Lars Krapf created SLING-9767:
---------------------------------
Summary: Insecure Recommendation in Dynamic Include Documentation
Key: SLING-9767
URL: https://issues.apache.org/jira/browse/SLING-9767
Project: Sling
Issue Type: Improvement
Components: Documentation
Affects Versions: Dynamic Include 3.2.0
Reporter: Lars Krapf
The [documentation for the Sling Dynamic Includes|https://sling.apache.org/documentation/bundles/dynamic-includes.html#enabling-ssi-in-apache-with-the-aem-dispatcher-module] mentions the following:
bq. Having added the SetOutputFilter directive, open the virtual host's
configuration and add the Includes option to the Options directive:
This is an extremely unsafe recommendation. The "Includes" option will allow
anyone who can change content on the backend (e.g. AEM) to run arbitrary
commands on the webserver (dispatcher), by injecting the {{<!--#exec-->}}
directive.
The recommendation should be to use the "IncludesNOEXEC" option instead, which
only allows including static content (with a "safe" MIME type such as HTML or
plain text).
See also: http://httpd.apache.org/docs/current/mod/mod_include.html
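To make the difference concrete, here is an added illustration that is not part of the issue or of the Sling documentation: a constructed vhost fragment with the documented `Options +Includes` next to the `IncludesNOEXEC` form, a small POSIX shell check that flags `Options` lines enabling the exec-capable variant, and a `sed` rewrite that switches them over. The directory paths are made up.

```shell
#!/bin/sh
# Constructed vhost fragment using the setting the documentation recommends.
UNSAFE_CONF='<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        SetOutputFilter INCLUDES
        Options +Includes
    </Directory>
</VirtualHost>'

# Same fragment with IncludesNOEXEC: #include of static content still works,
# but mod_include refuses the #exec element.
SAFE_CONF='<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        SetOutputFilter INCLUDES
        Options +IncludesNOEXEC
    </Directory>
</VirtualHost>'

# Print (with line numbers) every Options line that turns on the exec-capable
# "Includes" option, either directly or through "All". IncludesNOEXEC and
# -Includes are not flagged. Exit status 0 = something found, 1 = clean.
find_exec_includes() {
    printf '%s\n' "$1" |
        grep -n -E '^[[:space:]]*Options([[:space:]]+[-+]?[[:alnum:]]+)*[[:space:]]+[+]?(Includes|All)([[:space:]]|$)'
}

# Rewrite "Includes" tokens on Options lines to IncludesNOEXEC. "All" is left
# alone: it has to be replaced by an explicit option list, which is a manual decision.
harden_options() {
    printf '%s\n' "$1" |
        sed -E 's/^([[:space:]]*Options.*[[:space:]][+]?)Includes([[:space:]]|$)/\1IncludesNOEXEC\2/'
}

echo "documented setting:"
find_exec_includes "$UNSAFE_CONF" || echo "  nothing flagged"
echo "hardened setting:"
find_exec_includes "$SAFE_CONF" || echo "  nothing flagged"
echo "rewritten:"
harden_options "$UNSAFE_CONF"
```

Run it against a real dispatcher vhost by replacing the constructed strings with `$(cat /path/to/vhost.conf)`; anything the check prints is a location where `<!--#exec-->` would be honoured.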
--
This message was sent by Atlassian Jira
(v8.3.4#803005)