potiuk commented on PR #2923: URL: https://github.com/apache/jackrabbit-oak/pull/2923#issuecomment-4618441744
Thanks @mreutegg, @mbaedke, @reschke, @rishabhdaim — pushed a revision addressing the review:

- **Runtime corrected to Java 17** (oak-parent/pom.xml; cites PR #2927 / the README fix). — @mreutegg
- **Trust boundary widened** to "the JCR Session / Oak ContentSession API surface, including all immediately derived interfaces" (Workspace, QueryManager, ObservationManager, AccessControlManager, UserManager, …); **XML import + SQL2/XPath parsing now in-model** with a new property + entry-point rows (XXE = VALID); the JCR-API → Oak-API security-entity mapping is explicitly in scope. — @mbaedke
- **Error messages:** leaking the *existence* of an unauthorized path is acceptable; leaking the *path itself* is VALID. — @mbaedke
- **oak-http + oak-run server (:8080)** added to the component table; softened the "no network listener" wording so HTTP-surface findings aren't mis-triaged as host-only; aligned `oak-standalone` (under `oak-examples/standalone`) with §3. — @rishabhdaim
- Noted the shared Jackrabbit bundles used by both Filevault and Oak (commons lib, JCR/SPI, oak-run/upgrade) + the #2927 cross-reference. — @reschke

On **TarMK**: @mbaedke flagged it as entirely Oak's responsibility (in-model) while @reschke was unsure — so rather than pick a side I've kept TarMK **in-scope with an open §14 question (Q2a)** for the PMC to settle. Same for the XXE default-config question (Q1a). Pushback welcome on either.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
