Author: cziegeler Date: Wed Oct 12 06:54:54 2016 New Revision: 1764391 URL: http://svn.apache.org/viewvc?rev=1764391&view=rev Log: SLING-5135 - whitelist legit usages of loginAdministrative. Make sure to not pass bundle/subservice to clients
Modified: sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java Modified: sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java URL: http://svn.apache.org/viewvc/sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java?rev=1764391&r1=1764390&r2=1764391&view=diff ==============================================================================
--- sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java (original)
+++ sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java Wed Oct 12 06:54:54 2016
@@ -68,7 +68,10 @@ public class ResourceResolverControl {
 private static final Logger logger = LoggerFactory.getLogger(ResourceResolverControl.class);
- private static final String FORBIDDEN_ATTRIBUTE = ResourceResolverFactory.PASSWORD;
+ private static final String[] FORBIDDEN_ATTRIBUTES = new String[] {
+ ResourceResolverFactory.PASSWORD,
+ ResourceProvider.AUTH_SERVICE_BUNDLE,
+ ResourceResolverFactory.SUBSERVICE};
 /** Is this a resource resolver for an admin? */
 private final boolean isAdmin;
@@ -329,7 +332,9 @@ public class ResourceResolverControl {
 if ( this.authenticationInfo != null ) {
 names.addAll(authenticationInfo.keySet());
 }
- names.remove(FORBIDDEN_ATTRIBUTE);
+ for(final String key : FORBIDDEN_ATTRIBUTES) {
+ names.remove(key);
+ }
 return names;
 }
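Review bot: FORBIDDEN_ATTRIBUTES is declared as a `String[]`, which forces the hand-written linear scans added in the hunks at -329 and -339 and leaves the array elements reassignable despite the `final`; an unmodifiable `Set<String>` states the deny-list directly, e.g. `private static final Set<String> FORBIDDEN_ATTRIBUTES = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(ResourceResolverFactory.PASSWORD, ResourceProvider.AUTH_SERVICE_BUNDLE, ResourceResolverFactory.SUBSERVICE)));`, after which the two call sites reduce to `names.removeAll(FORBIDDEN_ATTRIBUTES);` and `if (FORBIDDEN_ATTRIBUTES.contains(name)) { return null; }`. The constant also deserves a comment naming the invariant it guards, because the filter is a deny-list and any authentication-info key introduced later that carries a credential or a service identity will be exposed to clients unless someone remembers to list it here: `/** Authentication-info keys that must never reach clients via getAttribute/getAttributeNames; every credential- or identity-carrying key belongs in this list. */`. Whether other code in ResourceResolverControl reads authenticationInfo without going through these two methods cannot be seen from this hunk; the method containing the -329 hunk starts outside it.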
@@ -339,8 +344,10 @@ public class ResourceResolverControl {
 * the providers.
 */
 public Object getAttribute(final ResourceResolverContext context, final String name) {
- if (FORBIDDEN_ATTRIBUTE.equals(name)) {
- return null;
+ for(final String key : FORBIDDEN_ATTRIBUTES) {
+ if (key.equals(name)) {
+ return null;
+ }
 }
 for (final AuthenticatedResourceProvider p : context.getProviderManager().getAllBestEffort(getResourceProviderStorage().getAttributableHandlers(), this)) {
 final Object attribute = p.getAttribute(name);
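Review bot: The Javadoc of getAttribute, whose tail `* the providers.` opens this hunk, does not state that the password, service-bundle and subservice attributes answer `null` even when the caller's authentication info holds them, which is precisely the guarantee this commit adds; a line such as `@return the attribute value, or {@code null} if the attribute is unknown or is one of the FORBIDDEN_ATTRIBUTES keys` would make the contract visible to callers. Placing the check ahead of the provider loop means no provider's getAttribute is ever consulted for those names, so this path cannot leak them; whether providers can still surface such names through their own attribute-name listing is outside the hunk. As a point of style, `for(final String key : FORBIDDEN_ATTRIBUTES) {` omits the space after `for` that the provider loop two lines below uses. getAttribute's body continues past the end of the hunk.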