[
https://issues.apache.org/jira/browse/SLING-5?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488710#comment-17488710
]
Lars Krapf commented on SLING-5:
[~angela]:
bq. what do you have in mind when you refer
[
https://issues.apache.org/jira/browse/SLING-5?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17486456#comment-17486456
]
Lars Krapf commented on SLING-5:
[~cziegeler]:
bq. How should such an exclude list look like
Lars Krapf created SLING-5:
--
Summary: Allow path exemptions for referrer filter
Key: SLING-5
URL: https://issues.apache.org/jira/browse/SLING-5
Project: Sling
Issue Type
[
https://issues.apache.org/jira/browse/SLING-10225?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17304160#comment-17304160
]
Lars Krapf commented on SLING-10225:
Hello [~rombert]
I agree that the fix for SLING-9741, i.e
Lars Krapf created SLING-9767:
-
Summary: Insecure Recommendation in Dynamic Include Documentation
Key: SLING-9767
URL: https://issues.apache.org/jira/browse/SLING-9767
Project: Sling
Issue Type
Lars Krapf created SLING-9741:
-
Summary: Invalid path decomposition in case of multiple dots
Key: SLING-9741
URL: https://issues.apache.org/jira/browse/SLING-9741
Project: Sling
Issue Type: Bug
Lars Krapf created SLING-9740:
-
Summary: Invalid handling of requests containing URL path
parameters
Key: SLING-9740
URL: https://issues.apache.org/jira/browse/SLING-9740
Project: Sling
Issue
Lars Krapf created SLING-9739:
-
Summary: Wrong decomposition/resolution in Servlets Resolver Plugin
Key: SLING-9739
URL: https://issues.apache.org/jira/browse/SLING-9739
Project: Sling
Issue
Lars Krapf created SLING-9441:
-
Summary: Sling POST servlet responds with 500 if target is not
modifiable
Key: SLING-9441
URL: https://issues.apache.org/jira/browse/SLING-9441
Project: Sling
[
https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17032288#comment-17032288
]
Lars Krapf commented on SLING-9043:
---
[~reschke], [~kwin]:
[~sonagupt] has updated the PR and added
[
https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17031455#comment-17031455
]
Lars Krapf commented on SLING-9043:
---
[~kwin]: Yes, with proper CORS configuration this issue
[
https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17031428#comment-17031428
]
Lars Krapf commented on SLING-9043:
---
Hello [~reschke]
COPY (and yes, MOVE as well) are state-changing
Lars Krapf created SLING-:
-
Summary: XSSFilter is rejecting URLs containing only queries or
fragments
Key: SLING-
URL: https://issues.apache.org/jira/browse/SLING-
Project: Sling
Hello list
IIUC the Sling Authenticator chooses an authentication handler based on
the request path, and *not* on the mapped path.
So (please correct me if I'm wrong), it seems not possible to have two
different internalRedirects from domain-names to sub-paths, which are
covered by two different
Lars Krapf created SLING-6438:
-
Summary: Add encodeForHTMLAttrName() to XSSAPI
Key: SLING-6438
URL: https://issues.apache.org/jira/browse/SLING-6438
Project: Sling
Issue Type: Improvement
[
https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15427306#comment-15427306
]
Lars Krapf edited comment on SLING-4560 at 8/18/16 10:47 PM:
-
Hello
[
https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15427306#comment-15427306
]
Lars Krapf edited comment on SLING-4560 at 8/18/16 10:47 PM:
-
Hello
[
https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lars Krapf updated SLING-4560:
--
Attachment: xssapi.patch
Adding potential patch.
> XSSAPI#getValidHref is empty for valid Beng
[
https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15427306#comment-15427306
]
Lars Krapf edited comment on SLING-4560 at 8/18/16 10:44 PM:
-
Hello
[
https://issues.apache.org/jira/browse/SLING-4560?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15427306#comment-15427306
]
Lars Krapf commented on SLING-4560:
---
Hello [~radu.cotescu]
With this change {{onSiteURL}} will accept
Lars Krapf created SLING-5675:
-
Summary: Logout only called if AuthenticationHandler is registered
to "/"
Key: SLING-5675
URL: https://issues.apache.org/jira/browse/SLING-5675
Proj
Hello Daniel
On 28.05.2015 10:11, Daniel Sungjin Jung wrote:
Checking the “Allow Empty” checkbox in Apache Sling Referrer Filter is not
recommended in production service.
I’d like to know what specific security risks we face if we turn it on for
production service.
Apart from the obvious cases
Lars Krapf created SLING-4701:
-
Summary: SlingAuthenticator.isAnonAllowed matches for all paths
starting with the same characters
Key: SLING-4701
URL: https://issues.apache.org/jira/browse/SLING-4701
[
https://issues.apache.org/jira/browse/SLING-4701?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lars Krapf updated SLING-4701:
--
Attachment: SlingAuthenticator.patch
Attached possible patch.
SlingAuthenticator.isAnonAllowed
[
https://issues.apache.org/jira/browse/SLING-4413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lars Krapf updated SLING-4413:
--
Summary: :applyTo should send 403 instead of 500 when operation fails
(was: :applyTo should send 403
Lars Krapf created SLING-4414:
-
Summary: :applyTo should only apply to requested resource (and
below)
Key: SLING-4414
URL: https://issues.apache.org/jira/browse/SLING-4414
Project: Sling
Issue
Lars Krapf created SLING-4415:
-
Summary: :applyTo should not display changeLog (when operation
fails)
Key: SLING-4415
URL: https://issues.apache.org/jira/browse/SLING-4415
Project: Sling
Issue
Lars Krapf created SLING-4413:
-
Summary: :applyTo should send 403 instead of 500 when operation
fails
Key: SLING-4413
URL: https://issues.apache.org/jira/browse/SLING-4413
Project: Sling
Issue
Hello Marius
It depends on the use-case. In examples like yours a service-user would
most probably be the right choice. In other examples, for instance a job
that processes an asset, the job should be performed with the privileges
of the triggering user, to limit the possibilities of a potential
a resource resolver
based on that value. But I think this has to be done on a job by job base.
Or do you see a general mechanism which always gets the subject of the
sender?
Carsten
2014-05-13 17:21 GMT+02:00 Lars Krapf lkr...@adobe.com:
Hello list
When processing events and jobs
Hello list
When processing events and jobs, the corresponding subject triggering
the event usually gets lost. This leads to event handlers / job consumers
often operating with administrative sessions/resolvers to do their work,
which in turn can lead to privilege escalations.
A possible solution
On 16.01.2014 23:28, Alexander Klimetschek wrote:
On 16.01.2014, at 05:19, Carsten Ziegeler cziege...@apache.org wrote:
Eagerly waiting for a patch which implements this :)
He he :)
This isn’t meant as something we should have soon - it is meant as a goal to
guide around the jcr login
Hello Ian
On 17.01.2014 12:19, Ian Boston wrote:
[...]
What was the problem with TrustedCredentials ? I might be thinking of
the wrong thing and you might be talking about something different.
When I talk about trusted credentials, I refer only to the previous
implementation that relied
Hello Alex
As long as reflection is still permitted I think you could get around
most (all?) of these restrictions.
I'm pretty sure this can only be solved properly on VM level
(SecurityManager).
Cheers
Lars
On 15.01.2014 23:53, Alexander Klimetschek wrote:
On 15.01.2014, at 01:34,
Lars Krapf created SLING-2966:
-
Summary: Insufficient synchronization in SlingAuthenticator
Key: SLING-2966
URL: https://issues.apache.org/jira/browse/SLING-2966
Project: Sling
Issue Type: Bug
[
https://issues.apache.org/jira/browse/SLING-2966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lars Krapf updated SLING-2966:
--
Attachment: sling_authenticator.patch
Attached a possible patch: synchronizing the whole
Hello
Please accept my 2.3 cents to this discussion:
I really agree with Angela and Bertrand on this one.
Something that could be called AccessGate is clearly a security
mechanism, and should thus be designed with single point of access in
mind.
Having ACL evaluations scattered among the
Hello Carsten
On 03/06/2013 12:45 PM, Carsten Ziegeler wrote:
2013/3/6 Lars Krapf lkr...@adobe.com:
if time-based access control
is really needed.
Time based access restriction is one of the main use cases as Mike has
explained repeatedly.
Yes - I understand that. The important part of my