On Fri, May 4, 2012 at 11:24 AM, Chetan Mehrotra <[email protected]> wrote:
> Sure ... or we can keep the service disabled by default and the plugin page
> displays a message that it should be enabled before being used. And then a
> user can enable it from WebConsole...

That would be good, and maybe include a note about the security implications
in that message. We can add that after committing your patch anyway, no need
to change it now - I added a note about that in SLING-2463.

-Bertrand

> On Fri, May 4, 2012 at 1:46 PM, Bertrand Delacretaz
> <[email protected]> wrote:
>
>> Hi Chetan,
>>
>> On Fri, May 4, 2012 at 5:18 AM, Chetan Mehrotra
>> <[email protected]> wrote:
>> > ...Let me know if any other change is required from my side for this
>> > feature to be included in Sling...
>>
>> I haven't looked in detail yet, but IIUC your service allows arbitrary
>> code to be executed from a POST request (which is cool in the context
>> of testing that I saw in your example).
>>
>> As that can be a security risk, maybe it would be good to have some
>> form of warning, that people must be aware of the implications if
>> enabling that service? Maybe just a WARN log message at activation
>> time, or something similar that reasonable users shouldn't ignore.
>>
>> -Bertrand
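As an added illustration of the two mitigations discussed in this thread (service disabled by default so an administrator has to enable it from the Web Console, plus a WARN at activation), here is a sketch using the standard OSGi Declarative Services annotations; it is not code from the thread or from Chetan's patch, and the package, class name and log wording are assumptions:

```java
package org.apache.sling.example;  // assumed package, not part of SLING-2463

import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical component behind a "run code from a POST request" test service.
 *
 * enabled = false means the Service Component Runtime never activates it on
 * its own: the component shows up as "disabled" in the Web Console Components
 * tab and only starts when an administrator enables it there (or via the SCR
 * API). Nothing is registered or reachable over HTTP until that happens.
 */
@Component(enabled = false)
public class RemoteExecutionGate {

    private static final Logger log = LoggerFactory.getLogger(RemoteExecutionGate.class);

    @Activate
    protected void activate(ComponentContext ctx) {
        // WARN, not INFO, so it stands out in the log of whoever just enabled it.
        log.warn("Component {} (bundle {}) is now enabled: it executes arbitrary "
                 + "code sent in POST requests. Only enable it on test instances "
                 + "and disable it again when done.",
                 ctx.getProperties().get("component.name"),
                 ctx.getBundleContext().getBundle().getSymbolicName());
    }

    @Deactivate
    protected void deactivate() {
        log.info("Remote execution component disabled again");
    }
}
```

The servlet that actually runs the submitted code would be a separate DS component referencing this one, so that it too stays unregistered while the gate is disabled.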
