Author: cziegeler
Date: Wed Oct 12 06:54:54 2016
New Revision: 1764391

URL: http://svn.apache.org/viewvc?rev=1764391&view=rev
Log:
SLING-5135 - whitelist legit usages of loginAdministrative. Make sure to not 
pass bundle/subservice to clients

Modified:
    
sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java

Modified: 
sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java?rev=1764391&r1=1764390&r2=1764391&view=diff
==============================================================================
--- 
sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java
 (original)
+++ 
sling/trunk/bundles/resourceresolver/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java
 Wed Oct 12 06:54:54 2016
@@ -68,7 +68,10 @@ public class ResourceResolverControl {
 
     private static final Logger logger = 
LoggerFactory.getLogger(ResourceResolverControl.class);
 
-    private static final String FORBIDDEN_ATTRIBUTE = 
ResourceResolverFactory.PASSWORD;
+    private static final String[] FORBIDDEN_ATTRIBUTES = new String[] {
+            ResourceResolverFactory.PASSWORD,
+            ResourceProvider.AUTH_SERVICE_BUNDLE,
+            ResourceResolverFactory.SUBSERVICE};
 
     /** Is this a resource resolver for an admin? */
     private final boolean isAdmin;
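Review bot: The new FORBIDDEN_ATTRIBUTES array carries no comment explaining why these three keys are hidden, and nothing in the hunk marks it as a security filter rather than a convenience, so a later edit trimming the list would not know the stakes. I would put above the declaration `// Authentication material that must never reach resource resolver clients through getAttribute()/getAttributeNames(): the password and the bundle/subservice that a loginService/loginAdministrative whitelist decision was based on (SLING-5135).` Since the constant only serves membership tests, a `private static final Set<String>` wrapped in `Collections.unmodifiableSet(...)` would let both call sites use `contains`/`removeAll` instead of hand-written loops, assuming java.util is already imported (not visible in this hunk). The reference to `ResourceProvider.AUTH_SERVICE_BUNDLE` likewise needs an import the hunk does not show; presumably it was added elsewhere in the file.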
@@ -329,7 +332,9 @@ public class ResourceResolverControl {
         if ( this.authenticationInfo != null ) {
             names.addAll(authenticationInfo.keySet());
         }
-        names.remove(FORBIDDEN_ATTRIBUTE);
+        for(final String key : FORBIDDEN_ATTRIBUTES) {
+            names.remove(key);
+        }
         return names;
     }
 
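Review bot: The removal loop added in getAttributeNames is a hand-rolled version of a bulk operation; `names.removeAll(Arrays.asList(FORBIDDEN_ATTRIBUTES));` expresses the same thing in one line and makes it obvious that the whole denylist is stripped, provided java.util.Arrays is in scope (not visible here). Whatever form is kept, a one-line comment such as `// strip login material before exposing the attribute names to clients` would tell the reader this is a security filter and not a tidy-up. The method starts before this hunk, so its Javadoc could not be checked for a matching statement.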
@@ -339,8 +344,10 @@ public class ResourceResolverControl {
      * the providers.
      */
     public Object getAttribute(final ResourceResolverContext context, final 
String name) {
-        if (FORBIDDEN_ATTRIBUTE.equals(name)) {
-            return null;
+        for(final String key : FORBIDDEN_ATTRIBUTES) {
+            if (key.equals(name)) {
+                return null;
+            }
         }
         for (final AuthenticatedResourceProvider p : 
context.getProviderManager().getAllBestEffort(getResourceProviderStorage().getAttributableHandlers(),
 this)) {
             final Object attribute = p.getAttribute(name);
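Review bot: The early return in getAttribute filters by exact key name only, so the protection is a denylist: any other credential-bearing entry a login module or caller puts into authenticationInfo, or a provider that republishes the same value under a different attribute key, is still returned by the provider loop that follows, and that limitation deserves to be stated rather than left implicit. I would extend the method's Javadoc with `Attributes listed in FORBIDDEN_ATTRIBUTES (password, service bundle, subservice) are suppressed and reported as null so callers cannot recover login material; all other authentication info entries are passed through unfiltered.` The loop would read as a single membership test if FORBIDDEN_ATTRIBUTES were a Set, but that is cosmetic. The method body continues past the end of this hunk.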

