[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286151#comment-17286151 ]
Konrad Windszus edited comment on SLING-10147 at 2/17/21, 9:31 PM:
-------------------------------------------------------------------

See the discussion at SLING-3543. Exposing the bindings requires a real Sling Servlet Request, therefore this generic servlet binding. Doing the same kind of access check probably requires a dependency on the WebConsoleSecurityProvider service. But IMHO that service is optional (even with Sling) so it must also work without it. Maybe reusing the OsgiManagerHttpContext is an option (https://github.com/apache/felix-dev/blob/e8fbf5bae0b736e187f603ae05d5b2ebeafb7973/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L961)

was (Author: kwin):
See the discussion at SLING-3543. Exposing the bindings requires a real Sling Servlet Request, therefore this generic servlet binding. Doing the same kind of access check probably requires a dependency on the WebConsoleSecurityProvider service. But IMHO that service is optional (even with Sling) so it must also work without it.

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
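The gating the issue asks for, as an added example that is not the Sling project's fix: a servlet registered exactly like the one described (default resource type, SLING_availablebindings selector, json extension) that hands the access decision to the Felix WebConsoleSecurityProvider2 service. The class name BindingsServlet, the placeholder payload and the fail-closed behaviour when no provider is registered are this example's assumptions.

```java
// Added example (not the Sling project's fix): a servlet for the
// SLING_availablebindings.json selector that delegates its access check to
// the Felix WebConsoleSecurityProvider2 service when one is registered.
// Assumed: OSGi DS annotations and the Felix webconsole API on the classpath;
// the class name and the fail-closed fallback are this example's choices.
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

// Same registration as the issue describes: default resource type, so the
// selector resolves on every resource; the check in doGet is what was missing.
@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=sling/servlet/default",
    "sling.servlet.selectors=SLING_availablebindings",
    "sling.servlet.extensions=json",
    "sling.servlet.methods=GET"
})
public class BindingsServlet extends SlingSafeMethodsServlet {
    // Optional and dynamic: the webconsole security provider may be absent.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private volatile WebConsoleSecurityProvider2 securityProvider;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        WebConsoleSecurityProvider2 provider = securityProvider;
        if (provider == null) {
            // Nothing to delegate to: fail closed instead of exposing the bindings.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The provider sends its own challenge or denial when it returns false.
        if (!provider.authenticate(request, response)) {
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"bindings\":[]}"); // placeholder payload
    }
}
```

Failing closed when no provider is registered is the conservative reading; the comment above wants the plugin to keep working without that service, so a real fix would substitute the webconsole's own access check (for example via its HttpContext) in that case rather than deny outright.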