[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286185#comment-17286185 ]

Eric Norman edited comment on SLING-10147 at 2/17/21, 10:44 PM:
----------------------------------------------------------------

[~kwin] Yes, that was my conclusion as well.

My first thought was the simple solution of using a reference to a WebConsoleSecurityProvider service that implements the WebConsoleSecurityProvider2 interface and calling WebConsoleSecurityProvider2#authenticate to validate the security credentials. That works ok when that service exists, but if there is no such service then the security checks become more complex and rely on some internal implementation details...

How would you feel about changing the request flow a bit, so that all the calls from the "Scripting Variables" form are POSTed to the ScriptEngineConsolePlugin servlet (which would flow through OsgiManagerHttpContext#handleSecurity), which sets some value as a request attribute and then forwards as a GET request for processing the response? Then changes can be made to ensure that any request to the SlingBindingsVariablesListJsonServlet that arrives without the expected request attribute is rejected and a 404 is returned (or use OptingServlet)?

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
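The request-attribute gate that the comment above proposes, written out as an added illustration (this is not code from the Sling project or from the comment's author). It assumes a hypothetical servlet class and attribute name; the only real APIs used are the Sling OptingServlet/SlingSafeMethodsServlet interfaces and the servlet request attribute mechanism. The idea is that a request attribute, unlike a query parameter or header, can only be set server-side, so it can carry the "this request already passed the webconsole security check" signal from a trusted, authenticated entry point that forwards to this servlet.

```java
package org.example.sling.scripting; // hypothetical package, not Sling's own

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

/**
 * Hypothetical guard for a selector-bound JSON servlet. The servlet only
 * "opts in" to requests carrying a server-side attribute that an already
 * authenticated entry point (e.g. a webconsole plugin) set before forwarding.
 * Registration (selector, resource type, method) is left to the component
 * metadata and is not shown here.
 */
public class GuardedBindingsListServlet extends SlingSafeMethodsServlet implements OptingServlet {

    // Assumed attribute name. Clients cannot set request attributes from the
    // outside, so its presence proves the request came through the trusted path.
    static final String GATE_ATTR = "org.example.sling.scripting.bindings.gate";

    @Override
    public boolean accepts(SlingHttpServletRequest request) {
        // Compare against a fixed value rather than just non-null, so an
        // unrelated attribute with the same name does not open the gate.
        return Boolean.TRUE.equals(request.getAttribute(GATE_ATTR));
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        // Defence in depth: re-check even when the resolver honoured accepts().
        if (!accepts(request)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // The actual bindings listing would be written here.
        response.getWriter().write("{\"bindings\":[]}");
    }
}
```

One caveat worth checking in a real deployment: when an OptingServlet declines a request, the servlet resolver moves on to the next candidate rather than returning 404, so a resource requested with the same selector may still be rendered by a default servlet; the explicit 404 in doGet is the behaviour you get only when this servlet is actually selected.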