[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286185#comment-17286185 ]

Eric Norman edited comment on SLING-10147 at 2/17/21, 10:44 PM:
----------------------------------------------------------------

[~kwin] Yes, that was my conclusion as well. 

My first thought was the simple solution of using a reference to a 
WebConsoleSecurityProvider service that implements the 
WebConsoleSecurityProvider2 interface and calling 
WebConsoleSecurityProvider2#authenticate to validate the security 
credentials.  That works ok when that service exists, but if there is no such 
service then the security checks become more complex and rely on some 
internal implementation details...

 

How would you feel about changing the request flow a bit, so that all the calls 
from the "Scripting Variables" form are POSTed to the ScriptEngineConsolePlugin 
servlet (which would flow through OsgiManagerHttpContext#handleSecurity), which 
sets some value as a request attribute and then forwards as a GET request for 
processing the response?  Then changes can be made to ensure that any request 
to the SlingBindingsVariablesListJsonServlet that arrives without the expected 
request attribute is rejected and a 404 is returned (or use OptingServlet)?

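One way the two halves of that proposed flow could look, added here as an illustration rather than code from the Sling project or from this comment. The attribute name, the forward path, the class names and the gate logic are all assumptions; the credential check itself is left to the web console's HttpContext, which has already run by the time the plugin's POST handler is reached.

```java
import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

/**
 * Hypothetical marker attribute. It is set only by server-side code, after the
 * web console's HttpContext#handleSecurity has accepted the caller, so a client
 * requesting the JSON selector directly can never supply it: request attributes
 * are not populated from headers, parameters or anything else on the wire.
 */
final class ConsoleGate {
    static final String ATTR = "example.scripting.console.authenticated"; // assumed name
    private ConsoleGate() {}
}

/** Assumed POST side: what the web console plugin's form handler could do. */
final class ConsoleFormForwarder {
    static void forwardAsGet(HttpServletRequest request, HttpServletResponse response,
                             String targetPath) throws ServletException, IOException {
        // Only reachable through the console, so mark the request as vetted.
        request.setAttribute(ConsoleGate.ATTR, Boolean.TRUE);

        // A RequestDispatcher forward keeps the original method; wrap the request
        // so the target sees GET while the attribute set above is preserved.
        HttpServletRequest asGet = new HttpServletRequestWrapper(request) {
            @Override
            public String getMethod() {
                return "GET";
            }
        };
        RequestDispatcher dispatcher = request.getRequestDispatcher(targetPath);
        dispatcher.forward(asGet, response);
    }
}

/**
 * Assumed GET side: a stand-in for the JSON servlet behind the selector.
 * OptingServlet lets it decline unmarked requests at resolution time; the
 * explicit check in doGet covers the case where it is invoked anyway.
 */
final class GatedBindingsJsonServlet extends SlingSafeMethodsServlet implements OptingServlet {

    @Override
    public boolean accepts(SlingHttpServletRequest request) {
        return request.getAttribute(ConsoleGate.ATTR) != null;
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (request.getAttribute(ConsoleGate.ATTR) == null) {
            // 404 rather than 403: do not confirm to an unvetted caller that the
            // selector exists at this path.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // Real listing of scripting bindings omitted; placeholder body only.
        response.getWriter().write("{}");
    }
}
```

Two caveats a reviewer would want spelled out. First, the whole scheme rests on the attribute being unreachable from the client, which holds for servlet request attributes but would not hold for a header or parameter, so the marker must never be copied from request input. Second, when an OptingServlet declines a request, Sling resolves to the next candidate servlet for that resource rather than returning 404 by itself; that fallback may still render the resource in some other form, which is why the explicit attribute check and sendError inside doGet are kept as well.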
> scripting variables implementation details are exposed to unauthorized users
> ---------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)