[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292111#comment-17292111 ]
Konrad Windszus commented on SLING-10147:
-----------------------------------------

bq. I think you are creating a tight dependency to the web console here

This is the whole point of this issue: the servlet should only be usable from the web console and from nowhere else.

bq. how do you want to express the dependency?

This service reference expresses the dependency: https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7/files#diff-ac2aaf6487dcf3676032acfd1213e3de141e8bae45500ea1367d2b34d4c6f714R79. It is optional though, to improve the error message in case the service is not there!

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 4.5h
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.