[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292111#comment-17292111
 ] 

Konrad Windszus commented on SLING-10147:
-----------------------------------------

bq. I think you are creating a tight dependency to the web console here
This is the whole point of this issue: the servlet should only be usable from 
the web console and from nowhere else.

bq. how do you want to express the dependency?
This service reference expresses the dependency: 
https://github.com/apache/sling-org-apache-sling-scripting-core/pull/7/files#diff-ac2aaf6487dcf3676032acfd1213e3de141e8bae45500ea1367d2b34d4c6f714R79.
It is optional though, to improve the error message in case the service is not 
there!

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 4.5h
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
