[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292447#comment-17292447 ]
Eric Norman commented on SLING-10147:
-------------------------------------

{quote}So, all references to the webconsole API must be optional to allow scripting core to be usable without the web console being installed.{quote}

All the references to the webconsole API were already optional in scripting.core; the proposed changes don't change that at all. My impression is that if the ScriptingVariablesConsolePlugin is not accessible, because the webconsole is not deployed or the user does not have permission to access it, then the SlingBindingsVariablesListJsonServlet should not be accessible either, since its only use case is being called from the ScriptingVariablesConsolePlugin UI.

{quote}Wouldn't it make more sense to have the servlet as a plugin in the web console and then use a service user to fetch resources - similar to what the plugin for the resource resolver does?{quote}

The reason why SlingBindingsVariablesListJsonServlet requires a real Sling Servlet Request was already litigated and resolved when it was introduced with SLING-3543, and perhaps redoing that discussion is out of scope here?

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at
> /apps/sling/servlet/default and the usage on all resources is not protected
> by any security checks. The information returned contains implementation
> details that a regular user should not need to know and could be considered
> an "information disclosure" vulnerability.
>
> Since this selector appears to only be used by the "Scripting Variables"
> webconsole plugin, I would expect that it should require the same security
> checking that would be needed to access the webconsole.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
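A defender-side check tied to the issue description above, added here as an illustration and not code from Sling or from the reporter: it scans access-log lines for requests that use the ".SLING_availablebindings.json" selector on any resource path and lists those answered 200 to a user outside a trusted set, which is how an operator can confirm exposure before and after upgrading to Scripting Core 2.3.6. The combined log format, the sample lines and the trusted-user list are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in combined access-log style (proxy or Sling log
# writer); the addresses, users and sizes are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120
10.0.0.5 - - [01/Mar/2021:10:00:02 +0000] "GET /content/site/en.SLING_availablebindings.json HTTP/1.1" 200 1834
10.0.0.9 - admin [01/Mar/2021:10:00:03 +0000] "GET /apps/foo.SLING_availablebindings.json/x HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2021:10:00:04 +0000] "GET /content/site/en.SLING_availablebindings.html HTTP/1.1" 404 0
10.0.0.7 - - [01/Mar/2021:10:00:05 +0000] "GET /content/site/en.json?x=SLING_availablebindings HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SELECTOR = "SLING_availablebindings"  # selector named in the issue

@dataclass
class Hit:
    ip: str
    user: str      # "-" means no authenticated user was logged
    path: str
    status: int

def split_sling_path(target: str) -> Tuple[str, List[str], Optional[str], str]:
    """Approximate Sling's request-path decomposition without repository
    access: resource path up to the first '.', then selectors and extension
    up to the next '/', then the suffix. The query string is ignored."""
    path = target.split("?", 1)[0]
    dot = path.find(".")
    if dot < 0:
        return path, [], None, ""
    head, _, rest = path[dot + 1:].partition("/")
    parts = head.split(".")
    return path[:dot], parts[:-1], parts[-1], ("/" + rest if rest else "")

def find_bindings_requests(log_text: str) -> List[Hit]:
    """Every parsed request whose selectors contain SELECTOR with a .json
    extension, on any resource path (conservative: any selector position)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, selectors, ext, _ = split_sling_path(m["target"])
        if SELECTOR in selectors and ext == "json":
            hits.append(Hit(m["ip"], m["user"], m["target"], int(m["status"])))
    return hits

def unauthorized_hits(hits: List[Hit], trusted_users=("admin",)) -> List[Hit]:
    """Hits served 200 to a user outside the trusted set (the exposure)."""
    return [h for h in hits if h.status == 200 and h.user not in trusted_users]
```

A 200 for an anonymous or non-trusted user after the fix is deployed means the selector is still reachable and warrants a closer look at the deployed bundle version.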