[ 
https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292447#comment-17292447
 ] 

Eric Norman commented on SLING-10147:
-------------------------------------

{quote}So, all references to the webconsole API must be optional to allow 
scripting core to be usable without the web console being installed.
{quote}
All the references to the webconsole API were already optional in 
scripting.core, the proposed changes don't change that at all. 

My impression is that if the ScriptingVariablesConsolePlugin is not accessible 
due to the webconsole not being deployed or the user not having permissions to 
access it, then the SlingBindingsVariablesListJsonServlet should not be 
accessible either since the only use case is being called from the 
ScriptingVariablesConsolePlugin UI.

 
{quote}Wouldn't it make more sense to have the servlet as a plugin in the web 
console and then use a service user to fetch resources - similar to what the 
plugin for the resource resolver does?
{quote}
The reason why SlingBindingsVariablesListJsonServlet requires a real Sling 
Servlet Request was already litigated and resolved when it was introduced with 
SLING-3543, and perhaps redoing that discussion is out of scope here?

> scripting variables implementation details are exposed to not authorized users
> ------------------------------------------------------------------------------
>
>                 Key: SLING-10147
>                 URL: https://issues.apache.org/jira/browse/SLING-10147
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Eric Norman
>            Assignee: Eric Norman
>            Priority: Major
>             Fix For: Scripting Core 2.3.6
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> The ".SLING_availablebindings.json" selector is registered at 
> /apps/sling/servlet/default and the usage on all resources is not protected 
> by any security checks.  The information returned contains implementation 
> details that a regular user should not need to know and could be considered 
> an "information disclosure" vulnerability.
> Since this selector appears to only be used by the "Scripting Variables" 
> webconsole plugin, I would expect that it should require the same security 
> checking that would be needed to access the webconsole.
>  
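As an added illustration of the restriction the ticket asks for, and not code from Sling or from this issue: a Sling servlet registered for the same `SLING_availablebindings` selector on `sling/servlet/default` that answers only when the calling session belongs to a JCR administrator, and otherwise responds as if the selector did not exist. The package and class names are assumptions, the administrator check is one approximation of "the same security checking needed to access the webconsole" (Sling's actual fix may differ), and the response body lists script engines from the JDK `ScriptEngineManager` instead of reproducing the real servlet's bindings output.

```java
package example.sling; // hypothetical package, not part of Apache Sling

import java.io.IOException;
import java.util.List;
import java.util.StringJoiner;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Hypothetical servlet: same selector/extension as the one discussed in the
// ticket, but every request is gated on an administrator check first.
@Component(
    service = Servlet.class,
    property = {
        "sling.servlet.resourceTypes=sling/servlet/default",
        "sling.servlet.selectors=SLING_availablebindings",
        "sling.servlet.extensions=json",
        "sling.servlet.methods=GET"
    })
public class GuardedBindingsListServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!isAdministrator(request)) {
            // Reply 404 rather than 403: an unauthorized caller learns neither
            // that the selector exists nor what it would have returned.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(renderEngines());
    }

    // Resolve the request's JCR session and ask the user manager whether the
    // authenticated principal is an administrator. Any failure denies access.
    static boolean isAdministrator(SlingHttpServletRequest request) {
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (!(session instanceof JackrabbitSession)) {
            return false; // not JCR-backed (or anonymous): deny by default
        }
        try {
            JackrabbitSession jcr = (JackrabbitSession) session;
            Authorizable who = jcr.getUserManager().getAuthorizable(jcr.getUserID());
            return who instanceof User && ((User) who).isAdmin();
        } catch (RepositoryException e) {
            return false; // lookup errors are treated as "not authorized"
        }
    }

    // Stand-in for the bindings listing: names and extensions of the script
    // engines visible to the JDK. This is the kind of implementation detail
    // the ticket says should not be served to unprivileged users.
    static String renderEngines() {
        List<ScriptEngineFactory> factories = new ScriptEngineManager().getEngineFactories();
        StringJoiner items = new StringJoiner(",", "{\"engines\":[", "]}");
        for (ScriptEngineFactory f : factories) {
            StringJoiner exts = new StringJoiner("\",\"", "[\"", "\"]");
            for (String ext : f.getExtensions()) {
                exts.add(ext);
            }
            items.add("{\"name\":\"" + f.getEngineName() + "\",\"extensions\":" + exts + "}");
        }
        return items.toString();
    }
}
```

The point of the example is the ordering in `doGet`: the authorization decision happens before any output is produced, and a failed check returns the same 404 an unknown selector would, so the guarded endpoint cannot be distinguished from a missing one by an unprivileged caller.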
--
This message was sent by Atlassian Jira
(v8.3.4#803005)