[ https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191111#comment-13191111 ]
Jeff Young commented on SLING-2236: ----------------------------------- OK, one more attempt (and then I promise to shut up): Let's say the :operation -is- one the default servlet knows. In that case, it's going to report a 404. So, conceptually, in the "bad" operation case the default servlet sees two problems: we can't read the resource and we don't know what the operation is. There's nothing in the Sling contract which states that operation errors have precedence over read-access errors. (And, while this particular instance doesn't appear to have any exploitability, it would seem that in general you'd want to give read-access errors precedence in order to reduce the possibility of leaking "resource exists" information.) > Default POST servlet reports invalid operation when it should report 404 > ------------------------------------------------------------------------ > > Key: SLING-2236 > URL: https://issues.apache.org/jira/browse/SLING-2236 > Project: Sling > Issue Type: Bug > Components: Servlets > Reporter: Jeff Young > Priority: Minor > > In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look > up the operation (and report an unknown operation) before checking > privileges. I'd > like to propose that when the operation is not understood, we first check for > read access to the resource, and if unsuccessful, report that instead of > reporting > "invalid operation". > Here's the issue: say I define my own POST servlet which supports > :operation="foo". I set a sling:resourceType so that my POST servlet gets > invoked. All fine > and good. > Now someone without read access to the resource tries to do an > :operation="foo". Sling can't read the sling:resourceType (no read access), > and so invokes the > default POST servlet instead of my custom POST servlet. It looks up > :operation="foo" and reports "invalid operation" (which is pretty misleading). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira