[https://issues.apache.org/jira/browse/SLING-2236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13191111#comment-13191111]
Jeff Young commented on SLING-2236:
-----------------------------------
OK, one more attempt (and then I promise to shut up):
Let's say the :operation -is- one the default servlet knows. In that case, it's going to report a 404.

So, conceptually, in the "bad" operation case the default servlet sees two problems: we can't read the resource and we don't know what the operation is. There's nothing in the Sling contract which states that operation errors have precedence over read-access errors. (And, while this particular instance doesn't appear to have any exploitability, it would seem that in general you'd want to give read-access errors precedence in order to reduce the possibility of leaking "resource exists" information.)
> Default POST servlet reports invalid operation when it should report 404
> ------------------------------------------------------------------------
>
> Key: SLING-2236
> URL: https://issues.apache.org/jira/browse/SLING-2236
> Project: Sling
> Issue Type: Bug
> Components: Servlets
> Reporter: Jeff Young
> Priority: Minor
>
> In sling/servlets/post/impl/SlingPostServlet.java's doPost() method, we look up the operation (and report an unknown operation) before checking privileges. I'd like to propose that when the operation is not understood, we first check for read access to the resource, and if unsuccessful, report that instead of reporting "invalid operation".
>
> Here's the issue: say I define my own POST servlet which supports :operation="foo". I set a sling:resourceType so that my POST servlet gets invoked. All fine and good.
>
> Now someone without read access to the resource tries to do an :operation="foo". Sling can't read the sling:resourceType (no read access), and so invokes the default POST servlet instead of my custom POST servlet. It looks up :operation="foo" and reports "invalid operation" (which is pretty misleading).
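The dispatch sequence described in the issue and the error-precedence point made in the comment above, as an added example that is not Sling's code and not part of this thread. It models a tiny resource tree with per-user read permission, a custom POST servlet bound to a resourceType, and two versions of the default POST servlet: one that looks up :operation before checking read access (the reported behaviour) and one that checks read access first and answers 404 whenever the caller cannot read the resource. The paths, users, resourceType names and the set of "known" operations are constructed for the example.

```python
"""Model of the SLING-2236 ordering problem (added example, not Sling code).

Status/message pairs stand in for servlet responses. All data below is
constructed for illustration.
"""

# Constructed sample repository: path -> (users who may read it, resourceType)
RESOURCES = {
    "/content/secret": ({"alice"}, "my/foo"),
    "/content/public": ({"alice", "bob"}, "nt/unstructured"),
}

# Operations the modelled default POST servlet understands (constructed set)
KNOWN_OPERATIONS = {"delete", "copy", "move"}

# resourceType -> operations a custom POST servlet registered for it supports
CUSTOM_SERVLETS = {"my/foo": {"foo"}}


def can_read(user, path):
    """True only if the path exists and the user has read access to it."""
    entry = RESOURCES.get(path)
    return entry is not None and user in entry[0]


def default_post_buggy(user, path, operation):
    """Reported behaviour: operation lookup happens before the access check,
    so an unreadable resource still yields 'invalid operation'."""
    if operation not in KNOWN_OPERATIONS:
        return (400, "invalid operation")
    if not can_read(user, path):
        return (404, "not found")
    return (200, "ok")


def default_post_fixed(user, path, operation):
    """Proposed ordering: read-access failure takes precedence, so a caller
    who cannot read the resource gets the same 404 whatever :operation says."""
    if not can_read(user, path):
        return (404, "not found")
    if operation not in KNOWN_OPERATIONS:
        return (400, "invalid operation")
    return (200, "ok")


def dispatch(user, path, operation, default_handler):
    """Select the servlet the way the issue describes: the resourceType is
    only visible when the caller can read the resource; otherwise the request
    falls through to the default POST servlet."""
    if can_read(user, path):
        resource_type = RESOURCES[path][1]
        supported = CUSTOM_SERVLETS.get(resource_type)
        if supported is not None:
            if operation in supported:
                return (200, "custom ok")
            return (400, "invalid operation")
    return default_handler(user, path, operation)


def probe(user, path, default_handler, operations=("foo", "delete")):
    """Statuses a caller sees for an unknown and a known operation on one
    path; with the fixed ordering an unreadable path looks the same for both."""
    return tuple(dispatch(user, path, op, default_handler)[0] for op in operations)


if __name__ == "__main__":
    for handler in (default_post_buggy, default_post_fixed):
        print(handler.__name__)
        for user in ("alice", "bob"):
            for path in ("/content/secret", "/content/missing"):
                print(f"  {user:5} {path:17} {probe(user, path, handler)}")
```

Running the script shows the contrast the comment is making: with the reported ordering, bob receives "invalid operation" for :operation=foo on a resource he cannot read but 404 for :operation=delete on the same resource, whereas with read access checked first both requests receive the same 404 as they would for a path that does not exist.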