[ https://issues.apache.org/jira/browse/SLING-4415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14510911#comment-14510911 ]

Antonio Sanso commented on SLING-4415:
--------------------------------------

In order to reproduce:

* Create a user with username/password test/test and do not give it any permissions
* Assume that a folder /libs exists with several subfolders (e.g. with the first one being sling)
* Launch this command

{code}
curl -v -F":operation=delete" -F":applyTo=/libs/*" -u test:test http://localhost:4502
{code}

The response leaks information:

{code}
< HTTP/1.1 100 Continue
< HTTP/1.1 500 Server Error
< Date: Fri, 24 Apr 2015 12:08:32 GMT
< X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
* Server Jetty(9.2.9.v20150224) is not blacklisted
< Server: Jetty(9.2.9.v20150224)
< X-Powered-By: Jetty(9.2.9.v20150224)
* HTTP error before end of send, stop sending
< 
<html>
<head>
    <title>Error while processing /</title>
</head>
    <body>
    <h1>Error while processing /</h1>
    <table>
        <tbody>
            <tr>
                <td>Status</td>
                <td><div id="Status">500</div></td>
            </tr>
            <tr>
                <td>Message</td>
                <td><div id="Message">javax.jcr.RepositoryException: org.apache.sling.api.resource.PersistenceException: Unable to delete resource at /libs/sling. Resource does not exist.</div></td>
            </tr>
            <tr>
                <td>Location</td>
                <td><a href="/" id="Location">/</a></td>
            </tr>
            <tr>
                <td>Parent Location</td>
                <td><a href="" id="ParentLocation"></a></td>
            </tr>
            <tr>
                <td>Path</td>
                <td><div id="Path">/</div></td>
            </tr>
            <tr>
                <td>Referer</td>
                <td><a href="" id="Referer"></a></td>
            </tr>
            <tr>
                <td>ChangeLog</td>
                <td><div id="ChangeLog">&lt;pre&gt;&lt;/pre&gt;</div></td>
            </tr>
        </tbody>
    </table>
    <p><a href="">Go Back</a></p>
    <p><a href="/">Modified Resource</a></p>
    <p><a href="">Parent of Modified Resource</a></p>
    </body>

{code}


> :applyTo should not display changeLog (when operation fails)
> ------------------------------------------------------------
>
>                 Key: SLING-4415
>                 URL: https://issues.apache.org/jira/browse/SLING-4415
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Post 2.3.6
>            Reporter: Lars Krapf
>            Assignee: Antonio Sanso
>
> When the :applyTo operation fails the change-log leaks information about the 
> internal path-structure even when the requesting session does not have access 
> to these paths. 
> One solution would be to completely omit the ChangeLog (at least when the 
> operation fails), another option would be to make the :sendError behaviour 
> configurable in the POST servlet, so that the error message can be reliably 
> overlaid.
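The leak in the comment above is that a wildcard `:applyTo=/libs/*` only names the parent, yet the error message discloses the concrete child `/libs/sling` that the unprivileged session could not read. The following is an added example (not Sling's own code) of a check an operator or a regression test can run over a captured POST-servlet error page: it extracts the `Message` cell, lists every repository path in it that the client could not have derived from its own `:applyTo` argument, and sketches the mitigation of replacing those paths with the client's argument. The function names and the sample HTML are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the Message cell as it appears in the error page quoted in the comment.
SAMPLE_ERROR_HTML = """<html><body><table><tr><td>Message</td>
<td><div id="Message">javax.jcr.RepositoryException: org.apache.sling.api.resource.PersistenceException: Unable to delete resource at /libs/sling. Resource does not exist.</div></td></tr></table></body></html>"""


class _MessageExtractor(HTMLParser):
    """Collects the text inside <div id="Message"> of the Sling error page."""
    def __init__(self):
        super().__init__()
        self._in_message = False
        self.message = ""

    def handle_starttag(self, tag, attrs):
        if tag == "div" and dict(attrs).get("id") == "Message":
            self._in_message = True

    def handle_endtag(self, tag):
        if tag == "div" and self._in_message:
            self._in_message = False

    def handle_data(self, data):
        if self._in_message:
            self.message += data


def extract_message(html: str) -> str:
    """Return the whitespace-normalised text of the Message cell."""
    p = _MessageExtractor()
    p.feed(html)
    return " ".join(p.message.split())


# A repository path: a slash not preceded by a word char, dot or slash, then one or more segments.
_PATH_RE = re.compile(r"(?<![\w./])/[\w.\-]+(?:/[\w.\-]+)*")


def leaked_paths(apply_to: str, message: str) -> list:
    """Paths named in `message` that the client could not know from its own :applyTo.
    A trailing wildcard (/libs/*) only reveals the parent (/libs); any concrete child
    the server echoes back (/libs/sling) is disclosed structure."""
    known = {apply_to[:-2] if apply_to.endswith("/*") else apply_to.rstrip("/")}
    leaks = []
    for m in _PATH_RE.finditer(message):
        path = m.group(0).rstrip(".")  # strip sentence punctuation
        if path not in known and path not in leaks:
            leaks.append(path)
    return leaks


def redact(apply_to: str, message: str) -> str:
    """Mitigation sketch: replace each leaked path with the client's own argument."""
    for path in leaked_paths(apply_to, message):
        message = message.replace(path, apply_to)
    return message
```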



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
