It seems to me that there is a risk that this endpoint could leave the system
vulnerable to an information disclosure attack.

This is the kind of data that would be useful in refining an attack on the
server.

Regards,
Eric

On Wed, Jun 20, 2018, 7:09 AM Robert Munteanu <[email protected]> wrote:

> Hi Bertrand,
>
> On Wed, 2018-06-20 at 15:38 +0200, Bertrand Delacretaz wrote:
> > Hi,
> >
> > I've been working on a (very simple) module to create a
> > "capabilities"
> > endpoint, where a Sling instance can let HTTP clients know about its
> > version levels, presence or absence of certain services etc.
> >
> > It's at https://github.com/apache/sling-whiteboard/tree/master/capabi
> > lities
> > and if no one is opposed I'll move it to its own module and make a
> > first release later this week.
> >
> > Feedback is welcome.
>
> I took a look and it's nice and compact, I like it :-)
>
> My single note is that the CapabilitiesSource's javadoc says that "(the
> capability) name must be unique in a given Sling instance.". I don't
> see this enforced or at least checked + logged anywhere. Do you plan to
> introduce that?
>
> Thanks,
>
> Robert
>

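The uniqueness check Robert asks about, as an added example that is not part of the thread or of the whiteboard module: the `CapabilitiesSource` interface below is a hypothetical stand-in for the real one (assumed shape, not the project's API), and the aggregator refuses a second source with an already-registered name and logs it, so a misconfigured or malicious bundle cannot silently override what the endpoint reports.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

/** Hypothetical stand-in for the module's CapabilitiesSource (assumed shape, not the real API). */
interface CapabilitiesSource {
    /** Name that, per the javadoc quoted in the thread, must be unique per Sling instance. */
    String getName();
    /** The capability key/value pairs this source contributes. */
    Map<String, String> getCapabilities();
}

public class CapabilitiesAggregator {
    private static final Logger LOG = Logger.getLogger(CapabilitiesAggregator.class.getName());

    /**
     * Merge sources keyed by name. First registration wins; a later source with the
     * same name is skipped and logged as a warning rather than silently overriding it.
     */
    static Map<String, Map<String, String>> aggregate(List<CapabilitiesSource> sources) {
        Map<String, Map<String, String>> byName = new LinkedHashMap<>();
        for (CapabilitiesSource s : sources) {
            String name = s.getName();
            if (name == null || name.trim().isEmpty()) {
                LOG.warning("Ignoring CapabilitiesSource with empty name: " + s.getClass().getName());
                continue;
            }
            if (byName.containsKey(name)) {
                LOG.warning("Duplicate capability name '" + name + "' from "
                        + s.getClass().getName() + "; keeping the first registration");
                continue;
            }
            byName.put(name, s.getCapabilities());
        }
        return byName;
    }

    /** Small helper to build constructed sample sources for the demo. */
    static CapabilitiesSource source(String name, Map<String, String> caps) {
        return new CapabilitiesSource() {
            public String getName() { return name; }
            public Map<String, String> getCapabilities() { return caps; }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: two sources collide on the name "jcr".
        List<CapabilitiesSource> sources = Arrays.asList(
                source("jcr", Map.of("version", "2.0")),
                source("scripting", Map.of("jsp", "true")),
                source("jcr", Map.of("version", "tampered")),
                source("", Map.of("ignored", "true")));
        Map<String, Map<String, String>> result = aggregate(sources);
        // Only the first "jcr" survives; the empty-named source is dropped.
        System.out.println(result);
    }
}
```

The same hook is where a per-source logging of the contributing bundle would go, which makes it possible to audit later what the endpoint actually reveals about the instance.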