[ https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17027228#comment-17027228 ]
Julian Reschke commented on SLING-9043: --------------------------------------- Not convinced, that COPY is actually a problem. Also, if COPY is, MOVE would be, too, right? > COPY should be in the referer filter's default list of protected HTTP methods > ----------------------------------------------------------------------------- > > Key: SLING-9043 > URL: https://issues.apache.org/jira/browse/SLING-9043 > Project: Sling > Issue Type: Bug > Components: Resource Access Security > Reporter: Sonal Gupta > Priority: Major > Labels: vulnerability > > The COPY method , by default, is not in the list of methods covered by the > CSRF Referer filter. This might allow an attacker to copy files (abusing the > privileges of a logged in victim) using CSRF. -- This message was sent by Atlassian Jira (v8.3.4#803005)