[ https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17029771#comment-17029771 ]
Julian Reschke commented on SLING-9043: --------------------------------------- I think testing with curl is misleading; you really need to test with the request as sent from a browser. > COPY should be in the referer filter's default list of protected HTTP methods > ----------------------------------------------------------------------------- > > Key: SLING-9043 > URL: https://issues.apache.org/jira/browse/SLING-9043 > Project: Sling > Issue Type: Bug > Components: Resource Access Security > Reporter: Sonal Gupta > Priority: Major > Labels: vulnerability > > The COPY method , by default, is not in the list of methods covered by the > CSRF Referer filter. This might allow an attacker to copy files (abusing the > privileges of a logged in victim) using CSRF. -- This message was sent by Atlassian Jira (v8.3.4#803005)