[jira] [Comment Edited] (SLING-12093) ResourceResolver.getAttribute(...) might return sensitive information

2023-10-12 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774572#comment-17774572
 ] 

Konrad Windszus edited comment on SLING-12093 at 10/12/23 3:24 PM:
---

That may cause regressions as currently (almost) all authentication info is 
exposed irrespective of the underlying providers.


was (Author: kwin):
That may cause regressions as currently all authentication info is exposed 
irrespective of the underlying providers.

> ResourceResolver.getAttribute(...) might return sensitive information
> -
>
> Key: SLING-12093
> URL: https://issues.apache.org/jira/browse/SLING-12093
> Project: Sling
> Issue Type: Improvement
> Components: ResourceResolver
> Affects Versions: Resource Resolver 1.11.0
> Reporter: Konrad Windszus
> Priority: Major
>
> The method {{ResourceResolver.getAttribute(...)}} retrieves a named attribute 
> from either
> - the underlying resource provider or
> - the authentication info passed to the factory
> In addition, it filters out some attributes supposed to contain sensitive 
> information 
> (https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)
> Although there is some JCR specific authentication info filtered in 
> https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676,
> this is not effective as the authentication info is retrieved without 
> consulting any resource provider. 
> This affects the attribute {{user.jcr.credentials}}.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
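To make the defect in the issue description and the design proposed in the follow-up comment concrete, here is an added, simplified sketch that is not Sling's code: the provider is modelled with an illustrative interface, `user.password` is an assumed example of the resolver's own static deny-list, and the auth-info map is constructed inline.

```java
import java.util.*;

// Hypothetical, simplified model of the lookup described in SLING-12093; not Sling's code.
// All names are illustrative; the real ResourceResolver/ResourceProvider API differs.
public class AttributeLookupSketch {
    interface Provider {
        Object getProviderAttribute(String name);
        // Default: filter nothing (option "a" in the discussion); a provider may override.
        default Set<String> sensitiveAuthInfoKeys() { return Collections.emptySet(); }
    }

    // JCR-style provider that declares its credentials key as sensitive.
    static class JcrLikeProvider implements Provider {
        public Object getProviderAttribute(String name) { return null; }
        @Override public Set<String> sensitiveAuthInfoKeys() { return Set.of("user.jcr.credentials"); }
    }

    private final Provider provider;
    private final Map<String, Object> authInfo;

    AttributeLookupSketch(Provider provider, Map<String, Object> authInfo) {
        this.provider = provider;
        this.authInfo = authInfo;
    }

    // Behaviour the issue describes: only the resolver's own static deny-list ("user.password"
    // is an assumed example key) is applied; the provider is never consulted for auth info.
    Object getAttributeBefore(String name) {
        Object fromProvider = provider.getProviderAttribute(name);
        if (fromProvider != null) return fromProvider;
        if ("user.password".equals(name)) return null;
        return authInfo.get(name); // the credentials object is handed out here
    }

    // Proposed behaviour: consult the provider's exclusion set before falling back to auth info.
    Object getAttributeAfter(String name) {
        Object fromProvider = provider.getProviderAttribute(name);
        if (fromProvider != null) return fromProvider;
        if ("user.password".equals(name) || provider.sensitiveAuthInfoKeys().contains(name)) return null;
        return authInfo.get(name);
    }

    public static void main(String[] args) {
        Map<String, Object> authInfo = new HashMap<>(); // constructed sample auth info
        authInfo.put("user.jcr.credentials", "<constructed credentials>");
        AttributeLookupSketch s = new AttributeLookupSketch(new JcrLikeProvider(), authInfo);
        System.out.println("before: " + s.getAttributeBefore("user.jcr.credentials"));
        System.out.println("after:  " + s.getAttributeAfter("user.jcr.credentials"));
    }
}
```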


[jira] [Comment Edited] (SLING-12093) ResourceResolver.getAttribute(...) might return sensitive information

2023-10-12 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-12093?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17774596#comment-17774596
 ] 

Konrad Windszus edited comment on SLING-12093 at 10/12/23 4:15 PM:
---

It basically boils down to the question what should be the default (if not 
overwritten by the provider). Either a) filter nothing or b) filter everything 
(from authentication info). I would go for a) but allow the resource provider 
to overwrite this rule. Then we can at least for the JCR resource provider 
exclude all sensitive attributes.


was (Author: kwin):
It basically boils down to the question what should be the default (if not 
overwritten by the provider). Either a) filter nothing or b) filter everything 
(from authentication info). I would go for a) but allow the resource provider 
to filter. Then we can at least for the JCR resource provider exclude all 
sensitive attributes.
