hi all

On Fri, May 4, 2012 at 5:18 AM, Chetan Mehrotra
<[email protected]> wrote:
...Let me know if any other change is required from my side for this
feature to be included in Sling...

I haven't looked in detail yet, but IIUC your service allows arbitrary
code to be executed from a POST request (which is cool in the context
of testing that I saw in your example).


FWIW, I consider this a non-issue. The web console already allows for
arbitrary code execution by installing a bundle :)

it depends on what exactly the nature of the service is. if it was only
accessible to the same privileged users that have access to the web
console, you are right. however, if this leads to a privilege
escalation for whatever reason, it definitely is a security issue.

kind regards
angela

Justin


As that can be a security risk, maybe it would be good to have some
form of warning, that people must be aware of the implications if
enabling that service? Maybe just a WARN log message at activation
time, or something similar that reasonable users shouldn't ignore.

-Bertrand