sling-dev mailing list archives

From Bertrand Delacretaz <bdelacre...@apache.org>
Subject Re: New "capabilities" module, feedback welcome
Date Thu, 21 Jun 2018 13:28:58 GMT
Hi,

On Wed, Jun 20, 2018 at 9:47 PM Eugen Stan <ieugen@netdava.com> wrote:
> On 20.06.2018 19:02, Eric Norman wrote:
> >... It seems to me that there is a risk that this endpoint could leave the system
> > vulnerable to an information disclosure attack.
> >
> I was thinking the same thing. I think this should be protected and of
> course the risks of exposing this endpoint should be documented. ..

You are right!

I think we have discussed a few times how to restrict the execution of
certain servlets like this one, as currently any user who can create a
node with the sling/capabilities resource type can get access to that
information.

But we didn't come to a firm conclusion AFAIR.

To prevent this I can use a "shadow permissions resource" at a
configurable path, defaulting to
/libs/sling/permissions/capabilities/read

The CapabilitiesServlet can then require that resource to be present
and readable by the current user, and return a 403 Forbidden status if
not.

How does that sound?

If people like this idea we might document it as a recommended pattern
for such cases.

-Bertrand
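
One way the servlet-side check proposed in this message could look, as an added example that is not from the original post or the Sling code base: `GuardedServlet`, its `Config` and the `permissionsPath` setting are hypothetical names, and the response body is a placeholder.

```java
// Added illustration; GuardedServlet and its Config are hypothetical, not Sling's CapabilitiesServlet.
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

@Component(service = Servlet.class,
    property = "sling.servlet.resourceTypes=sling/capabilities")
@Designate(ocd = GuardedServlet.Config.class)
public class GuardedServlet extends SlingSafeMethodsServlet {

    @ObjectClassDefinition(name = "Guarded servlet (example)")
    public @interface Config {
        @AttributeDefinition(name = "Shadow permissions resource path")
        String permissionsPath() default "/libs/sling/permissions/capabilities/read";
    }

    private volatile String permissionsPath;

    @Activate
    protected void activate(Config cfg) {
        permissionsPath = cfg.permissionsPath();
    }

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws IOException {
        // getResource() resolves with the requesting user's session, so it returns null
        // both when the node is missing and when that user has no read access to it.
        String path = permissionsPath;
        boolean allowed = path != null && path.startsWith("/")
                && request.getResourceResolver().getResource(path) != null;
        if (!allowed) {
            // Fail closed: a blank or relative path, or an absent node, denies everyone.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("application/json");
        response.getWriter().write("{}"); // placeholder body; the real payload is out of scope
    }
}
```

The absolute-path check matters because a relative path would be resolved against the resource resolver's search path and could match a different node than the one the ACLs were set on.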
