Posted to dev@sling.apache.org by "Lorenzo Pirondini (Jira)" <ji...@apache.org> on 2021/07/07 11:44:00 UTC

[jira] [Resolved] (SLING-10591) Non latin characters can be used as recursion level in JsonRenderer

     [ https://issues.apache.org/jira/browse/SLING-10591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorenzo Pirondini resolved SLING-10591.
---------------------------------------
    Resolution: Duplicate

> Non latin characters can be used as recursion level in JsonRenderer
> -------------------------------------------------------------------
>
>                 Key: SLING-10591
>                 URL: https://issues.apache.org/jira/browse/SLING-10591
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>    Affects Versions: Servlets Get 2.1.44
>            Reporter: Lorenzo Pirondini
>            Priority: Major
>         Attachments: unicode table.md
>
>
> In the JsonRenderer, when the recursive value is parsed, it's indicated that it should be a real number and >= -1, i.e., [0-9]+ | -1.
> https://github.com/apache/sling-org-apache-sling-servlets-get/blob/3828946288f4a03cafdde1069e34fc2603ed056d/src/main/java/org/apache/sling/servlets/get/impl/helpers/JsonRenderer.java#L182
> It was found that other Unicode numbers can be used, such as `١`, `꧕` or `႙`.
> This has security implications in projects implementing Sling and trying to restrict access to the recursive selector.
>  
> Expected outcome:
> Only numbers 0-9 and -1 can be used as numerical recursive selectors.
>  
> Full table of Unicode characters that have been found working as recursive selectors:
> [^unicode table.md]
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
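
Added example, not part of the original message and not Sling's own code: it assumes the recursion level is converted with `Integer.parseInt`, which accepts any character that `Character.digit` maps to a decimal value, and puts that lenient parse beside a strict check matching the expected outcome in the issue (`[0-9]+ | -1`). The class and method names are hypothetical, and the sample selectors are constructed.

```java
import java.util.regex.Pattern;

public class RecursionLevelCheck {
    // ASCII digits only, or the literal -1 (the issue's expected outcome).
    // In java.util.regex, [0-9] matches only U+0030..U+0039.
    private static final Pattern STRICT = Pattern.compile("-1|[0-9]+");

    /** Lenient parse: accepts non-ASCII decimal digits and a leading '+'. */
    static int lenient(String level) {
        return Integer.parseInt(level);
    }

    /** Strict parse: rejects anything outside [0-9]+ | -1 before converting. */
    static int strict(String level) {
        if (level == null || !STRICT.matcher(level).matches()) {
            throw new IllegalArgumentException("invalid recursion level");
        }
        // Still throws NumberFormatException on values above Integer.MAX_VALUE.
        return Integer.parseInt(level);
    }

    /** Returns the parsed value as text, or "rejected" if the parser refuses it. */
    static String outcome(boolean useStrict, String level) {
        try {
            return String.valueOf(useStrict ? strict(level) : lenient(level));
        } catch (IllegalArgumentException e) { // includes NumberFormatException
            return "rejected";
        }
    }

    public static void main(String[] args) {
        // Constructed samples. \u0661 is ARABIC-INDIC DIGIT ONE, one of the
        // characters quoted in the issue; \u0660 is ARABIC-INDIC DIGIT ZERO.
        String[] samples = { "1", "-1", "\u0661", "\u0661\u0660", "+1", "1a" };
        for (String s : samples) {
            StringBuilder codePoints = new StringBuilder();
            s.codePoints().forEach(cp -> codePoints.append(String.format("U+%04X ", cp)));
            System.out.printf("%-16s lenient=%-9s strict=%s%n",
                    codePoints.toString().trim(), outcome(false, s), outcome(true, s));
        }
    }
}
```

Any upstream rule that restricts the recursive selector by matching ASCII digits needs the same strictness in the parser behind it, otherwise the two layers disagree on what counts as a number.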