Posted to dev@sling.apache.org by "Felix Meschberger (JIRA)" <ji...@apache.org> on 2009/07/02 09:18:47 UTC

[jira] Updated: (SLING-989) scripts in /apps are read by user session, this leads to security problem

     [ https://issues.apache.org/jira/browse/SLING-989?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Felix Meschberger updated SLING-989:
------------------------------------

          Component/s: Scripting
    Affects Version/s: Scripting Core 2.0.4

> scripts in /apps are read by user session, this leads to security problem
> -------------------------------------------------------------------------
>
>                 Key: SLING-989
>                 URL: https://issues.apache.org/jira/browse/SLING-989
>             Project: Sling
>          Issue Type: Bug
>          Components: Scripting
>    Affects Versions: Scripting Core 2.0.4
>            Reporter: Michael Marth
>
> At the moment the user session is used to read the scripts stored in /apps. Most web apps have some anonymous users as well, therefore the ACLs of /apps must allow read access of the /apps directory. Hence, all scripts within /apps are readable by anyone.
> I suggest allowing the Sling administrator to configure which session to use when the scripts are read. He could choose the admin session or stick with the default (the user's session).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
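
The access-control consequence described in the report, as an added example that is not part of the original message and is not Sling or JCR code. It is a toy model: the `Repo` class, the `render` function, the principals and the node paths are all constructed for illustration.

```python
# Toy ACL model (constructed; not the Sling or JCR API).
ANONYMOUS, ADMIN = "anonymous", "admin"   # hypothetical principals
PAGE, SCRIPT = "/content/home", "/apps/site/page.esp"   # constructed paths

class Repo:
    def __init__(self, nodes, read_acl):
        self.nodes = nodes        # path -> stored content
        self.read_acl = read_acl  # path prefix -> principals allowed to read

    def read(self, principal, path):
        """Return the node if the longest matching ACL prefix grants read."""
        prefixes = [p for p in self.read_acl
                    if path == p or path.startswith(p.rstrip("/") + "/")]
        if not prefixes or principal not in self.read_acl[max(prefixes, key=len)]:
            raise PermissionError(f"{principal} may not read {path}")
        return self.nodes[path]

def render(repo, user, content_path, script_path, script_session=None):
    """Render content with a script. The script is loaded with script_session,
    or with the requesting user's own session when none is configured."""
    content = repo.read(user, content_path)
    script = repo.read(script_session or user, script_path)
    return script.format(content)   # the response is the output, not the source

def can_read_source(repo, principal, path):
    """True if the principal can fetch the raw script node directly."""
    try:
        repo.read(principal, path)
        return True
    except PermissionError:
        return False

NODES = {PAGE: "Welcome", SCRIPT: "<h1>{}</h1>"}   # constructed sample content

# Default behaviour: scripts are read with the user session, so /apps must be
# readable by anonymous for anonymous page views to work at all.
OPEN_REPO = Repo(NODES, {"/content": {ANONYMOUS, ADMIN}, "/apps": {ANONYMOUS, ADMIN}})
# Suggested behaviour: /apps is closed to anonymous and a configured session
# (here the admin session) is used only for loading scripts.
LOCKED_REPO = Repo(NODES, {"/content": {ANONYMOUS, ADMIN}, "/apps": {ADMIN}})

if __name__ == "__main__":
    print(render(OPEN_REPO, ANONYMOUS, PAGE, SCRIPT))                 # page renders
    print(can_read_source(OPEN_REPO, ANONYMOUS, SCRIPT))              # source exposed
    print(render(LOCKED_REPO, ANONYMOUS, PAGE, SCRIPT, script_session=ADMIN))
    print(can_read_source(LOCKED_REPO, ANONYMOUS, SCRIPT))            # source protected
```

With `LOCKED_REPO` and no `script_session`, `render` raises `PermissionError` for the anonymous user, which is why the default forces `/apps` to be readable.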