Posted to dev@sling.apache.org by "Stefan Seifert (JIRA)" <ji...@apache.org> on 2017/03/24 15:44:41 UTC

[jira] [Commented] (SLING-6708) Sling Dynamic Include - Usage of nocache selector allows uncached access to everything

    [ https://issues.apache.org/jira/browse/SLING-6708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940587#comment-15940587 ] 

Stefan Seifert commented on SLING-6708:
---------------------------------------

Not sure what should be fixed inside Sling or SDI for this issue.
You can always make the pattern more explicit in your webserver configuration and let only requests pass to URLs where you expect and allow it.


> Sling Dynamic Include - Usage of nocache selector allows uncached access to everything
> --------------------------------------------------------------------------------------
>
>                 Key: SLING-6708
>                 URL: https://issues.apache.org/jira/browse/SLING-6708
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: Dynamic Include 3.0.0, Dynamic Include 3.0.2
>            Reporter: Henry Kuijpers
>            Priority: Blocker
>
> The SDI module works with a nocache-selector (or a selector that we arbitrarily choose).
> However, we cannot guarantee that only SDI's requests come in through the nocache-selector. It can be any request.
> This document says https://github.com/Cognifide/Sling-Dynamic-Include
> that we should configure the Dispatcher to not cache when {code}*.nocache.html*{code} can be applied to the request.
> This means that anyone can use the nocache-selector on any request to bypass Dispatcher caching for html files.
> It even means that ".nocache.html" can appear anywhere in the full request URL.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
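
An added example (not part of the original message, and not Sling or SDI code): a Python audit that compares the broad glob quoted in the issue with an explicit pattern of the kind the comment suggests, run over constructed request URLs. The use of `fnmatch` to approximate Dispatcher glob matching, the `/jcr_content/` allowlist pattern and the sample URLs are assumptions to adapt per site.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Rule quoted in the issue: anything matching this glob is not cached.
BROAD_GLOB = "*.nocache.html*"

# Hypothetical explicit pattern (assumption): includes are expected only for
# component resources below a page's jcr_content node, with the selector
# directly before the extension and nothing after it.
STRICT_INCLUDE = re.compile(
    r"/content/[\w/-]+/jcr_content/[\w/-]+\.nocache\.html"
)


def bypasses_cache(url: str) -> bool:
    """True if the broad glob exempts this request from caching."""
    return fnmatchcase(url, BROAD_GLOB)


def is_expected_include(url: str) -> bool:
    """True only for URLs shaped like an include we expect and allow."""
    parts = urlsplit(url)
    return not parts.query and STRICT_INCLUDE.fullmatch(parts.path) is not None


def audit(urls):
    """Requests that skip the cache but do not look like an expected include."""
    return [u for u in urls if bypasses_cache(u) and not is_expected_include(u)]


# Constructed sample request URLs (not taken from any real log).
SAMPLE_URLS = [
    "/content/site/en/home.html",                                 # normal, cached
    "/content/site/en/home/jcr_content/par/teaser.nocache.html",  # expected include
    "/content/site/en/home.nocache.html",                         # selector on a full page
    "/content/site/en/home.html?x=.nocache.html",                 # string only in the query
    "/content/site/en/home.nocache.html/suffix.html",             # string mid-URL
]

if __name__ == "__main__":
    for url in audit(SAMPLE_URLS):
        print("uncached but unexpected:", url)
```

The three flagged URLs are the requests a narrower webserver or Dispatcher pattern would have to stop exempting from the cache.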