Posted to dev@sling.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2023/05/06 10:26:00 UTC

[jira] [Resolved] (SLING-3379) OptingServlet accepts method bypassed

     [ https://issues.apache.org/jira/browse/SLING-3379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved SLING-3379.
-------------------------------------
    Resolution: Won't Fix

> OptingServlet accepts method bypassed
> -------------------------------------
>
>                 Key: SLING-3379
>                 URL: https://issues.apache.org/jira/browse/SLING-3379
>             Project: Sling
>          Issue Type: Bug
>          Components: Servlets
>            Reporter: Anthony Rumsey
>            Priority: Major
>
> It is possible for the accepts method of the OptingServlet interface to be bypassed under certain conditions.
> For example consider a servlet called MyServlet that has a resourceType of "myapp/components/foo" and allows the POST method with a selector of "bar". This servlet also implements the OptingServlet interface and has an 'accepts' method that checks the extension on the request.
> During some security testing I discovered that when I give a node a sling:resourceType of "myapp/components/foo.POST.servlet", I can POST to this node with no selector and any extension I want, which will still resolve to the MyServlet but not call the "accepts" method from the OptingServlet interface and goes directly to the doPost method.
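The defensive pattern a servlet author would want against the behaviour described in the report is to not rely on accepts() alone as a gate: the same extension check is applied again inside doPost, so a request that reaches the handler without the opting hook having been consulted is still rejected. The class below is an added illustration, not code from the issue or from the Sling project; the servlet name, resource type, selector and the accepted extension "json" are assumed, and the OSGi registration properties that bind it to the resource type are omitted.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.OptingServlet;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;

// Hypothetical servlet modelled on the "MyServlet" of the report: bound to
// resource type "myapp/components/foo", method POST, selector "bar".
// The sling.servlet.* registration properties are assumed to be declared
// on the OSGi component and are not shown here.
public class MyServlet extends SlingAllMethodsServlet implements OptingServlet {

    // Extension this servlet is willing to handle (assumed value).
    private static final String ACCEPTED_EXTENSION = "json";

    // Single source of truth for the extension check, so the opting
    // decision and the request handler can never disagree.
    static boolean hasAcceptedExtension(SlingHttpServletRequest request) {
        String ext = request.getRequestPathInfo().getExtension();
        return ACCEPTED_EXTENSION.equals(ext);
    }

    // OptingServlet hook, consulted during servlet resolution.
    @Override
    public boolean accepts(SlingHttpServletRequest request) {
        return hasAcceptedExtension(request);
    }

    // Re-apply the same check in the handler. If a request arrives here
    // without accepts() having been called, as the report describes for a
    // node typed "myapp/components/foo.POST.servlet", it is still refused.
    @Override
    protected void doPost(SlingHttpServletRequest request,
                          SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!hasAcceptedExtension(request)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Real POST handling goes here; a minimal JSON reply stands in for it.
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write("{\"status\":\"ok\"}");
    }
}
```

Responding with 404 rather than 403 keeps the rejected path indistinguishable from a resource that simply has no handler, which is the same outcome a request with the wrong extension gets when accepts() does run.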
--
This message was sent by Atlassian Jira
(v8.20.10#820010)