[SLING-12093] ResourceResolver.getAttribute(...) might return sensitive information - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: Resource Resolver 1.11.0
Fix Version/s: None
Component/s: ResourceResolver
Labels:
None

Description

The method ResourceResolver.getAttribute(...) retrieves a named attribute from either

the underlying resource provider or
the authentication info passed to the factory

In addition it filters out some attributes supposed to contain sensitive information (https://github.com/apache/sling-org-apache-sling-resourceresolver/blob/d9e90e455c0f71e84414bb09c83d7e678f1a788e/src/main/java/org/apache/sling/resourceresolver/impl/helper/ResourceResolverControl.java#L400)

Although there is some JCR specific authentication info filtered in https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/685c50921085941f4cbb1a3ccdbf90bad0605527/src/main/java/org/apache/sling/jcr/resource/internal/helper/jcr/JcrResourceProvider.java#L676, this is not-effective as the authentication info is retrieved without consulting any resource provider.

This affects the attribute user.jcr.credentials.

Attachments

Issue Links

is broken by

SLING-4750 New Resource Provider API

Closed

is related to

SLING-11723 Expose more authentication information from ResourceResolver

In Progress

Activity

People

Assignee:: Unassigned

Reporter:: Konrad Windszus

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/Oct/23 13:32

Updated:: 16/Oct/23 18:06