cocoon-dev mailing list archives

From "Robin Green" <gree...@hotmail.com>
Subject Re: [Cocoon 1.8] ProducerFromRequest revisited
Date Thu, 12 Oct 2000 21:40:24 GMT
"Clinton, Doug" <dclinton@tanning.com> wrote:
>Cristophe Maligorne posted a message about this problem back in September
>but I didn't see a satisfactory followup to his message.

I did a general follow-up, several times in fact, not necessarily 
specifically to Cristophe but to everyone. It's now in the FAQ under "site 
architecture issues".

I assume you're calling Cocoon from a servlet. If you are, you shouldn't 
allow anyone to pass in anything to Cocoon and have it executed, which is 
exactly what the ProducerFromRequest class did. However, as Uli points out, 
it's not impossible to secure such a system (add IP verification etc.). The 
important point is that the default setting in cocoon.properties was 
seriously insecure, so we took it out - and took the class out too to force 
people to update their cocoon.properties files (Cocoon won't run if a 
non-existent producer is referenced in there).

But I'm confused about what your setup is doing - see below.

>
>The problem is that ProducerFromRequest was removed from Cocoon at version
>1.8 (due to security problems with it, as I understand it).  However, in
>EngineWrapper.java there is this method:
>
>         public String getParameter(String name) {
>             if ((document != null) && (name.equalsIgnoreCase("producer"))) {
>                 return "org.apache.cocoon.producer.ProducerFromRequest";
>             } else {
>                 return null;
>             }
>         }
>
>When I try to use Cocoon 1.8 with Tomcat (3.2 beta 6) it bombs out in
>ProducerFactory complaining that it can't load ProducerFromRequest, so
>something is clearly calling this getParameter method and trying to create
>a producer from it.

You're right, that's a bug. The other bug is that the CocoonFromServlet 
example depends on it.

>
>I have worked around this by changing getParameter to return
>"org...ProducerFromFile" instead of "ProducerFromRequest" and that seems to
>work for the simple tests that I've tried. However, I was hoping to get a
>more definitive answer on the issue.

Odd. The two do completely different things. You must have the same XML file 
both on disc and in the request, right? Which is certainly inefficient.


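Added illustration, not code from Cocoon or from anyone in this thread: a hypothetical producer registry in the style of the cocoon.properties mechanism Robin describes. Producers are instantiated from a server-side configuration at startup, so a configuration entry that still names a removed class (the situation Doug hits with ProducerFromRequest) fails before any request is served, and a request can only pick a configured logical name, never a class to load. The Producer interface, FileProducer, ProducerRegistry and the "producer"/"file" parameter names are all assumptions made for this example.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for Cocoon's producer abstraction; not Cocoon's own interface.
interface Producer {
    String produce(Map<String, String> request);
}

// Constructed producer: it reads a document named by the request, but the document
// itself lives on the server. Request content is data, never something to execute.
class FileProducer implements Producer {
    public String produce(Map<String, String> request) {
        String file = request.get("file");
        if (file == null) {
            throw new IllegalArgumentException("missing file parameter");
        }
        return "would load " + file + " from the configured document root";
    }
}

// Registry built once at startup from configuration (logical name -> class name),
// mirroring how cocoon.properties lists producers.
final class ProducerRegistry {
    private final Map<String, Producer> byName = new HashMap<>();

    // Every configured class is loaded and instantiated here, so an entry that
    // references a class that no longer exists refuses startup instead of
    // surfacing as a ProducerFactory failure on the first request.
    ProducerRegistry(Map<String, String> config) throws ReflectiveOperationException {
        for (Map.Entry<String, String> entry : config.entrySet()) {
            Class<?> cls = Class.forName(entry.getValue());
            if (!Producer.class.isAssignableFrom(cls)) {
                throw new IllegalArgumentException(entry.getValue() + " is not a Producer");
            }
            byName.put(entry.getKey(), (Producer) cls.getDeclaredConstructor().newInstance());
        }
    }

    // The request supplies only a logical name; class names are never taken from it.
    Producer select(String logicalName) {
        Producer p = byName.get(logicalName);
        if (p == null) {
            throw new IllegalArgumentException("no configured producer named " + logicalName);
        }
        return p;
    }
}

public class ProducerSelectionExample {
    public static void main(String[] args) throws Exception {
        // Stale configuration: the class was removed in 1.8, so startup is refused.
        Map<String, String> stale = new HashMap<>();
        stale.put("request", "org.apache.cocoon.producer.ProducerFromRequest");
        try {
            new ProducerRegistry(stale);
        } catch (ClassNotFoundException e) {
            System.out.println("startup refused: " + e.getMessage());
        }

        // Valid configuration (FileProducer is in the default package of this file).
        Map<String, String> config = new HashMap<>();
        config.put("file", "FileProducer");
        ProducerRegistry registry = new ProducerRegistry(config);

        // Constructed request: selects a configured logical name.
        Map<String, String> request = new HashMap<>();
        request.put("producer", "file");
        request.put("file", "index.xml");
        System.out.println(registry.select(request.get("producer")).produce(request));

        // A request naming a class rather than a configured producer is rejected.
        request.put("producer", "org.apache.cocoon.producer.ProducerFromRequest");
        try {
            registry.select(request.get("producer"));
        } catch (IllegalArgumentException e) {
            System.out.println("request refused: " + e.getMessage());
        }
    }
}
```

Compile and run as a single file (`javac ProducerSelectionExample.java && java ProducerSelectionExample`). The two failure paths are the ones the thread describes: a configuration that references a non-existent producer stops the engine at startup, and a request can only choose among producers the operator configured.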