cocoon-dev mailing list archives

From "Konstantin Piroumian" <kpiroum...@apache.org>
Subject Re: Lenient Woody Binding
Date Mon, 01 Sep 2003 12:30:36 GMT
From: "Marc Portier" <mpo@outerthought.org>
> Konstantin Piroumian wrote:
> > From: "Marc Portier" <mpo@outerthought.org>
> >
> >>Hi all,
> >>
> >>
...
> >
> > There is also an option to use:
> >
> > context.createPathAndSetValue("address/zipCode", "90190");
> >
>
> nice to know!
>
>
> > to avoid NPEs or setting the lenient mode. This way you can be sure that the
> > specified path will be created and the value is set to it. Though, I'm not
> > sure if it's a good idea from security POV.
>
> why would you think it harms security?

Don't know how Woody works, but if you use automatic binding then it's
possible that the user could send parameters like this:

/user/permissions=MyNewPermission

or something like that and modify things that he should not be able to touch
normally. Not sure if this is a good example, but anyway I don't like the
idea of allowing the user to create and set any desired values.

-- Konstantin
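
The concern in this message, as an added example that is not part of the original thread and is not Woody or JXPath code: a binder that creates and sets whatever path a request parameter names, next to one that only accepts paths the form declares. `createPathAndSet` is a hypothetical stand-in over nested maps for a path-creating setter such as `createPathAndSetValue`; the class name, `bind`, and the request parameters are constructed for illustration.

```java
import java.util.*;

public class BindingAllowList {
    // Hypothetical stand-in for a path-creating setter: walks "a/b/c" through
    // nested maps, creates any missing intermediate map, then sets the leaf.
    @SuppressWarnings("unchecked")
    static void createPathAndSet(Map<String, Object> root, String path, Object value) {
        String[] steps = path.split("/");
        Map<String, Object> node = root;
        for (int i = 0; i < steps.length - 1; i++) {
            node = (Map<String, Object>) node.computeIfAbsent(
                    steps[i], k -> new HashMap<String, Object>());
        }
        node.put(steps[steps.length - 1], value);
    }

    // Binds request parameters into the model. With allowed == null every
    // parameter name is trusted as a path (automatic binding). Otherwise only
    // declared paths are written and the rest are returned for logging.
    static List<String> bind(Map<String, Object> model,
                             Map<String, String> params,
                             Set<String> allowed) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> p : params.entrySet()) {
            String path = p.getKey().replaceAll("^/+", ""); // "/user/x" -> "user/x"
            if (allowed == null || allowed.contains(path)) {
                createPathAndSet(model, path, p.getValue());
            } else {
                rejected.add(p.getKey());
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed request: one field the form offers, one it never offered.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("address/zipCode", "90190");
        params.put("/user/permissions", "MyNewPermission");

        Map<String, Object> open = new HashMap<>();
        bind(open, params, null);
        System.out.println("automatic binding: " + open);

        Map<String, Object> guarded = new HashMap<>();
        List<String> rejected =
                bind(guarded, params, Collections.singleton("address/zipCode"));
        System.out.println("declared paths only: " + guarded + " rejected=" + rejected);
    }
}
```

The set of allowed paths should come from the server-side form definition, never from anything the request carries.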


