cocoon-dev mailing list archives

From Bruno Dumon <br...@outerthought.org>
Subject Re: Lenient Woody Binding
Date Mon, 01 Sep 2003 16:23:34 GMT
On Mon, 2003-09-01 at 18:12, Sylvain Wallez wrote:
> Konstantin Piroumian wrote:
> 
> >From: "Marc Portier" <mpo@outerthought.org>
> >
> >>Konstantin Piroumian wrote:
> >>
> >>>From: "Marc Portier" <mpo@outerthought.org>
> >>>
> >>>>Hi all,
> >...
> >
> >>>There is also an option to use:
> >>>
> >>>context.createPathAndSetValue("address/zipCode", "90190");
> >>
> >>nice to know!
> >>
> >>>to avoid NPEs or setting the lenient mode. This way you can be sure that
> >>>the specified path will be created and the value is set to it. Though, I'm not sure if it's
> >>>a good idea from security POV.
> >>
> >>why would you think it harms security?
> >
> >Don't know how Woodie works, but if you use automatic binding then it's
> >possible that the user could send parameters like this:
> >
> >/user/permissions=MyNewPermission

or even better, since from JXPath you can call static methods:
"System.exit(0)" :-)

> >
> >or something like that and modify things that he should not be able to touch
> >normally. Not sure if this is a good example, but anyway I don't like the
> >idea of allowing the user to create and set any desired values.
> >
> 
> This is a security hole that exists in XMLForm/JXForm but not in Woody :
> - XMLForm/JXForm iterates on request parameters and tries to use them as 
> XPath expressions thus allowing any modification of the business model
> - Woody traverses the form definition and each form widget gets its 
> corresponding request parameter. It's therefore not possible to modify 
> the business model in a way that is not allowed by the form by injecting 
> additional request parameters.
> 
> Sylvain
-- 
Bruno Dumon                             http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno@outerthought.org                          bruno@apache.org
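The two binding strategies Sylvain contrasts above, as an added Java example that is not code from this thread, from XMLForm/JXForm or from Woody. The `User` and `Address` beans, the widget list and the request map are constructed for illustration; the binding itself uses the commons-jxpath `JXPathContext` API (`newContext`, `setValue`), the same API the quoted `createPathAndSetValue` call belongs to. `bindFromRequestParameters` follows the request-driven pattern Sylvain describes as the hole: whatever parameter names the client sends become XPath writes into the model, so an undeclared `permissions` parameter lands on the bean. `bindFromFormDefinition` walks the form definition instead and only reads the request parameters that a declared widget asks for, so the extra parameter is never looked at.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.apache.commons.jxpath.JXPathContext;

// Constructed business model for this example; not a Cocoon class.
public class BindingExample {

    public static class Address {
        private String zipCode;
        public String getZipCode() { return zipCode; }
        public void setZipCode(String zipCode) { this.zipCode = zipCode; }
    }

    public static class User {
        private String name;
        private Address address = new Address();
        private String permissions = "user";   // should never be client-writable
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Address getAddress() { return address; }
        public void setAddress(Address address) { this.address = address; }
        public String getPermissions() { return permissions; }
        public void setPermissions(String permissions) { this.permissions = permissions; }
    }

    // Request-driven binding (the XMLForm/JXForm pattern from the thread):
    // each request parameter name is used directly as an XPath into the model,
    // so the client decides which properties get written.
    public static void bindFromRequestParameters(User model, Map<String, String> requestParams) {
        JXPathContext ctx = JXPathContext.newContext(model);
        for (Map.Entry<String, String> e : requestParams.entrySet()) {
            ctx.setValue(e.getKey(), e.getValue());
        }
    }

    // Form-driven binding (the Woody pattern from the thread): the form
    // definition lists the paths that may be bound; the request is only
    // consulted for those, and any other parameter is ignored.
    public static void bindFromFormDefinition(User model, List<String> widgetPaths,
                                              Map<String, String> requestParams) {
        JXPathContext ctx = JXPathContext.newContext(model);
        for (String path : widgetPaths) {
            String value = requestParams.get(path);
            if (value != null) {
                ctx.setValue(path, value);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed request: the client appended a "permissions" parameter
        // that no widget in the form declares.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("name", "alice");
        request.put("address/zipCode", "90190");
        request.put("permissions", "admin");

        // The form definition declares exactly two widgets.
        List<String> formWidgets = Arrays.asList("name", "address/zipCode");

        User requestDriven = new User();
        bindFromRequestParameters(requestDriven, request);
        System.out.println("request-driven binding, permissions = " + requestDriven.getPermissions());

        User formDriven = new User();
        bindFromFormDefinition(formDriven, formWidgets, request);
        System.out.println("form-driven binding, permissions = " + formDriven.getPermissions());
    }
}
```

Compile and run with commons-jxpath on the classpath. In the first binder the loop variable is the attacker-controlled parameter name, so the set of writable properties is the set of everything JXPath can reach from the model; in the second, the loop variable comes from the form definition, and the request only supplies values, which is the property Sylvain relies on when he says extra parameters cannot reach the business model. Note that switching the second binder to `createPathAndSetValue`, as suggested earlier in the thread, is harmless there because the paths still come from the form, whereas in the first binder it would additionally let the client instantiate intermediate objects.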

