cocoon-dev mailing list archives

From Sylvain Wallez <sylvain.wal...@anyware-tech.com>
Subject Re: Lenient Woody Binding
Date Mon, 01 Sep 2003 16:12:02 GMT
Konstantin Piroumian wrote:

>From: "Marc Portier" <mpo@outerthought.org>
>  
>
>>Konstantin Piroumian wrote:
>>    
>>
>>>From: "Marc Portier" <mpo@outerthought.org>
>>>      
>>>
>>>>Hi all,
>>>>        
>>>>
>...
>  
>
>>>There is also an option to use:
>>>
>>>context.createPathAndSetValue("address/zipCode", "90190");
>>>      
>>>
>>nice to know!
>>    
>>
>>>to avoid NPEs or setting the lenient mode. This way you can be sure that the specified
>>>path will be created and the value is set to it. Though, I'm not sure if it's a good idea
>>>from security POV.
>>>      
>>>
>>why would you think it harms security?
>>    
>>
>
>Don't know how Woodie works, but if you use automatic binding then it's
>possible that the user could send parameters like this:
>
>/user/permissions=MyNewPermission
>
>or something like that and modify things that he should not be able to touch
>normally. Not sure if this is a good example, but anyway I don't like the
>idea of allowing the user to create and set any desired values.
>

This is a security hole that exists in XMLForm/JXForm but not in Woody:
- XMLForm/JXForm iterates on request parameters and tries to use them as 
XPath expressions thus allowing any modification of the business model
- Woody traverses the form definition and each form widget gets its 
corresponding request parameter. It's therefore not possible to modify 
the business model in a way that is not allowed by the form by injecting 
additional request parameters.

Sylvain

-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance  -  http://www.orixo.com
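
The difference Sylvain describes above (request-driven binding, where every request parameter is treated as a path into the business model, versus form-driven binding, where only the widgets declared in the form definition pull values from the request) is easy to see in a small model. The following is an added example, not Cocoon, XMLForm or Woody code: the `/a/b` path setter is a stand-in for JXPath's setValue / createPathAndSetValue, the user dictionary and the two request dictionaries are constructed, and the `FORM_DEFINITION` tuple plays the role of a Woody form definition with a single `address/zipCode` widget.

```python
"""Added example: request-driven vs form-driven binding of request parameters.

Models the two binding strategies discussed in the thread; it is not
Cocoon/Woody/XMLForm code. The model, the form definition and the requests
below are constructed for illustration.
"""
from typing import Any, Dict, Iterable


def make_user() -> Dict[str, Any]:
    """Constructed business object: a user may edit their address but must
    never be able to change their own permissions through the form."""
    return {
        "name": "alice",
        "address": {"zipCode": "90210"},
        "permissions": ["read"],
    }


def set_path(model: Dict[str, Any], path: str, value: Any, create: bool = False) -> None:
    """Minimal slash-separated path setter standing in for an XPath setValue.

    With create=False a missing intermediate node is an error (the NPE /
    non-lenient case from the thread); with create=True the missing nodes are
    created on the way, like createPathAndSetValue.
    """
    parts = [p for p in path.split("/") if p]
    if not parts:
        raise ValueError("empty path")
    node = model
    for key in parts[:-1]:
        if key not in node:
            if not create:
                raise KeyError(f"no such node on path: {path}")
            node[key] = {}
        node = node[key]
    node[parts[-1]] = value


def bind_request_driven(model: Dict[str, Any], request: Dict[str, str],
                        create: bool = True) -> Dict[str, Any]:
    """XMLForm/JXForm style: iterate over the request parameters and use each
    parameter name as a path into the model. The client decides what is written."""
    for name, value in request.items():
        set_path(model, name, value, create=create)
    return model


# Form-driven side: the form declares its widgets; nothing else is bound.
FORM_DEFINITION: tuple = ("address/zipCode",)


def bind_form_driven(model: Dict[str, Any], request: Dict[str, str],
                     form: Iterable[str] = FORM_DEFINITION) -> Dict[str, Any]:
    """Woody style: iterate over the form definition and let each widget fetch
    its own request parameter. Parameters not backed by a widget are ignored."""
    for widget_path in form:
        if widget_path in request:
            set_path(model, widget_path, request[widget_path])
    return model


def strict_binding_rejects(request: Dict[str, str]) -> bool:
    """True if non-lenient request-driven binding fails on this request
    (i.e. the client tried to write under a node that does not exist)."""
    try:
        bind_request_driven(make_user(), request, create=False)
    except KeyError:
        return True
    return False


# Constructed request: one legitimate form field plus an injected parameter.
INJECTED_REQUEST = {"address/zipCode": "90190", "permissions": "admin"}
# Constructed request that targets a node the model does not have at all.
NEW_PATH_REQUEST = {"profile/role": "root"}


if __name__ == "__main__":
    print("request-driven:", bind_request_driven(make_user(), INJECTED_REQUEST))
    print("form-driven:   ", bind_form_driven(make_user(), INJECTED_REQUEST))
    print("lenient create of new subtree:",
          bind_request_driven(make_user(), NEW_PATH_REQUEST, create=True))
    print("strict binding rejects new path:", strict_binding_rejects(NEW_PATH_REQUEST))
```

Running it shows the request-driven binder happily overwriting `permissions` and, in lenient mode, growing a brand-new `profile/role` subtree, while the form-driven binder only ever touches `address/zipCode`. Note that turning lenient mode off only blocks writes under nodes that do not exist yet; it does nothing against the `permissions` parameter, because that node is already there. The protection comes from binding being driven by the form definition, not from the strictness of the path setter.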


