From: "Konstantin Piroumian"
Subject: Re: Lenient Woody Binding
Date: Mon, 1 Sep 2003 16:30:36 +0400

From: "Marc Portier"

> Konstantin Piroumian wrote:
> > From: "Marc Portier"
> >
> >>Hi all,
> >>
> >> ...
> >
> > There is also an option to use:
> >
> > context.createPathAndSetValue("address/zipCode", "90190");
> >
>
> nice to know!
>
> > to avoid NPEs or setting the lenient mode.
> > This way you can be sure that the
> > specified path will be created and the value is set to it. Though, I'm not
> > sure if it's a good idea from security POV.
>
> why would you think it harms security?

Don't know how Woody works, but if you use automatic binding then it's
possible that the user could send parameters like this:

/user/permissions=MyNewPermission

or something like that and modify things that he should not be able to touch
normally. Not sure if this is a good example, but anyway I don't like the
idea of allowing the user to create and set any desired values.

--
Konstantin
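
The concern raised in the message above, as an added example that is not part of the original message and is not Cocoon or Woody code: a binder that creates any path named by a request parameter, next to one that binds only the paths the form declares. The names `createPathAndSet`, `bindAll` and `bindDeclared` are hypothetical, and the model is a tree of nested maps standing in for the real bound object.

```java
import java.util.*;

public class BindingDemo {
    // Hypothetical stand-in for a create-path-and-set binder: walks a
    // slash-separated path over nested maps, creating missing nodes.
    @SuppressWarnings("unchecked")
    static void createPathAndSet(Map<String, Object> root, String path, Object value) {
        String[] steps = path.replaceAll("^/+", "").split("/");
        Map<String, Object> node = root;
        for (int i = 0; i < steps.length - 1; i++) {
            node = (Map<String, Object>) node.computeIfAbsent(
                    steps[i], k -> new HashMap<String, Object>());
        }
        node.put(steps[steps.length - 1], value);
    }

    // Lenient binding: every request parameter name is trusted as a model path.
    static void bindAll(Map<String, Object> model, Map<String, String> params) {
        params.forEach((path, value) -> createPathAndSet(model, path, value));
    }

    // Restricted binding: only paths the form definition declares are bound;
    // everything else is returned so it can be logged and rejected.
    static List<String> bindDeclared(Map<String, Object> model,
                                     Map<String, String> params,
                                     Set<String> declared) {
        List<String> rejected = new ArrayList<>();
        params.forEach((path, value) -> {
            String p = path.replaceAll("^/+", "");
            if (declared.contains(p)) createPathAndSet(model, p, value);
            else rejected.add(path);
        });
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed request: one expected field plus the parameter from the message.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("address/zipCode", "90190");
        params.put("/user/permissions", "MyNewPermission");

        Map<String, Object> lenient = new HashMap<>();
        bindAll(lenient, params);
        System.out.println("lenient model:    " + lenient);

        Map<String, Object> strict = new HashMap<>();
        List<String> rejected = bindDeclared(strict, params, Set.of("address/zipCode"));
        System.out.println("restricted model: " + strict);
        System.out.println("rejected paths:   " + rejected);
    }
}
```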