cocoon-dev mailing list archives

From Sylvain Wallez <>
Subject Re: variable substitution in @type attributes
Date Wed, 04 Feb 2004 15:40:36 GMT
Carsten Ziegeler wrote:

> I think one major point is security, or more precisely: to detect possible problems early
> on. If you now use a wrong type information, which means address a component that doesn't
> exist, you get an exception immediately on startup. So, you know very early that your application
> is not correct.
> With a dynamic type attribute you defer this to a much later point which might be dangerous
> as well and very hard to find.

Moreover, the use case shows a component type coming directly from the 
request URI, which is a giant door open to "component injection" by 
providing a value for the type that is not in the expected values and 
executes arbitrary code on the server.


Sylvain Wallez                                  Anyware Technologies 
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance  -
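
The two concerns raised in this message, early failure on an unknown type and a type chosen by the request URI, can both be handled by resolving a request-supplied type only through a fixed allowlist that is checked at startup. The sketch below is an added example, not part of the original message and not Cocoon code; the class `TypeAllowlist`, the `Component` interface, the `DECLARED` map and the type names are all hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

// Added illustration, not Cocoon code: every name here is hypothetical.
public class TypeAllowlist {
    interface Component { String run(); }

    // Stand-in for the component types declared in the application's configuration.
    static final Map<String, Supplier<Component>> DECLARED = Map.of(
        "html", () -> () -> "serialized as html",
        "pdf", () -> () -> "serialized as pdf",
        "admin-script", () -> () -> "runs a server-side script");

    // Types a request is allowed to choose; fixed at deploy time.
    private final Set<String> selectable;

    TypeAllowlist(Set<String> selectable) {
        // Startup check: an allowlisted type that is not declared fails here,
        // not on the first request that happens to use it.
        for (String t : selectable) {
            if (!DECLARED.containsKey(t)) {
                throw new IllegalStateException("unknown component type in allowlist: " + t);
            }
        }
        this.selectable = Set.copyOf(selectable);
    }

    Component resolve(String typeFromUri) {
        // Exact match only: no trimming, no case folding, no fallback to a default.
        if (typeFromUri == null || !selectable.contains(typeFromUri)) {
            throw new IllegalArgumentException("component type not selectable from a request");
        }
        return DECLARED.get(typeFromUri).get();
    }

    public static void main(String[] args) {
        TypeAllowlist types = new TypeAllowlist(Set.of("html", "pdf"));
        // Constructed sample values standing in for the URI-derived type.
        for (String t : new String[] {"pdf", "admin-script", "PDF", "../x"}) {
            try {
                System.out.println(t + " -> " + types.resolve(t).run());
            } catch (IllegalArgumentException e) {
                System.out.println(t + " -> rejected");
            }
        }
    }
}
```

Here `admin-script` is a declared component but is still rejected, because being declared and being selectable from a request are separate decisions.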
