cocoon-dev mailing list archives

From Sylvain Wallez <sylv...@apache.org>
Subject Re: variable substitution in @type attributes
Date Wed, 04 Feb 2004 15:40:36 GMT
Carsten Ziegeler wrote:

>I think one major point is security, or more precisely: to detect possible problems early on. If you now use wrong type information, which means addressing a component that doesn't exist, you get an exception immediately on startup. So, you know very early that your application is not correct.
>
>With a dynamic type attribute you defer this to a much later point which might be dangerous as well and very hard to find.

Moreover, the use case shows a component type coming directly from the 
request URI, which is a giant door open to "component injection" by 
providing a value for the type that is not in the expected values and 
executes arbitrary code on the server.

Sylvain

-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance  -  http://www.orixo.com
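
An added example, not part of the original message and not Cocoon's own code: one way to keep the fail-at-startup check discussed above while still accepting a request-derived type, by validating it against a per-element allow-list. `TypeResolver`, its methods and the component names are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

// Hypothetical sketch (not Cocoon's API): resolves a sitemap @type value to a component.
public class TypeResolver {
    // Components declared in configuration; nothing else can be instantiated through here.
    private final Map<String, Supplier<Object>> declared;

    public TypeResolver(Map<String, Supplier<Object>> declared) {
        this.declared = Map.copyOf(declared);
    }

    // Static @type: checked once at startup, so a wrong name fails immediately.
    public void checkStatic(String type) {
        if (!declared.containsKey(type)) {
            throw new IllegalStateException("Unknown component type in sitemap: " + type);
        }
    }

    // Startup check for a dynamic @type: every value the author allows must be declared.
    public void checkAllowed(Set<String> allowedHere) {
        allowedHere.forEach(this::checkStatic);
    }

    // Dynamic @type: the value comes from the request, so it is only ever compared
    // against the allow-list for this element and never used as a class or role name.
    public Object resolveDynamic(String requested, Set<String> allowedHere) {
        if (requested == null || !allowedHere.contains(requested)
                || !declared.containsKey(requested)) {
            throw new IllegalArgumentException("Component type not allowed for this step");
        }
        return declared.get(requested).get();
    }

    public static void main(String[] args) {
        // Constructed sample components; the strings stand in for real instances.
        TypeResolver r = new TypeResolver(Map.of(
            "file", () -> "FileGenerator",
            "directory", () -> "DirectoryGenerator",
            "admin-export", () -> "AdminExportGenerator"));
        Set<String> allowed = Set.of("file", "directory");
        r.checkAllowed(allowed);                        // passes at startup
        System.out.println(r.resolveDynamic("file", allowed));
        for (String bad : new String[] {"admin-export", "com.example.Anything"}) {
            try { r.resolveDynamic(bad, allowed); }
            catch (IllegalArgumentException e) { System.out.println(bad + " -> rejected"); }
        }
    }
}
```

A declared component that is not on the element's allow-list is rejected just like an undeclared one, so the request can only select among values the sitemap author listed.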


