cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antonio Gallardo" <agalla...@agssa.net>
Subject Re: Possible security problem with flowscript
Date Sat, 16 Oct 2004 22:21:43 GMT
Leszek Gawron dijo:
> Niklas Eklund wrote:
>> Rob Berens wrote:
>>
>>> Carsten Ziegeler wrote:
>>>
>>>> Hmm, I might be wrong, but does this really protect you?
>>>> If you have a flow that is usable by not authenticated users,
>>>> you run into the same problem I think.
>>>>
>>>
>>> I see, you are right. A unauthorized user can get access to the
>>> continuation
>>> by adding the continuation parameter to another request he is
>>> authorized
>>> for.
>>
>>
>> I have solved a similar problem in an application by using a wrapped
>> sendPage() like:
>>
>> function w_sendPage(x, y, z) {
>>   var currentUser = getCurrUser(); // userPrincipal/remoteUser/whatever
>>   sendPage(x, y, z);
>>   if (currentUser != getCurrUser()) {
>>      throw "Bad boy!";
>>   }
>> }
> It's nice but does not work for cforms.

I think you mean, when you are inside the cforms (while the user do the
second cform request to validate de user data.... please see this pieces
of code. We use something very similar in flow:

function createform(form) {
    if (authorise("resourceName")) {
        form.showForm("my-form-display");
    }
}

On the sitemap we use to put everything inside an internal pipeline and
just one "external" pipeline:

<map:pipeline>
  <map:match pattern="*">
    <map:call function="protect">
      <map:parameter name="handler" value="authhandler"/>
      <map:parameter name="protected-internal" value="{1}"/>
      <map:parameter name="failure-redirect" value="/entrada?resource={1}"/>
    </map:call>
  </map:match>
</map:pipeline>

Note that what everthing that is coming in is checked.


Of course that if the session is also hijacket it will not work too. But I
think this is another story..... ;-)

...Maybe, we can add a user validation handler inside the cforms. But this
solution (at first sight) is not too "clean" to my taste. Because we need
to write validation handler for each form => more boring code :( I don't
like that at all!

...This works for us. But I think we need to test that in the Carsten
case. I think it could past the test.

Best Regards,

Antonio Gallardo

Mime
View raw message