cocoon-dev mailing list archives
From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 12:00:33 GMT
I have implemented a fix for that. Please see
http://marc.theaimsgroup.com/?l=xml-cocoon-dev&m=109768021416304&w=2
and http://issues.apache.org/bugzilla/show_bug.cgi?id=31676

The continuations get stored in session. This way the continuation can be 
resumed only for the same session.

Still waiting for the patch to be applied. It would be best if the user could 
choose a continuations manager implementation in the build configuration.

	lg

Jeremy Quinn wrote:
> Hi Carsten,
> 
> I can concur.
> I found this out recently to my surprise, when I realised any sitemap 
> continuation handler (using a request parameter) would handle any 
> continuation it received, regardless of where it came from.
> It was actually useful to me at the time, but I had not considered the 
> security implications!!
> 
> regards Jeremy
> 
> On 15 Oct 2004, at 12:39, Carsten Ziegeler wrote:
> 
>> Today we came across a possible security problem when you use flow
>> script. We tested the following example with 2.1.5.1 and the
>> current 2.1.x branch. Here is a simple example:
>>
>> We have two areas in our web application, one is available for every
>> user and one area is only accessible for authenticated users.
>> We create two sub sitemaps - one for each area. Both are using
>> flow with different scripts. The second sitemap is protected
>> by using the authentication framework (how the authentication
>> is done is actually not important).
>> In each sitemap we have a matcher for the continuation id:
>>
>> Sitemap for global area:
>>  - mounted at /global
>>  - flowscript global.js
>>  - matcher for continuation id
>>    <map:match pattern="continue.*">
>>        <map:call continuation="{1}"/>
>>    </map:match>
>>
>> Sitemap for protected area:
>>  - mounted at /protected
>>  - flowscript protected.js
>>  - matcher for continuation id
>>    <map:match pattern="*.cont">
>>        <map:call continuation="{1}"/>
>>    </map:match>
>>
>> Now, if someone is able to pick up a valid continuation id for the protected
>> area, it is possible to continue the flow script in "protected.js" by
>> calling: "/global/continue.CONT_ID".
>> Which means there isn't any further check whether the continuation id belongs
>> to the sitemap or to the JavaScripts used in that sitemap.
>> And flow is able to continue the script without any problems.
>>
>> So it seems that it would be good if we would have some further checks.
>> I think, it would be good if flow would check if the continuation id
>> belongs to the sitemap where the map:call is performed. Currently the
>> ids are global and not on a per sitemap level.
>> Or we store the continuations in the session. Or?
>>
>>
>> Carsten
>>
>> Carsten Ziegeler
>> Open Source Group, S&N AG
>> http://www.s-und-n.de
>> http://www.osoco.net/weblogs/rael/
>>
>>
> --------------------------------------------------------
> 
>                   If email from this address is not signed
>                                 IT IS NOT FROM ME
> 
>                         Always check the label, folks !!!!!
> --------------------------------------------------------
> 


-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
