cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 12:25:32 GMT
Torsten Curdt wrote:
>> Today we came across a possible security problem when you use flow
>> script. We tested the following example with 2.1.5.1 and the
>> current 2.1.x branch. Here is a simple example:
>>
>> We have two areas in our web application, one is available for every
>> user and one area is only accessible for authenticated users.
>> We create two sub sitemaps - one for each area. Both are using
>> flow with different scripts. The second sitemap is protected
>> by using the authentication framework (how the authentication
>> is done is actually not important).
> 
> 
> ...but that *is* important: if you would be using a flow based
> authentication mechanism this is not a problem at all.
> 
> 
>> So it seems that it would be good if we would have some further checks.
>> I think, it would be good if flow would check if the continuation id
>> belongs to the sitemap where the map:call is performed. Currently the
>> ids are global and not on a per sitemap level.
> 
> 
> We could create a continuation manager per sitemap. ...but
> I am not really sure whether this is a good idea to make
> this the default.
Is there a possibility to attach some "attributes" to a sitemap? I mean, for
example, a continuations holder?

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
