Torsten Curdt wrote:
>> Today we came across a possible security problem when you use flow
>> script. We tested the following example with 2.1.5.1 and the
>> current 2.1.x branch. Here is a simple example:
>>
>> We have two areas in our web application, one is available for every
>> user and one area is only accessible for authenticated users.
>> We create two sub sitemaps - one for each area. Both are using
>> flow with different scripts. The second sitemap is protected
>> by using the authentication framework (how the authentication
>> is done is actually not important).
>
>
> ...but that *is* important: if you would be using a flow based
> authentication mechanism this is not a problem at all.
>
>
>> So it seems that it would be good if we would have some further checks.
>> I think, it would be good if flow would check if the continuation id
>> belongs to the sitemap where the map:call is performed. Currently the
>> ids are global and not on a per sitemap level.
>
>
> We could create a continuation manager per sitemap. ...but
> I am not really sure whether this is a good idea to make
> this the default.
>
>> Or we store the continuations in the session. Or?
Tying the continuations to the session is not a good idea either. For two reasons:
* Flow does not require session - so session might not be there
* Session can be hijacked as easily as continuation:
http://a.b.c/some/page;jsessionID=1234567890
Even tying continuations to the sitemap won't help. Consider this simple snippet:
  <map:pipeline>
    <map:match pattern="protected.*">
      <map:call continuation="{1}"/>
    </map:match>
    <map:match pattern="public.*">
      <map:call continuation="{1}"/>
    </map:match>
  </map:pipeline>
> That would also be an option. On the other hand
> this would make a session mandatory for continuations.
>
> ...which is not necessarily needed.
Exactly.
The real solution to this problem seems to me an authentication check happening in
FOM_JavaScriptInterpreter.handleContinuation. A check in *that* place won't be
possible to "circumvent" - unless you hijack the session, see above.
How about adding pre-function-call and pre-handle-continuation hooks?
Vadim