cocoon-dev mailing list archives

From Niklas Eklund <nik...@curalia.se>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 16:03:01 GMT
Rob Berens wrote:
> Carsten Ziegeler wrote:
>>Hmm, I might be wrong, but does this really protect you?
>>If you have a flow that is usable by not authenticated users,
>>you run into the same problem I think.
>>
> 
> I see, you are right. An unauthorized user can get access to the continuation
> by adding the continuation parameter to another request he is authorized
> for.

I have solved a similar problem in an application by using a wrapped 
sendPage() like:

function w_sendPage(x, y, z) {
   // Remember who is making the request before the flow suspends.
   var currentUser = getCurrUser(); // userPrincipal/remoteUser/whatever
   sendPage(x, y, z);
   // If sendPage() suspended the flow, execution resumes here on the request
   // that carried the continuation id, so getCurrUser() now reflects that
   // request's user. A different user means the continuation was not theirs.
   if (currentUser != getCurrUser()) {
      throw "Bad boy!";
   }
}

Although not perfect, in that application, where authorization is 
mandatory, it stops users from giving/emailing each other links to stuff 
which as you can imagine can cause some problems. This is the poor man's 
version of Vadim's proposed pre-function-call and 
pre-handle-continuation hooks.
This won't stop unauthorized users from "stealing" other unauthorized 
continuations though... but it will stop unauthorized users from using 
authorized continuations.

  Regards,

    Niklas

