cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Fri, 15 Oct 2004 16:21:31 GMT
Niklas Eklund wrote:
> Rob Berens wrote:
> 
>> Carsten Ziegeler wrote:
>>
>>> Hmm, I might be wrong, but does this really protect you?
>>> If you have a flow that is usable by not authenticated users,
>>> you run into the same problem I think.
>>>
>>
>> I see, you are right. An unauthorized user can get access to the continuation
>> by adding the continuation parameter to another request he is authorized for.
> 
> 
> I have solved a similar problem in an application by using a wrapped 
> sendPage() like:
> 
> function w_sendPage(x, y, z) {
>   // Remember which user is running the flow before the page is sent.
>   var currentUser = getCurrUser(); // userPrincipal/remoteUser/whatever
>   sendPage(x, y, z);
>   // Once control comes back, read the user again; if it is no longer the
>   // same one, refuse to continue the flow.
>   if (currentUser != getCurrUser()) {
>      throw "Bad boy!";
>   }
> }
It's nice but does not work for cforms.

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
