cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Wed, 20 Oct 2004 17:15:40 GMT
Carsten Ziegeler wrote:

>>-----Original Message-----
>>From: Vadim Gritsenko [mailto:vadim@reverycodes.com] 
>>Sent: Wednesday, October 20, 2004 3:23 PM
>>To: dev@cocoon.apache.org
>>Subject: Re: Possible security problem with flowscript
>>
>>Carsten Ziegeler wrote:
>>
>>>So what are we going to do about this?
>>
>>Discussion of this mostly moved to bugzilla #31676.
>>
> 
> Which is not a good place to discuss :)
So I will repeat my proposal here. My idea is to implement (nearly done) 
a continuations manager that has 3 levels of security:
- standard (current functionality)
- continuations invalidated along with session, still the continuation 
is reachable from other sessions (or no session at all)
- fully isolated: only the session that created the continuation can 
access it.

For my web applications I would surely go for full isolation so I 
would like to have this option in Cocoon core (so I do not have to patch 
every one of my projects).

Is there any sense in binding continuations to the sitemap? Vadim?

I am very eager to provide a new production-quality continuations 
manager as soon as the final solution gets agreed upon.


-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
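
The three levels proposed in the message above, modelled as a stand-alone JavaScript example added here; it is not code from the thread or from Cocoon. The class, method and level names are hypothetical, the session ids are constructed, and refusing callers that have no session at the isolated level is an assumption of this example.

```javascript
const { randomBytes } = require("crypto");

// Hypothetical names for the three levels proposed in the message.
const Level = Object.freeze({
  STANDARD: "standard",           // current behaviour: the id alone grants access
  SESSION_BOUND: "session-bound", // removed with its session, any caller may resume
  ISOLATED: "isolated",           // only the creating session may resume
});

class ContinuationStore {
  constructor(level) {
    this.level = level;
    this.byId = new Map(); // continuation id -> { owner, state }
  }
  // Store a continuation and return its unguessable id.
  create(sessionId, state) {
    const id = randomBytes(16).toString("hex");
    this.byId.set(id, { owner: sessionId, state });
    return id;
  }
  // Return the saved state, or null if the caller may not resume it.
  lookup(id, callerSessionId) {
    const entry = this.byId.get(id);
    if (!entry) return null;
    if (this.level === Level.ISOLATED &&
        (callerSessionId == null || entry.owner !== callerSessionId)) {
      return null; // same answer as an unknown id, so valid ids are not revealed
    }
    return entry.state;
  }
  // Session listener hook (logout or timeout); returns how many entries were dropped.
  sessionDestroyed(sessionId) {
    if (this.level === Level.STANDARD) return 0; // continuations outlive the session
    let removed = 0;
    for (const [id, entry] of this.byId) {
      if (entry.owner === sessionId) { this.byId.delete(id); removed++; }
    }
    return removed;
  }
}

// Constructed scenario: one session creates a continuation, a second session
// replays its id, then the owner logs out and the id is replayed with no session.
function replay(level) {
  const store = new ContinuationStore(level);
  const id = store.create("sess-alice", { step: "confirm-order" });
  const otherSession = store.lookup(id, "sess-mallory") !== null;
  const owner = store.lookup(id, "sess-alice") !== null;
  store.sessionDestroyed("sess-alice");
  return { otherSession, owner, afterLogout: store.lookup(id, null) !== null };
}
```

Calling `replay` with each level shows the difference: the standard level accepts all three lookups, the session-bound level rejects only the replay after logout, and the isolated level accepts only the owning session.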
