cocoon-dev mailing list archives

From Vadim Gritsenko <va...@reverycodes.com>
Subject Re: Possible security problem with flowscript
Date Wed, 20 Oct 2004 19:47:53 GMT
Leszek Gawron wrote:
> Carsten Ziegeler wrote:
> 
>>
>>> -----Original Message-----
>>> From: Vadim Gritsenko [mailto:vadim@reverycodes.com]
>>> Sent: Wednesday, October 20, 2004 3:23 PM
>>> To: dev@cocoon.apache.org
>>> Subject: Re: Possible security problem with flowscript
>>>
>>> Carsten Ziegeler wrote:
>>>
>>>> So what are we going to do about this?
>>>
>>>
>>> Discussion of this mostly moved to bugzilla #31676.
>>>
>>
>> Which is not a good place to discuss :)
> 
> So I will repeat my proposal here. My idea is to implement (nearly done) 
> a continuations manager that has 3 levels of security:
> - standard (current functionality)
> - continuations invalidated along with session, still the continuation 
> is reachable from other sessions (or no session at all)
> - fully isolated. only the session that created the continuation can 
> access it.
> 
> For my web applications I would surely go for full isolation, so I 
> would like to have this option in cocoon core (so I do not have to patch 
> every one of my projects).
> 
> Is there any sense to bind continuations to the sitemap? Vadim?

I don't have objections against it. It probably makes sense to always bind 
continuations at least to the sitemap instance. Binding to session should be 
optional.

Vadim
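
The three levels proposed in this thread, combined with the sitemap binding suggested in the reply, sketched as an added example that is not part of the original message and is not Cocoon code. The class, policy and method names are hypothetical, and "standard" is assumed here to mean that no session check is applied.

```javascript
// Added illustration; not Cocoon code. All names here are hypothetical.
const { randomBytes } = require("crypto");

const Policy = Object.freeze({
  STANDARD: "standard",                 // assumed: no session check at all
  SESSION_LIFETIME: "session-lifetime", // dropped with its session, but reachable from others
  ISOLATED: "isolated",                 // only the creating session may resume
});

class ContinuationStore {
  constructor(policy) {
    this.policy = policy;
    this.entries = new Map(); // id -> { state, sitemapId, sessionId }
  }

  create(state, sitemapId, sessionId) {
    const id = randomBytes(16).toString("hex"); // unguessable continuation id
    this.entries.set(id, { state, sitemapId, sessionId });
    return id;
  }

  // Returns the saved state, or null when the lookup must be refused.
  lookup(id, sitemapId, sessionId) {
    const e = this.entries.get(id);
    if (!e) return null;
    // Every level: a continuation is bound to the sitemap that created it.
    if (e.sitemapId !== sitemapId) return null;
    // Full isolation: a missing or different session is refused.
    if (this.policy === Policy.ISOLATED &&
        (sessionId == null || e.sessionId !== sessionId)) return null;
    return e.state;
  }

  // Call from the session-expiry hook; returns how many entries were dropped.
  invalidateSession(sessionId) {
    if (this.policy === Policy.STANDARD) return 0;
    let removed = 0;
    for (const [id, e] of this.entries) {
      if (e.sessionId === sessionId) {
        this.entries.delete(id);
        removed++;
      }
    }
    return removed;
  }
}
```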
