From: Leszek Gawron <lgawron@mobilebox.pl>
To: dev@cocoon.apache.org
Date: Wed, 20 Oct 2004 20:33:51 +0200
Subject: Re: Possible security problem with flowscript
Message-ID: <4176AF8F.7060100@mobilebox.pl>

Carsten Ziegeler wrote:
> "Leszek Gawron" wrote:
>
>>Carsten Ziegeler wrote:
>>
>>
>>>Which is not a good place to discuss :)
>>
>>So I will repeat my proposal here.
>>My idea is to implement (nearly done)
>>a continuations manager that has 3 levels of security:
>>- standard (current functionality)
>>- continuations invalidated along with session, still the continuation
>>is reachable from other sessions (or no session at all)
>>- fully isolated: only the session that created the continuation can
>>access it.
>>
>>For my web applications I would surely go for full isolation so I
>>would like to have this option in cocoon core (so I do not have to patch
>>every one of my projects).
>>
>>Is there any sense to bind continuations to the sitemap? Vadim?
>>
>
> Yes, I really think so. IMHO it is simply wrong to continue a script in a
> sitemap where it hasn't been declared - and as soon as the flow script tries
> to address relative resources it won't work anyway.

Just one more question: should this be an option to maintain compatibility?

-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                                 http://www.mobilebox.pl
mobile: +48 (501) 720 812                          fax: +48 (61) 853 29 65
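The three isolation levels and the sitemap binding discussed in this thread, sketched as a self-contained Java program. This is an added illustration, not Cocoon's ContinuationsManager and not Leszek's patch; the class names, the `Isolation` enum, the `bindToSitemap` compatibility switch and the sample session/sitemap identifiers are all assumptions chosen for the demo. The point it makes concrete: under the standard policy a continuation id is a bearer token that any request (from another session, or no session at all) can resume; invalidating on session end closes the window after logout but not during the session; only full isolation ties the lookup to the creating session, and that policy has to refuse continuations created outside a session, otherwise any sessionless request would match the null owner.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/** Hypothetical model of the proposed isolation levels (not Cocoon code). */
public class ContinuationIsolationDemo {

    /** The three levels named in the thread; enum and names are assumptions. */
    enum Isolation { STANDARD, SESSION_INVALIDATED, FULLY_ISOLATED }

    static final class Continuation {
        final String id;
        final String ownerSessionId;  // null when created by a request without a session
        final String sitemapUri;      // sitemap whose flowscript created it
        boolean valid = true;
        Continuation(String id, String ownerSessionId, String sitemapUri) {
            this.id = id; this.ownerSessionId = ownerSessionId; this.sitemapUri = sitemapUri;
        }
    }

    static final class ContinuationsManager {
        private final Isolation level;
        private final boolean bindToSitemap;  // compatibility switch for the sitemap check
        private final Map<String, Continuation> byId = new HashMap<>();
        private final Map<String, List<Continuation>> bySession = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        ContinuationsManager(Isolation level, boolean bindToSitemap) {
            this.level = level; this.bindToSitemap = bindToSitemap;
        }

        /** Register a new continuation; the id is an unguessable 128-bit random token. */
        Continuation create(String sessionId, String sitemapUri) {
            if (level == Isolation.FULLY_ISOLATED && sessionId == null) {
                // Caveat: without this, Objects.equals(null, null) in lookup() would let any
                // sessionless request resume a continuation created outside a session.
                throw new IllegalStateException("full isolation requires a session");
            }
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            StringBuilder sb = new StringBuilder();
            for (byte b : raw) sb.append(String.format("%02x", b));
            Continuation c = new Continuation(sb.toString(), sessionId, sitemapUri);
            byId.put(c.id, c);
            if (sessionId != null) bySession.computeIfAbsent(sessionId, k -> new ArrayList<>()).add(c);
            return c;
        }

        /** Resolve an id for a request arriving in the given session and sitemap; null = refuse. */
        Continuation lookup(String id, String sessionId, String sitemapUri) {
            Continuation c = byId.get(id);
            if (c == null || !c.valid) return null;
            if (bindToSitemap && !c.sitemapUri.equals(sitemapUri)) return null;
            if (level == Isolation.FULLY_ISOLATED && !Objects.equals(c.ownerSessionId, sessionId)) return null;
            return c;
        }

        /** Hook for a session listener: drop everything the ended session owned. */
        void sessionDestroyed(String sessionId) {
            if (level == Isolation.STANDARD) return;  // standard policy keeps them alive
            List<Continuation> owned = bySession.remove(sessionId);
            if (owned == null) return;
            for (Continuation c : owned) { c.valid = false; byId.remove(c.id); }
        }
    }

    public static void main(String[] args) {
        for (Isolation level : Isolation.values()) {
            ContinuationsManager mgr = new ContinuationsManager(level, true);
            // "sessA"/"sessB" and the sitemap URIs are constructed sample values.
            Continuation c = mgr.create("sessA", "/app/sitemap.xmap");
            boolean otherSession = mgr.lookup(c.id, "sessB", "/app/sitemap.xmap") != null;
            boolean noSession    = mgr.lookup(c.id, null,    "/app/sitemap.xmap") != null;
            boolean otherSitemap = mgr.lookup(c.id, "sessA", "/other/sitemap.xmap") != null;
            mgr.sessionDestroyed("sessA");
            boolean afterEnd     = mgr.lookup(c.id, "sessA", "/app/sitemap.xmap") != null;
            System.out.printf("%-19s otherSession=%-5b noSession=%-5b otherSitemap=%-5b afterSessionEnd=%b%n",
                    level, otherSession, noSession, otherSitemap, afterEnd);
        }
    }
}
```

Running `main` prints one line per level. With STANDARD the continuation resumes from another session, from no session, and after the owning session has ended; SESSION_INVALIDATED only changes the last of those; FULLY_ISOLATED refuses all three. The sitemap check is independent of the level and is the thing the compatibility question in the message is about, which is why it is a separate constructor flag here rather than a fourth level.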