cocoon-dev mailing list archives

From Leszek Gawron <lgaw...@mobilebox.pl>
Subject Re: Possible security problem with flowscript
Date Mon, 01 Nov 2004 08:48:55 GMT
Sylvain Wallez wrote:
> Leszek Gawron wrote:
> 
>> Vadim Gritsenko wrote:
>>
>>>> How can I retrieve that ID? I could implement a test version for 
>>>> Carsten.
>>>
>>>
>>>
>>> It is in AbstractInterpreter.getInterpreterID()
>>
>>
>> Some problems coming. Is there any reason why 
>> Interpreter.getInterpreterID() doesn't exist? Also 
>> AbstractInterpreter.getInterpreterID() is protected. I have to make it 
>> public. The thing is: should I also move the method declaration to the interface?
> 
> 
> 
> This method was added for internal needs of the interpreter ID. If it 
> proves to be needed also to properly implement continuation management, 
> then +1 for adding it to the interface.
> 
>> Next: From what I've got from reading the code, I cannot query for 
>> the Interpreter in ContinuationsManager.
> 
> 
> 
> Yep, because a ContinuationManager manages several interpreters.
> 
>> The only place where interpreter is available is FOM_Cocoon which 
>> means I have to change ContinuationsManager.createWebContinuation 
>> signature to pass the interpreterID along with current parameters. 
>> This change affects all flow implementations. Am I right?
> 
> 
> 
> Isn't it all ContinuationsManager implementations that are changed?
> 
> Sylvain
> 
There is one ContinuationsManager implementation 
(ContinuationsManagerImpl). In the case of the JavaScript flow it is 
FOM_Cocoon that creates continuations:

> public FOM_WebContinuation makeWebContinuation(Continuation k,
>                                                FOM_WebContinuation parent,
>                                                int timeToLive)
>     throws Exception {
>     if (k == null) {
>         return null;
>     }
>     WebContinuation wk;
>     ContinuationsManager contMgr;
>     contMgr = (ContinuationsManager)
>         getServiceManager().lookup(ContinuationsManager.ROLE);
>     wk = contMgr.createWebContinuation(unwrap(k),
>                                        (parent == null ? null : parent.getWebContinuation()),
>                                        timeToLive,
>                                        null);
>     FOM_WebContinuation result = new FOM_WebContinuation(wk);
>     result.setParentScope(getParentScope());
>     result.setPrototype(getClassPrototype(getParentScope(),
>                                           result.getClassName()));
>     return result;
> }

the change would be:
wk = contMgr.createWebContinuation(
               unwrap(k),
               (parent == null ? null : parent.getWebContinuation()),
               timeToLive,
               null,
               getInterpreter().getInterpreterID());

Is it OK to change ContinuationsManager interface then?

In the case of JavaFlow it is the interpreter itself that creates 
continuations. See 
o.a.c.components.flow.java.JavaInterpreter.callFunction (a little bit too 
long to paste).

	lg
-- 
Leszek Gawron                                      lgawron@mobilebox.pl
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
