cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johan Stuyts" <j.stu...@hippo.nl>
Subject RE: Possible security problem with flowscript
Date Thu, 02 Dec 2004 15:14:05 GMT
Hi,

Sorry about reacting to this thread after one month of inactivity, but we recently switched
to a Cocoon version which includes this fix. I have tried refactoring our application, but
it was more work than I expected.

Having an option to turn this behaviour on or off would really make things easier for me.
Our application can run as it is and from the warnings in the log I can determine what should
be changed. Using these warnings I can gradually make our application compliant with sitemap-bound
continuations.

I propose to change the current code in ContinuationsManagerImpl to this code. As you can
see the warnings will always be added to the log as an incentive to make changes to code which
still uses shared continuations:
    public WebContinuation lookupWebContinuation(String id, String interpreterId) {
        WebContinuation kont = (WebContinuation) idToWebCont.get(id);
        if ( kont != null ) {
            boolean interpreterMatches = kont.interpreterMatches(interpreterId);
            if (!interpreterMatches && getLogger().isWarnEnabled()) {
                getLogger().warn("WK: Continuation (" + kont.getId() 
                                 + ") lookup for wrong interpreter. Bound to: " 
                                 + kont.getInterpreterId() + ", looked up for: " 
                                 + interpreterId);
            }
>>>>        return interpreterMatches || allowBackwardCompatibleContinuationSharing
? kont : null;
        }
        return null;
    }

'allowBackwardCompatibleContinuationSharing' will be a configuration option which defaults
to 'false'.

If nobody objects I will make the changes, create patches and add a new bug for this.

Johan Stuyts
Hippo

> -----Original Message-----
> From: Carsten Ziegeler [mailto:cziegeler@apache.org]
> Posted At: donderdag 21 oktober 2004 9:49
> Posted To: Cocoon Dev List
> Conversation: Possible security problem with flowscript
> Subject: RE: Possible security problem with flowscript
> 
> 
>  
> Leszek Gawron wrote:
> > >>Is there any sense to bind continuations to the sitemap? Vadim?
> > >>
> > > 
> > > Yes, I really think so. IMHO it is simply wrong to continue 
> > a script 
> > > in a sitemap where it hasn't been declared - and as soon as 
> > the flow 
> > > script tries to address relative resources it won't work anyway.
> >
> > Just one more question: should this be an option to maintain 
> > compatibility?
> > 
> I don't think so, imho it's a bug - in most cases the script breaks
> as soon as a pipeline is invoked - or other relative resources are
> fetched.
> 
> Carsten
> 
> 

Mime
View raw message