cocoon-users mailing list archives

From Pierre.Da...@cec.eu.int
Subject RE: [Cocoon Users] Re: Xalan and Cocoon gives different result for some XSL
Date Tue, 26 Sep 2000 10:06:36 GMT
It was a tease... :)

On the other hand, we must be sure not to have sensitive information in our
pages, such as login/passwords, IP addresses and ports of databases, ...
We must always ask the question: what would be possible to do with my page
if I was a "malicious" user (having access to the source or not): changing
parameters, sending wrong information via Post, etc...  

I've seen very nice applications accepting weird parameters, crashing (or
deleting records) when passing some IDs, etc...  Session and transaction IDs


Protecting the source is rarely a full solution (but I do agree that an
application in production should not unveil its sources to others than the
administrators of it).

Pierre A.

-----Original Message-----
From: Stephen Zisk [mailto:szisk@mediabridge.net]
Sent: Friday, 22 September 2000 21:53
To: cocoon-users@xml.apache.org
Subject: RE: [Cocoon Users] Re: Xalan and Cocoon gives different result
for some XSL



>Isn't that what Open Source means ?
>
>Pierre A.

I'm not sure whether to take this as a tease or not. Ah, well! My friends 
say I'm too serious anyway.

The fact that Cocoon itself is open source does not mean you want to 
display the source XML file to all end users who request it. Cocoon should 
be able to manage things on sites where security and privacy have value.

Specifically, if you are trying to implement any kind of user or role 
separation, managing private user data, etc., by storing info in an XML file 
being served by Cocoon, or if you implement security using xsp code, you 
may want the transformed file to be served to the end user but not the 
source XML.

Of course, masking the XML source cannot make up for lazy design or poorly 
implemented security, but exposing the source may be a potential unlocked 
door for knob twisters.

Regards,
----------
Stephen Zisk                      MediaBridge Technologies
email:  szisk@mediabridge.net     100 Nagog Park
tel:    978-795-7040              Acton, MA 01720    USA
fax:    978-795-7100              http://www.mediabridge.net

