cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tony Collen <>
Subject Re: cocoon-view as possible security problem?
Date Fri, 21 Mar 2003 17:50:53 GMT
On Fri, 21 Mar 2003, Geoff Howard wrote:


> >>So, at the end, I would do:
> >>
> >>1) turn off views from the default sitemap. NOTE: this will turn off the
> >>ability to make static snapshots of your webapp from the cocoon CLI!

Well, this is obviously not good for us... so...

> >>2) write a pretty detailed comment in the default sitemap telling what
> >>views are, how they work briefly and what potential security issues do
> >>they make.

This is probably the best idea.  I would *really* hope someone who is
deploying Cocoon in a production environment would at least be able to
read the sitemap in this spot :^)

> >>3) keep the view parameter name hardcoded as it is.
> >>
> >>Thoughts? anybody against this?

In retrospect, my idea for being able to change the parameters was not a
good idea... and it would add unneeded complexity to everything.  #2 is
the best (and easiest) IMO.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message