cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sylvain Wallez <sylvain.wal...@anyware-tech.com>
Subject Re: cocoon-view as possible security problem? (fwd)
Date Fri, 21 Mar 2003 12:04:41 GMT
Tony Collen wrote:

>forwarding this to -users because i am having a little bit of lag and
>mistyped the address the first time :P
>  
>

Have a look at my answer on cocoon-dev :
http://marc.theaimsgroup.com/?l=xml-cocoon-dev&m=104823479001495&w=2

Sylvain

>---------- Forwarded message ----------
>Date: Thu, 20 Mar 2003 16:14:31 -0500 (EST)
>From: Tony Collen <tcollen@neuagency.com>
>Reply-To: cocoon-dev@xml.apache.org
>To: coocon-users@xml.apache.org
>Cc: cocoon-dev@xml.apache.org
>Subject: cocoon-view as possible security problem?
>
>Browsing the livesites, on a whim I tried this URL:
>
>http://dir.salon.com/?cocoon-view=content
>
>and it worked!  Obviously someone deploying Cocoon should be aware that
>this view is "on" by default, and may reveal data in your page you might
>not want.  I have yet to see "bad" data get exposed, but there's always
>the possibility.
>
>Do we want the views turned off by default, and have a message in the
>sitemap about enabling the views?  Would it make more sense to have
>thename of the "cocoon-view" parameter be able to be changed via
>configuration?  Say I wanted the parameter to be my-view instead of
>cocoon-view.  Security through obscurity?
>
>
>Tony
>
>
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: cocoon-users-unsubscribe@xml.apache.org
>For additional commands, e-mail: cocoon-users-help@xml.apache.org
>
>  
>


-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }



---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-users-unsubscribe@xml.apache.org
For additional commands, e-mail: cocoon-users-help@xml.apache.org


Mime
View raw message