I've been looking at a possible security risk in page flows.  At the moment,
I don't think we have an actual security hole, but I think we have a
situation where we could create one very easily.

The issue is that there are a number of public properties on the
PageFlowController class.  There are public getters that give access to low
level structures.  For example, you can get the ModuleConfig from Struts,
the ActionForm, ActionServlet, the map of shared flows, etc.  This issue
arises because you can submit a form that contains a hidden field that would
update these data items.

  <netui:form action="submit">
    <netui:hidden dataSource="pageFlow.moduleConfig.prefix" dataInput="value"/>
    <netui:button value="submit" />
  </netui:form>

In the above code, this could modify the Struts ModuleConfig structure and
set the prefix value to "value".

In fact, in looking around at this for a little while, I couldn't find
anything you can do that is destructive.  The Struts config information is
frozen, so the code above results in an IllegalStateException.  Access to
the shared flow Map is luckily illegal when the expressions are being
updated.

I think that it's purely happenstance that we are not exposing a security
hole here. In fact, with a bit more playing around, we might find that we
really are exposing a hole.  We need to prevent page flow updates for these
base class properties.  There seem to be a number of ways we could solve
this:

1) We could prevent all updates to PageFlow.  This is a pretty radical
solution because it's a backward incompatible change.
2) We could create a list of properties that can't be updated.  The list
could be created automatically through reflection.

Right now, I would lean toward 2, but I think we should have more discussion
of this issue.

Thoughts?
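As an added illustration of option 2 (this is not code from the NetUI page flow runtime), the guard below builds the blocked property list by reflection over a hypothetical stand-in for the page flow base class and screens update expressions such as the one in the hidden field above; BasePageFlow, UpdateGuard and the sample expressions are assumptions made for the example:

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical stand-in for the page flow base class: the low-level getters are what matter. */
class BasePageFlow {
    public Object getModuleConfig() { return null; }
    public Object getActionForm() { return null; }
    public Object getSharedFlows() { return null; }
}

/** Blocks form-driven update expressions that start at a base class property (option 2). */
final class UpdateGuard {
    private final Set<String> blocked;

    UpdateGuard(Class<?> baseClass) throws IntrospectionException {
        Set<String> names = new HashSet<>();
        // Every property the base class exposes is off-limits, setter or not: an expression
        // such as pageFlow.moduleConfig.prefix only needs the getter to reach the inner object.
        // Introspector also reports "class" (from Object.getClass), which is worth blocking too.
        for (PropertyDescriptor pd : Introspector.getBeanInfo(baseClass).getPropertyDescriptors()) {
            names.add(pd.getName());
        }
        blocked = Collections.unmodifiableSet(names);
    }

    /** True if the expression may be applied; only the "pageFlow" context is screened here. */
    boolean isUpdateAllowed(String expression) {
        String[] parts = expression.split("\\.");
        if (parts.length < 2 || !parts[0].equals("pageFlow")) {
            return true;
        }
        return !blocked.contains(parts[1]);
    }

    public static void main(String[] args) throws IntrospectionException {
        UpdateGuard guard = new UpdateGuard(BasePageFlow.class);
        // Constructed sample expressions, as a hidden field's dataSource would supply them;
        // "username" stands for a property an application subclass adds itself.
        String[] samples = {"pageFlow.username", "pageFlow.moduleConfig.prefix", "pageFlow.sharedFlows"};
        for (String expr : samples) {
            System.out.println(expr + " -> " + (guard.isUpdateAllowed(expr) ? "allowed" : "blocked"));
        }
    }
}
```

Running it reports the first expression as allowed and the other two as blocked, which is the behaviour the reflection-built list is meant to give without touching application properties.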
