Konstantin Piroumian wrote:

From: "Marc Portier" <[EMAIL PROTECTED]>


Konstantin Piroumian wrote:


From: "Marc Portier" <[EMAIL PROTECTED]>


Hi all,


...


There is also an option to use:

context.createPathAndSetValue("address/zipCode", "90190");


nice to know!


to avoid NPEs or setting the lenient mode. This way you can be sure that the specified path will be created and the value is set to it. Though, I'm not sure if it's a good idea from security POV.


why would you think it harms security?



Don't know how Woody works, but if you use automatic binding then it's possible that the user could send parameters like this:

/user/permissions=MyNewPermission

or something like that and modify things that he should not be able to touch normally. Not sure if this is a good example, but anyway I don't like the idea of allowing the user to create and set any desired values.


This is a security hole that exists in XMLForm/JXForm but not in Woody:
- XMLForm/JXForm iterates on request parameters and tries to use them as XPath expressions thus allowing any modification of the business model
- Woody traverses the form definition and each form widget gets its corresponding request parameter. It's therefore not possible to modify the business model in a way that is not allowed by the form by injecting additional request parameters.


Sylvain

--
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance  -  http://www.orixo.com
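The two binding strategies Sylvain contrasts, as an added example that is not code from the thread or from Cocoon: `bind_by_request_params` treats every request parameter name as a path into the model (the XMLForm/JXForm behaviour described), while `bind_by_form_definition` only reads the parameters the form declares (the Woody behaviour). The nested-dict model, the slash-separated path syntax standing in for JXPath, and the sample requests are all constructed for this illustration.

```python
def set_path(model: dict, path: str, value: str) -> None:
    """Set `value` at a slash path such as "address/zipCode", creating
    intermediate nodes on the way (the createPathAndSetValue behaviour).
    Constructed stand-in for a JXPath context, not the real API."""
    keys = path.strip("/").split("/")
    node = model
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def bind_by_request_params(model: dict, request: dict) -> dict:
    """Mass-assignment hazard: the client picks which paths are written,
    so any request parameter name becomes a write into the model."""
    for name, value in request.items():
        set_path(model, name, value)
    return model


def bind_by_form_definition(model: dict, widgets: dict, request: dict) -> dict:
    """Safe variant: iterate the form's widgets (widget id -> model path)
    and look each one up in the request; unknown parameters are ignored."""
    for widget_id, path in widgets.items():
        if widget_id in request:
            set_path(model, path, request[widget_id])
    return model


def new_user() -> dict:
    """Constructed sample business object."""
    return {"name": "alice", "permissions": "user", "address": {}}


# Constructed form definition: one widget, bound to address/zipCode.
FORM_WIDGETS = {"zipCode": "address/zipCode"}

# Constructed hostile requests: a legitimate zip code plus an extra
# parameter that tries to rewrite the user's permissions.
HOSTILE_PARAMS_AS_PATHS = {"address/zipCode": "90190", "permissions": "MyNewPermission"}
HOSTILE_PARAMS_AS_WIDGETS = {"zipCode": "90190", "permissions": "MyNewPermission"}

if __name__ == "__main__":
    print(bind_by_request_params(new_user(), HOSTILE_PARAMS_AS_PATHS))
    print(bind_by_form_definition(new_user(), FORM_WIDGETS, HOSTILE_PARAMS_AS_WIDGETS))
```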