On Mon, 2003-09-01 at 18:12, Sylvain Wallez wrote:
> Konstantin Piroumian wrote:
>
> >From: "Marc Portier" <[EMAIL PROTECTED]>
> >
> >
> >>Konstantin Piroumian wrote:
> >>
> >>
> >>>From: "Marc Portier" <[EMAIL PROTECTED]>
> >>>
> >>>
> >>>>Hi all,
> >>>>
> >>>>
> >...
> >
> >
> >>>There is also an option to use:
> >>>
> >>>context.createPathAndSetValue("address/zipCode", "90190");
> >>>
> >>>
> >>nice to know!
> >>
> >>
> >>>to avoid NPEs or setting the lenient mode. This way you can be sure that the
> >>>specified path will be created and the value is set to it. Though, I'm not sure
> >>>if it's a good idea from security POV.
> >>>
> >>>
> >>why would you think it harms security?
> >>
> >>
> >
> >Don't know how Woody works, but if you use automatic binding then it's
> >possible that the user could send parameters like this:
> >
> >/user/permissions=MyNewPermission
or even better, since from JXPath you can call static methods:
"System.exit(0)" :-)
> >
> >or something like that and modify things that he should not be able to touch
> >normally. Not sure if this is a good example, but anyway I don't like the
> >idea of allowing the user to create and set any desired values.
> >
>
> This is a security hole that exists in XMLForm/JXForm but not in Woody:
> - XMLForm/JXForm iterates on request parameters and tries to use them as
> XPath expressions thus allowing any modification of the business model
> - Woody traverses the form definition and each form widget gets its
> corresponding request parameter. It's therefore not possible to modify
> the business model in a way that is not allowed by the form by injecting
> additional request parameters.
>
> Sylvain
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
[EMAIL PROTECTED] [EMAIL PROTECTED]
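The difference Sylvain describes between the two binding strategies, as an added example in Java that is not code from Cocoon, Woody, XMLForm or JXForm. It assumes commons-jxpath on the classpath (the library whose `setValue` the thread talks about); the `User`/`Address` model, the request parameter map and the form definition map are constructed for the demonstration. The first binder does what the thread attributes to XMLForm/JXForm: every request parameter name becomes an XPath into the model. The second does what Woody does: it walks the form definition and each widget fetches only its own parameter, so a parameter the form never declared is simply ignored.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.jxpath.JXPathContext; // commons-jxpath (assumed dependency)

/**
 * Added example, not Cocoon/Woody code. Contrasts binding request
 * parameters straight into a JXPath context with binding driven by a
 * form definition. All model classes and values are constructed.
 */
public class BindingStyles {

    /** Constructed business model; "permissions" is not meant to be form-editable. */
    public static class Address {
        private String zipCode;
        public String getZipCode() { return zipCode; }
        public void setZipCode(String zipCode) { this.zipCode = zipCode; }
    }

    public static class User {
        private String name;
        private Address address = new Address();
        private String permissions = "user";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Address getAddress() { return address; }
        public void setAddress(Address address) { this.address = address; }
        public String getPermissions() { return permissions; }
        public void setPermissions(String permissions) { this.permissions = permissions; }
    }

    /**
     * XMLForm/JXForm style as described in the thread: each request
     * parameter name is used as an XPath into the model, so the request,
     * not the form, decides which properties get written.
     */
    static void bindByParameterNames(User model, Map<String, String> request) {
        JXPathContext ctx = JXPathContext.newContext(model);
        for (Map.Entry<String, String> p : request.entrySet()) {
            ctx.setValue(p.getKey(), p.getValue());
        }
    }

    /**
     * Woody style: the form definition (widget id -> model path) is
     * traversed and each widget reads only its own request parameter.
     * Request parameters that match no widget never reach the model.
     */
    static void bindByFormDefinition(User model, Map<String, String> formDefinition,
                                     Map<String, String> request) {
        JXPathContext ctx = JXPathContext.newContext(model);
        for (Map.Entry<String, String> widget : formDefinition.entrySet()) {
            String value = request.get(widget.getKey());
            if (value != null) {
                ctx.setValue(widget.getValue(), value);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed request: the two fields the form shows, plus one extra
        // parameter of the kind the thread warns about.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("name", "alice");
        request.put("address/zipCode", "90190");
        request.put("permissions", "admin");

        User byParams = new User();
        bindByParameterNames(byParams, request);
        System.out.println("parameter-driven binding: permissions = "
                + byParams.getPermissions());

        // The form definition declares only the widgets this page edits.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("name", "name");
        form.put("address/zipCode", "address/zipCode");

        User byForm = new User();
        bindByFormDefinition(byForm, form, request);
        System.out.println("form-driven binding: permissions = "
                + byForm.getPermissions() + ", zipCode = "
                + byForm.getAddress().getZipCode());
    }
}
```

Running `main` shows the parameter-driven binder ending with `permissions = admin`, while the form-driven binder keeps the default `user` and still fills in the zip code. Note that `setValue` on a path that does not exist throws a `JXPathException` unless the context is lenient, which is the NPE/lenient-mode trade-off Konstantin mentions; with the form-driven binder the set of paths is fixed by the developer, so that choice no longer depends on what a client sends.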