Torsten Curdt wrote:
>> Today we came across a possible security problem when you use flow
>> script. We tested the following example with 2.1.5.1 and the
>> current 2.1.x branch. Here is a simple example:
>>
>> We have two areas in our web application, one is available for every
>> user and one area is only accessible for authenticated users.
>> We create two sub sitemaps - one for each area. Both are using
>> flow with different scripts. The second sitemap is protected
>> by using the authentication framework (how the authentication
>> is done is actually not important).
>
> ...but that *is* important: if you would be using a flow-based
> authentication mechanism this is not a problem at all.
>
>> So it seems that it would be good if we would have some further checks.
>> I think it would be good if flow would check if the continuation id
>> belongs to the sitemap where the map:call is performed. Currently the
>> ids are global and not on a per-sitemap level.
>
> We could create a continuation manager per sitemap. ...but
> I am not really sure whether this is a good idea to make
> this the default.

Is there a possibility to attach some "attributes" to a sitemap? I mean, for example, a continuations holder?

--
Leszek Gawron                                      [EMAIL PROTECTED]
Project Manager                                    MobileBox sp. z o.o.
+48 (61) 855 06 67                              http://www.mobilebox.pl
mobile: +48 (501) 720 812                       fax: +48 (61) 853 29 65
