Hi,
Sorry about reacting to this thread after one month of inactivity, but we
recently switched to a Cocoon version which includes this fix. I have tried
refactoring our application, but it was more work than I expected.
Having an option to turn this behaviour on or off would really make things
easier for me. Our application can run as it is and from the warnings in the
log I can determine what should be changed. Using these warnings I can
gradually make our application compliant with sitemap-bound continuations.
I propose to change the current code in ContinuationsManagerImpl to this code.
As you can see the warnings will always be added to the log as an incentive to
make changes to code which still uses shared continuations:
public WebContinuation lookupWebContinuation(String id, String
interpreterId) {
WebContinuation kont = (WebContinuation) idToWebCont.get(id);
if ( kont != null ) {
boolean interpreterMatches = kont.interpreterMatches(interpreterId);
if (!interpreterMatches && getLogger().isWarnEnabled()) {
getLogger().warn("WK: Continuation (" + kont.getId()
+ ") lookup for wrong interpreter. Bound to: "
+ kont.getInterpreterId() + ", looked up for:
"
+ interpreterId);
}
>>>> return interpreterMatches ||
>>>> allowBackwardCompatibleContinuationSharing ? kont : null;
}
return null;
}
'allowBackwardCompatibleContinuationSharing' will be a configuration option
which defaults to 'false'.
If nobody objects I will make the changes, create patches and add a new bug for
this.
Johan Stuyts
Hippo
> -----Original Message-----
> From: Carsten Ziegeler [mailto:[EMAIL PROTECTED]
> Posted At: donderdag 21 oktober 2004 9:49
> Posted To: Cocoon Dev List
> Conversation: Possible security problem with flowscript
> Subject: RE: Possible security problem with flowscript
>
>
>
> Leszek Gawron wrote:
> > >>Is there any sense to bind continuations to the sitemap? Vadim?
> > >>
> > >
> > > Yes, I really think so. IMHO it is simply wrong to continue
> > a script
> > > in a sitemap where it hasn't been declared - and as soon as
> > the flow
> > > script tries to address relative resources it won't work anyway.
> >
> > Just one more question: should this be an option to maintain
> > compatibility?
> >
> I don't think so, imho it's a bug - in most cases the script breaks
> as soon as a pipeline is invoked - or other relative resources are
> fetched.
>
> Carsten
>
>
