Devs,

During document publishing, Lenya 1.2.4 (and maybe 1.4?) accepts some values from the request at face value rather than looking them up in session data. For example, a URL like this (which I'll wrap here for readability) is what the browser sends when one submits the confirmation form on the publish page in the CMS (to publish a document):

    http://localhost:8888/default/info-authoring/tutorial.html
    ?lenya.usecase=publish
    &lenya.step=publish
    &task-id=publish
    &document-id=/tutorial
    &document-language=en
    &user-id=MickeyMouse
    &user-name=Mickey%20Mouse
    &user-email=levi.vanya%40wyona.org
    &ip-address=168.0.0.1
    &role-ids=admin%2Creview%2Cedit
    &workflow-event=publish
    &properties.publish.sources=tutorial/index_en.xml
    &properties.files2index=
    &sources=tutorial/index_en.xml
    &properties.export.uris=/default/live/tutorial.html
    &uris=/default/live/tutorail.html

It turns out that a user may submit *any* string in the "user-name" spot, with the result being recorded in the tutorial/index_en.xml.rcml file and subsequently displayed in the Workflow tab for that document. I suspect other values can also be forged.

Although only a logged-in user can successfully forge information in this way, this appears to be a weakness in how the application is structured. Most of this information can be looked up on the server rather than trusting the browser to provide valid values, right?

It seems to me that this publish request shouldn't be sending the user-id, user-name, user-email, ip-address, role-ids, properties.publish.sources, sources, properties.export.uris and uris values at all, should it?
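
The server-side lookup the message asks about, as an added example that is not part of the original message and is not Lenya code. It assumes the session can be modelled as a plain Map keyed by the same parameter names; the class name, method name and session values are hypothetical.

```java
import java.util.*;

// Added illustration, not Lenya code. The session is modelled as a plain Map whose
// keys reuse the parameter names from the request above (an assumption).
public class PublishRequestCheck {
    // Values the server already knows; never read these from the browser.
    static final List<String> SERVER_OWNED = Arrays.asList(
        "user-id", "user-name", "user-email", "ip-address", "role-ids");
    // Values the client legitimately chooses. Everything else is dropped, including
    // sources and uris, which this sketch assumes the server can look up itself.
    static final List<String> CLIENT_ALLOWED = Arrays.asList(
        "lenya.usecase", "lenya.step", "task-id", "document-id",
        "document-language", "workflow-event");

    static Map<String, String> trustedRecord(Map<String, String> request,
            Map<String, String> session, List<String> mismatches) {
        Map<String, String> record = new LinkedHashMap<>();
        for (String key : CLIENT_ALLOWED) {
            if (request.containsKey(key)) record.put(key, request.get(key));
        }
        for (String key : SERVER_OWNED) {
            String claimed = request.get(key);
            String trusted = session.get(key);
            // A claimed value that disagrees with the session goes to the audit log.
            if (claimed != null && !claimed.equals(trusted)) mismatches.add(key);
            record.put(key, trusted);
        }
        return record;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>(); // constructed sample session
        session.put("user-id", "alice");
        session.put("user-name", "Alice Example");
        session.put("user-email", "alice@example.org");
        session.put("ip-address", "192.0.2.10");
        session.put("role-ids", "edit");

        Map<String, String> request = new HashMap<>(); // subset of the URL above
        request.put("lenya.usecase", "publish");
        request.put("document-id", "/tutorial");
        request.put("user-id", "MickeyMouse");
        request.put("user-name", "Mickey Mouse");
        request.put("role-ids", "admin,review,edit");
        request.put("uris", "/default/live/tutorail.html");

        List<String> mismatches = new ArrayList<>();
        Map<String, String> record = trustedRecord(request, session, mismatches);
        System.out.println("record:     " + record);
        System.out.println("mismatches: " + mismatches);
    }
}
```

The record written to the workflow history then carries only the session's identity values, and the mismatch list gives an audit trail of which fields a client tried to override.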
