Kent Tong wrote:
> Howard Lewis Ship <hlship <at> gmail.com> writes:
>>(*), then MIME encoded. Only a very dedicated hacker would be able to
>>spoof that information in the URLs ... but because of HiveMind you
>>could create your own implementation that added some form of encoding.
>
>
> I think this will be a necessity for this feature to be used
> in a public production app. It isn't that difficult to encode
> persistence feature is made available, please at least document
> the security risk involved so that the app developer can make his
> own informed decision.

Certainly nobody wants to run into the same security issues we had with the AssetService lately (before adding the hash). It was no fun to read my web.xml etc. using a browser...

For sure, crafting an object stream takes a while, and if it's documented and that easy using HiveMind, fine. But probably it's worth having this as the default (especially if it's that simple to implement as you mentioned, Howard) in the framework right from the start, instead of having the follow-up problems (if only dozens of emails on this list ;-) ) later.
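The "some form of encoding" the thread asks for is an integrity tag: the serialized state placed in the URL is signed with a server-side secret, and the server refuses to decode any token whose tag does not verify. The following is an added example written for this discussion, not code from Tapestry or HiveMind; the JSON payload, the `SECRET_KEY` value and the `userId`/`role` fields are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder: the real secret stays server-side and is loaded from configuration.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token can sit in a query string untouched.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_state(state: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize persisted page state into a 'payload.tag' token for the URL."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(tag)}"


def decode_state(token: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the state only if the HMAC verifies; None for anything malformed or altered.

    The payload is deserialized only after the tag has been checked, so a spoofed
    token never reaches the application logic.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(payload.decode("utf-8"))


def self_test():
    """Show that an unmodified token round-trips while an edited payload is rejected."""
    token = encode_state({"userId": 17, "role": "user"})
    _, tag_b64 = token.split(".", 1)
    edited = json.dumps({"role": "admin", "userId": 17}, sort_keys=True, separators=(",", ":"))
    altered_token = f"{_b64encode(edited.encode('utf-8'))}.{tag_b64}"
    return decode_state(token), decode_state(altered_token)
```

The same pattern applies to a Java `ObjectOutputStream` blob: MAC the raw bytes before MIME encoding, and verify before `readObject` is ever called.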