Hey All,

I want to add a security feature to Turbine:

<http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan>

It is funny, I wrote an application server about 4-5 years ago that
addressed this very same issue. It is nice to see it coming up again. :-)
Essentially, I was really strict in that I made it so that the homepage
allowed any referrer, but any page in the site didn't. If you tried to go to
a page in the site with an invalid referrer, I would redirect you to the
homepage.

The *simple* implementation fix for the problem they describe above would be
to check the referrer in the Turbine.doPost() method and throw an exception
if they don't match. This has the potential to break in a few cases though
and isn't 100% secure (nothing is).

The only problem with this is that we lose compatibility with browsers that
don't send this information. In reality all the 3.0 and greater browsers do
send this information, so it shouldn't be a major issue. I can add this
feature as a TurbineResources.properties boolean condition as well.

What do you think?

-jon

-- 
    Java Servlet Based - Open Source  |        Collab.Net
        Bug/Issue Tracking System     |   now hiring smart people
       <http://scarab.tigris.org/>    |  <http://Collab.Net/jobs/>
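The check proposed in the mail, as an added example that is not Turbine's own code: a host comparison on the Referer header with a boolean toggle standing in for the TurbineResources.properties setting, and the missing-header case from the mail handled explicitly. The class name, the expected host and the toggle name are assumptions; wiring it into doPost() is left as a comment.

```java
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Referer check of the kind proposed above. Assumed: the servlet knows the
 * host it is served from and calls isAllowedReferer() at the top of
 * doPost(), throwing an exception (or redirecting to the homepage) on false.
 */
public final class RefererCheck {

    private final String expectedHost;    // host this application is served from
    private final boolean requireReferer; // stands in for the proposed properties toggle

    public RefererCheck(String expectedHost, boolean requireReferer) {
        this.expectedHost = expectedHost.toLowerCase();
        this.requireReferer = requireReferer;
    }

    /** Returns true when the POST may proceed, false when it should be rejected. */
    public boolean isAllowedReferer(String referer) {
        if (referer == null || referer.isEmpty()) {
            // Browsers or proxies that do not send the header: the compatibility
            // case from the mail. Tolerated only when the toggle is off.
            return !requireReferer;
        }
        try {
            String host = new URL(referer).getHost().toLowerCase();
            // Exact host comparison only; a suffix match such as endsWith()
            // would accept a host like www.example.com.other-site.net.
            return host.equals(expectedHost);
        } catch (MalformedURLException e) {
            return false; // an unparseable header is treated like a mismatch
        }
    }

    public static void main(String[] args) {
        RefererCheck strict = new RefererCheck("www.example.com", true);
        RefererCheck lenient = new RefererCheck("www.example.com", false);
        // Constructed sample headers, not captured traffic.
        System.out.println("same host, strict:   " + strict.isAllowedReferer("http://www.example.com/form"));
        System.out.println("other host, strict:  " + strict.isAllowedReferer("http://other-site.net/page"));
        System.out.println("no header, strict:   " + strict.isAllowedReferer(null));
        System.out.println("no header, lenient:  " + lenient.isAllowedReferer(null));
    }
}
```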
