Hey Mobi,

2010/2/8 mobi phil <[email protected]>:
>> The check is done at the server side. So even if the user creates new
>> buttons or does whatever, the security measures are taken server-side
>> and only those buttons instantiated by the server (or more
>> specifically, signals that get exposed), can trigger Wt code.
>
> I see. You do not have access to the slot. Nice... did not think about that...
> However... let's say that you have two users. (At the moment I know, only
> admin can add posts, but let's presume you would add more users).
>
> First user retrieves for editing his own post. Then when saving he could
> impersonate the other user by sending to save a post of the first user
> (changing the ID of the object).
>
> Or is the ID not part of the HTTP message when you save a post? If
> not, how are the objects identified? Is there a hash value generated
> that would make it impossible to send random IDs etc.?
>
> Koen, maybe it is nonsense what I am discussing, but I would not mind
> getting references to how this is implemented... Of course I could
> spend some hours looking at the code... etc.

There is one 'secret' which is assumed to be kept secret for each
user, and this is his session ID (this is not uncommon, and indeed,
both Wt and most servlet engines (Java) use highly secure random
generators for generating this ID).

A user cannot send to save a post as the first user unless he has
access to his session ID.

Ideally, you would use https to protect clear text transmission of the
session ID.

>> Nevertheless, we take security seriously,
> I am convinced. However, I am sure that challenging it from time to
> time gives more confidence both to the community and you.

For sure :-)

>> convinced that there is a security problem and think of a way of
>> triggering it, you can easily convince us by demonstrating it ?
> I would be more than happy to do that, but due to lack of time do not
> know when... I even had to skip the beer event.
> By the way.. did you meet guys?

I was a bit overwhelmed by the amount of people at the beer event. It
was totally impossible to meet with total strangers like that and only
by complete coincidence we managed to meet up with Pau while ordering
beers !

> I think it is also not bad to clarify this as a pattern, as probably
> one would tend to add extra authorisation code in methods like savePost.

I absolutely agree it is worth clarifying, since it is quite an
uncommon security setup for a web framework.

Regards,
koen
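The dispatch scheme Koen describes above (the browser names only a session ID and a signal the server itself instantiated, never the object being edited) is easy to misread, so here is a small C++ model of it. This is an added illustration written for this page, not Wt's own code; the class `Server`, its methods `openSession`, `exposeEditSignal` and `handle`, the `Post` struct and the sample posts for users "alice" and "bob" are all constructed for the example. It shows why a request that carries another session's signal number, or a forged session ID, cannot save a post as someone else: the signal table is looked up inside the requesting session, and the post ID was bound on the server when the widget was created.

```cpp
#include <cstdint>
#include <functional>
#include <iomanip>
#include <iostream>
#include <map>
#include <random>
#include <sstream>
#include <string>

// Constructed model of server-side signal dispatch (hypothetical, not Wt's code).
struct Post {
    std::string owner;
    std::string body;
};

class Server {
public:
    Server() {
        // Constructed sample data: each post belongs to one user.
        posts_[1] = {"alice", "alice's first post"};
        posts_[2] = {"bob", "bob's first post"};
    }

    // Open a session for an already-authenticated user and return its ID.
    // The session ID is the per-user secret; a production server must draw
    // it from a cryptographically secure generator (this demo uses mt19937).
    std::string openSession(const std::string& user) {
        std::ostringstream id;
        for (int i = 0; i < 4; ++i)
            id << std::hex << std::setw(8) << std::setfill('0')
               << static_cast<std::uint32_t>(rng_());
        sessions_[id.str()] = Session{user, {}, 1};
        return id.str();
    }

    // The server instantiates an "edit this post" widget for the session and
    // returns the signal number the browser may fire. The post ID is captured
    // server-side; it never travels in the request. Returns -1 when the
    // session's user does not own the post, so no signal is exposed at all.
    int exposeEditSignal(const std::string& sessionId, int postId) {
        auto s = sessions_.find(sessionId);
        auto p = posts_.find(postId);
        if (s == sessions_.end() || p == posts_.end()) return -1;
        if (p->second.owner != s->second.user) return -1;  // authorisation decided here
        int signalId = s->second.nextSignal++;             // numbering is per session
        s->second.signals[signalId] = [this, postId](const std::string& body) {
            posts_[postId].body = body;
            return true;
        };
        return signalId;
    }

    // Incoming request (session ID, signal number, payload). Only a signal that
    // this very session exposed can run; anything else is silently rejected.
    bool handle(const std::string& sessionId, int signalId, const std::string& body) {
        auto s = sessions_.find(sessionId);
        if (s == sessions_.end()) return false;            // unknown or forged session
        auto sig = s->second.signals.find(signalId);
        if (sig == s->second.signals.end()) return false;  // not exposed to this session
        return sig->second(body);
    }

    const Post* post(int id) const {
        auto p = posts_.find(id);
        return p == posts_.end() ? nullptr : &p->second;
    }

private:
    struct Session {
        std::string user;
        std::map<int, std::function<bool(const std::string&)>> signals;
        int nextSignal;
    };
    std::map<std::string, Session> sessions_;
    std::map<int, Post> posts_;
    std::mt19937 rng_{std::random_device{}()};
};

int main() {
    Server server;
    std::string alice = server.openSession("alice");
    int sig = server.exposeEditSignal(alice, 1);
    std::cout << (server.handle(alice, sig, "updated") ? "saved" : "rejected") << "\n";
    std::cout << (server.handle("forged-session-id", sig, "x") ? "saved" : "rejected") << "\n";
    return 0;
}
```

Note that both users receive signal number 1 for their own edit widget: the number is meaningless outside the session that created it, which is why the extra ownership check people tend to add inside a `savePost`-style method is redundant under this design. The only thing the scheme depends on is that the session ID stays secret, hence the advice to carry it over HTTPS.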
