Re: WebObjects and HTML injection
Re: WebObjects and HTML injection
- Subject: Re: WebObjects and HTML injection
- From: Anjo Krank <email@hidden>
- Date: Thu, 22 Jul 2010 19:21:11 +0200
I don't follow: *is* this an actual problem with the default coding style? IMO, you wouldn't ever say "oh noez! your session $ID" is no longer valid! but I'll use it anyway."
What *should* happen is that WO gives you a new page when the instance doesn't find the existing session (SessionExpired default or whatever). that page should have only the ID of a new session in it, certainly no mention of the old one.
If that happens right now, then you don't have a problem. if it doesn't then you'd need to fix *that* as this is bogus behavior.
Cheers, Anjo
Am 22.07.2010 um 18:40 schrieb Patrick Middleton:
>
> On 22 Jul 2010, at 12:49, Anjo Krank wrote:
>
>> Why would you "preserve" the session id when it's no longer valid?
>>
>> Cheers, Anjo
>>
>>
>>
>> Am 22.07.2010 um 13:28 schrieb Patrick Middleton:
>>
>>> in order to sanitize inputs -- mostly by removing anything containing the likes of '<script'. What do you think?
>
>
> Preserve the session id when it's no longer valid? Anjo, are you saying my application should have sanitised its inputs?
>
> When I wrote the app I considered how a session ID might not be valid, and what the app would do:
> timed out: give a 'timed out' response page
> ought to exist, but the instance has crashed and restarted: give a 'timed out' response page
> redirected to the wrong instance by the load balancer: give a 'timed out' response page
> and so on.
>
> I didn't explicitly preserve the session ID. What I did not consider was someone cooking up an interesting bogus sessionID and then finding a page accessible by a direct action that had some component action URLs on it, so that in the event of the session ID not being valid, I would need to takes steps to ensure it did not appear in the response.
>
> Moreover, while the sessionID is an excellent place to start for anybody probing for security vulnerabilities in a WO app, it's not the only place -- I think every form value, cookie and CGI argument needs to be sanitised.
>
>
> ---
> Regards Patrick
> OneStep Solutions Plc
> www.onestep.co.uk
>
>
>
> This email, including any attachments, is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient you must not disseminate, distribute or copy any part of this email nor take any action in reliance on it.
>
> If you have received this in error please notify the sender immediately by email or phone +44 (0)1702 426400 and delete this email and any attachments from your system.
>
> Email transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of email transmission. If verification is required please request a hard-copy version.
>
> OneStep Solutions LLP is registered in England and Wales under registration number OC337173 and has its registered office at 457 Southchurch Road, Southend-on-Sea, Essex SS1 2PH.
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden