summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--services/json_auth.esp8
-rw-r--r--services/request.esp15
-rw-r--r--webapps/swat/source/class/swat/module/AbstractModuleFsm.js88
-rw-r--r--webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js8
-rw-r--r--webapps/swat/source/class/swat/module/ldbbrowse/Gui.js34
-rw-r--r--webapps/swat/source/class/swat/module/statistics/Fsm.js8
6 files changed, 87 insertions, 74 deletions
diff --git a/services/json_auth.esp b/services/json_auth.esp
index 2d58b6e2af..0fdd98037d 100644
--- a/services/json_auth.esp
+++ b/services/json_auth.esp
@@ -1,7 +1,13 @@
<%
/* Return true to allow access; false otherwise */
-function json_authenticate(serviceComponents, method)
+function json_authenticate(serviceComponents, method, scriptTransportId)
{
+ // Don't allow any access via ScriptTransport, for now.
+ if (scriptTransportId != jsonrpc.Constant.ScriptTransport.NotInUse)
+ {
+ return false;
+ }
+
return true;
}
diff --git a/services/request.esp b/services/request.esp
index 1b33b61964..6f7e61e6e4 100644
--- a/services/request.esp
+++ b/services/request.esp
@@ -292,6 +292,8 @@ if (request["REQUEST_METHOD"] == "POST" &&
}
else if (request["REQUEST_METHOD"] == "GET" &&
form["_ScriptTransport_id"] != undefined &&
+ form["_ScriptTransport_id"] !=
+ jsonrpc.Constant.ScriptTransport.NotInUse &&
form["_ScriptTransport_data"] != undefined)
{
/* We have what looks like a valid ScriptTransport request */
@@ -455,8 +457,17 @@ if (! valid)
return;
}
-/* Ensure the logged-in user is allowed to issue the requested method */
-if (! json_authenticate(serviceComponents, jsonInput.method))
+/*
+ * Ensure the logged-in user is allowed to issue the requested method. We
+ * provide the scriptTransportId as one of the determining factors because
+ * accepting requests via ScriptTransport is dangerous. Only methods which
+ * one might allow when unauthenticated should be allowed via ScriptTransport
+ * as it is easy for a rogue site to trick a user into bypassing
+ * authentication.
+ */
+if (! json_authenticate(serviceComponents,
+ jsonInput.method,
+ scriptTransportId))
{
error.setError(jsonrpc.Constant.ErrorCode.PermissionDenied,
"Permission denied");
diff --git a/webapps/swat/source/class/swat/module/AbstractModuleFsm.js b/webapps/swat/source/class/swat/module/AbstractModuleFsm.js
index cffeb8b00a..a2564e708a 100644
--- a/webapps/swat/source/class/swat/module/AbstractModuleFsm.js
+++ b/webapps/swat/source/class/swat/module/AbstractModuleFsm.js
@@ -151,10 +151,10 @@ qx.Proto.addAwaitRpcResultState = function(module)
function(fsm, event)
{
// Get the request object
- var request = _this.getCurrentRpcRequest();
+ var rpcRequest = _this.getCurrentRpcRequest();
// Issue an abort for the pending request
- request.abort();
+ rpcRequest.request.abort();
}
});
state.addTransition(trans);
@@ -174,14 +174,14 @@ qx.Proto.addAwaitRpcResultState = function(module)
function(fsm, event)
{
// Get the request object
- var request = _this.getCurrentRpcRequest();
+ var rpcRequest = _this.getCurrentRpcRequest();
// Generate the result for a completed request
- request.setUserData("result",
- {
- type : "complete",
- data : event.getData()
- });
+ rpcRequest.setUserData("result",
+ {
+ type : "complete",
+ data : event.getData()
+ });
}
});
state.addTransition(trans);
@@ -201,14 +201,14 @@ qx.Proto.addAwaitRpcResultState = function(module)
function(fsm, event)
{
// Get the request object
- var request = _this.getCurrentRpcRequest();
+ var rpcRequest = _this.getCurrentRpcRequest();
// Generate the result for a completed request
- request.setUserData("result",
- {
- type : "failed",
- data : event.getData()
- });
+ rpcRequest.setUserData("result",
+ {
+ type : "failed",
+ data : event.getData()
+ });
}
});
state.addTransition(trans);
@@ -221,68 +221,64 @@ qx.Proto.addAwaitRpcResultState = function(module)
* @param fsm {qx.util.fsm.FiniteStateMachine}
* The finite state machine issuing this remote procedure call.
*
- * @param service {String}
+ * @param service {string}
* The name of the remote service which provides the specified method.
*
- * @param method {String}
+ * @param method {string}
* The name of the method within the specified service.
*
* @param params {Array}
* The parameters to be passed to the specified method.
*
- * @return {qx.io.remote.Request}
+ * @return {Object}
* The request object for the just-issued RPC request.
*/
qx.Proto.callRpc = function(fsm, service, method, params)
{
// Create an object to hold a copy of the parameters. (We need a
// qx.core.Object() to be able to store this in the finite state machine.)
- var o = new qx.core.Object();
+ var rpcRequest = new qx.core.Object();
- // copy the parameters; we'll prefix our copy with additional params
- o.allParams = params.slice(0);
+ // Save the service name
+ rpcRequest.service = service;
- // prepend the method
- o.allParams.unshift(method);
+ // Copy the parameters; we'll prefix our copy with additional params
+ rpcRequest.params = params.slice(0);
- // prepend the flag indicating to coalesce failure events
- o.allParams.unshift(true);
+ // Prepend the method
+ rpcRequest.params.unshift(method);
- // prepend the service name
- o.allParams.unshift(service);
+ // Prepend the flag indicating to coalesce failure events
+ rpcRequest.params.unshift(true);
- // Save the complete parameter list in case authentication fails and we need
- // to reissue the request.
- fsm.addObject("swat.module.rpc_params", o);
-
// Retrieve the RPC object */
var rpc = fsm.getObject("swat.module.rpc");
// Set the service name
- rpc.setServiceName(o.allParams[0]);
+ rpc.setServiceName(rpcRequest.service);
// Issue the request, skipping the already-specified service name
- var request =
+ rpcRequest.request =
qx.io.remote.Rpc.prototype.callAsyncListeners.apply(rpc,
- o.allParams.slice(1));
+ rpcRequest.params);
- // Make the request object available to the AwaitRpcResult state
- this.pushRpcRequest(request);
+ // Make the rpc request object available to the AwaitRpcResult state
+ this.pushRpcRequest(rpcRequest);
// Give 'em what they came for
- return request;
+ return rpcRequest;
};
/**
* Push an RPC request onto the request stack.
*
- * @param request {qx.io.remote.Request}
- * The just-issued request
+ * @param request {Object}
+ * The just-issued rpc request object
*/
-qx.Proto.pushRpcRequest = function(request)
+qx.Proto.pushRpcRequest = function(rpcRequest)
{
- this._requests.push(request);
+ this._requests.push(rpcRequest);
};
@@ -290,8 +286,8 @@ qx.Proto.pushRpcRequest = function(request)
* Retrieve the most recent RPC request from the request stack and pop the
* stack.
*
- * @return {qx.io.remote.Request}
- * The request from the top of the request stack
+ * @return {Object}
+ * The rpc request object from the top of the request stack
*/
qx.Proto.popRpcRequest = function()
{
@@ -300,16 +296,16 @@ qx.Proto.popRpcRequest = function()
throw new Error("Attempt to pop an RPC request when list is empty.");
}
- var request = this._requests.pop();
- return request;
+ var rpcRequest = this._requests.pop();
+ return rpcRequest;
};
/**
* Retrieve the most recent RPC request.
*
- * @return {qx.io.remote.Request}
- * The request at the top of the request stack
+ * @return {Object}
+ * The rpc request object at the top of the request stack
*/
qx.Proto.getCurrentRpcRequest = function()
{
diff --git a/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js b/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js
index 8052d9a579..6b5ae695bf 100644
--- a/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js
+++ b/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js
@@ -43,15 +43,15 @@ qx.Proto.buildFsm = function(module)
if (fsm.getPreviousState() == "State_AwaitRpcResult")
{
// Yup. Display the result. We need to get the request object
- var request = _this.popRpcRequest();
+ var rpcRequest = _this.popRpcRequest();
// Display the result
var gui = swat.module.ldbbrowse.Gui.getInstance();
- gui.displayData(module, request);
+ gui.displayData(module, rpcRequest);
// Dispose of the request
- request.dispose();
- request = null;
+ rpcRequest.request.dispose();
+ rpcRequest.request = null;
}
},
diff --git a/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js b/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js
index 9e86be25e9..52db8fdd88 100644
--- a/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js
+++ b/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js
@@ -114,12 +114,12 @@ qx.Proto.buildGui = function(module)
* The result returned by SAMBA to our request. We display the data
* provided by this result.
*/
-qx.Proto.displayData = function(module, request)
+qx.Proto.displayData = function(module, rpcRequest)
{
var gui = module.gui;
var fsm = module.fsm;
- var result = request.getUserData("result")
- var requestType = request.getUserData("requestType");
+ var result = rpcRequest.getUserData("result")
+ var requestType = rpcRequest.getUserData("requestType");
// Did the request fail?
if (result.type == "failed")
@@ -133,19 +133,19 @@ qx.Proto.displayData = function(module, request)
switch(requestType)
{
case "find":
- this._displayFindResults(module, request);
+ this._displayFindResults(module, rpcRequest);
break;
case "tree_open":
- this._displayTreeOpenResults(module, request);
+ this._displayTreeOpenResults(module, rpcRequest);
break;
case "tree_selection_changed":
- this._displayTreeSelectionChangedResults(module, request);
+ this._displayTreeSelectionChangedResults(module, rpcRequest);
break;
case "database_name_changed":
- this._clearAllFields(module, request);
+ this._clearAllFields(module, rpcRequest);
break;
default:
@@ -409,7 +409,7 @@ qx.Proto._buildPageBrowse = function(module, page)
};
-qx.Proto._displayFindResults = function(module, request)
+qx.Proto._displayFindResults = function(module, rpcRequest)
{
var rowData = [];
var fsm = module.fsm;
@@ -418,7 +418,7 @@ qx.Proto._displayFindResults = function(module, request)
var maxLen = 0;
// Obtain the result object
- result = request.getUserData("result").data;
+ result = rpcRequest.getUserData("result").data;
if (result && result["length"])
{
@@ -497,18 +497,18 @@ qx.Proto._displayFindResults = function(module, request)
};
-qx.Proto._displayTreeOpenResults = function(module, request)
+qx.Proto._displayTreeOpenResults = function(module, rpcRequest)
{
var t;
var trs;
var child;
// Obtain the result object
- var result = request.getUserData("result").data;
+ var result = rpcRequest.getUserData("result").data;
// We also need some of the original parameters passed to the request
- var parent = request.getUserData("parent");
- var attributes = request.getUserData("attributes");
+ var parent = rpcRequest.getUserData("parent");
+ var attributes = rpcRequest.getUserData("attributes");
// Any children?
if (! result || result["length"] == 0)
@@ -548,12 +548,12 @@ qx.Proto._displayTreeOpenResults = function(module, request)
};
-qx.Proto._displayTreeSelectionChangedResults = function(module, request)
+qx.Proto._displayTreeSelectionChangedResults = function(module, rpcRequest)
{
var fsm = module.fsm;
// Obtain the result object
- var result = request.getUserData("result").data;
+ var result = rpcRequest.getUserData("result").data;
// If we received an empty list, ...
if (result == null)
@@ -612,10 +612,10 @@ qx.Proto._displayTreeSelectionChangedResults = function(module, request)
};
-qx.Proto._clearAllFields = function(module, request)
+qx.Proto._clearAllFields = function(module, rpcRequest)
{
// Obtain the result object
- var result = request.getUserData("result").data;
+ var result = rpcRequest.getUserData("result").data;
// Retrieve the database handle
module.dbHandle = result;
diff --git a/webapps/swat/source/class/swat/module/statistics/Fsm.js b/webapps/swat/source/class/swat/module/statistics/Fsm.js
index 1aeab8a4a3..5e4843691c 100644
--- a/webapps/swat/source/class/swat/module/statistics/Fsm.js
+++ b/webapps/swat/source/class/swat/module/statistics/Fsm.js
@@ -67,15 +67,15 @@ qx.Proto.buildFsm = function(module)
if (fsm.getPreviousState() == "State_AwaitRpcResult")
{
// Yup. Display the result. We need to get the request object
- var request = _this.popRpcRequest();
+ var rpcRequest = _this.popRpcRequest();
// Display the result
var gui = swat.module.statistics.Gui.getInstance();
- gui.displayData(module, request.getUserData("result"));
+ gui.displayData(module, rpcRequest.getUserData("result"));
// Dispose of the request
- request.dispose();
- request = null;
+ rpcRequest.request.dispose();
+ rpcRequest.request = null;
// Restart the timer.
swat.module.statistics.Fsm._startTimer(fsm);