From 102e4840b3bc11cc84a0ecb784190e7501277ac4 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Fri, 5 Jan 2007 19:29:45 +0000 Subject: r20559: Web Application Framework - Disallow, for now, any ScriptTransport access. A serious security issue has been described, and since we don't currently need it for anything, disable it completely. - Continued clean-up towards implementing the common authentication code (This used to be commit 07817a5489dd8cc6c85c10116f4dba43d798ef03) --- services/request.esp | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'services/request.esp') diff --git a/services/request.esp b/services/request.esp index 1b33b61964..6f7e61e6e4 100644 --- a/services/request.esp +++ b/services/request.esp @@ -292,6 +292,8 @@ if (request["REQUEST_METHOD"] == "POST" && } else if (request["REQUEST_METHOD"] == "GET" && form["_ScriptTransport_id"] != undefined && + form["_ScriptTransport_id"] != + jsonrpc.Constant.ScriptTransport.NotInUse && form["_ScriptTransport_data"] != undefined) { /* We have what looks like a valid ScriptTransport request */ @@ -455,8 +457,17 @@ if (! valid) return; } -/* Ensure the logged-in user is allowed to issue the requested method */ -if (! json_authenticate(serviceComponents, jsonInput.method)) +/* + * Ensure the logged-in user is allowed to issue the requested method. We + * provide the scriptTransportId as one of the determining factors because + * accepting requests via ScriptTransport is dangerous. Only methods which + * one might allow when unauthenticated should be allowed via ScriptTransport + * as it is easy for a rogue site to trick a user into bypassing + * authentication. + */ +if (! json_authenticate(serviceComponents, + jsonInput.method, + scriptTransportId)) { error.setError(jsonrpc.Constant.ErrorCode.PermissionDenied, "Permission denied"); -- cgit