Hello,

TLDR: Prior to a few days ago, AjaxFlexibleFileUpload (and ERAttachmentFlexibleUpload which uses it) had a rather large security hole in it. If you use this component, you should update to the recently released Wonder 6.1.5 or to HEAD for Wonder 7, both of which contain the fix.

A few months ago, Ralf Schuchardt committed some improvements to AjaxProxy:

https://github.com/wocommunity/wonder/pull/731

This passed me by until I noticed some unusual console logging from a page with an upload component on it. It was coming from this newly-added line in AjaxProxy:

> log.warn("No proxy binding given, so using parent component. This is probably
> a very bad idea.");

As Ralf noted in a reply to me in the comments to that pull request:

> AjaxProxy currently publishes every public method of the object on the client
> side. For components this means for example WOComponent.valueForKeyPath and
> WOComponent.takeValueForKeyPath are directly callable by the client. A
> malicious user may call valueForKeyPath("application.terminate") or every
> other path reachable by session or application. I call this a serious issue.

Indeed, any app user with access to a page containing an AjaxFlexibleFileUpload could cause an instance shutdown by adding a single line to wonder.js using something like Chrome’s Developer Tools.

https://github.com/wocommunity/wonder/issues/768

I fixed the issue by setting the proxy binding to an inner class with limited privileges.

https://github.com/wocommunity/wonder/pull/769

If you’re using AjaxFlexibleFileUpload or ERAttachmentFlexibleUpload in production, you should update your Wonder frameworks as described above.

-- 
Paul Hoadley
http://logicsquad.net/
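An added illustration of the exposure difference Ralf describes, not code from Wonder or from the pull requests: the `Component` base class and `UploadPage` are simplified stand-ins that only borrow the real method names, and a reflective listing stands in for what AjaxProxy publishes, so you can compare the client-callable surface of "component as proxy" against a limited inner class.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Set;
import java.util.TreeSet;

// Stand-in for WOComponent (assumed shape, not the real class): a base class
// whose public key-path accessors reach anything the component can see.
abstract class Component {
    public Object valueForKeyPath(String path) { return "resolved " + path; }
    public void takeValueForKeyPath(Object value, String path) { }
}

// Hypothetical upload page. Before the fix, the component itself was the
// proxy target; after it, only the nested UploadProxy is bound.
class UploadPage extends Component {
    public void uploadFinished(String fileName) { }

    // The fix pattern: a nested class that offers only what the page's JS needs,
    // and inherits nothing from WOComponent.
    public static final class UploadProxy {
        public void uploadFinished(String fileName) { }
    }

    private final UploadProxy proxy = new UploadProxy();

    // What would be bound to the AjaxProxy "proxy" binding.
    public UploadProxy proxy() { return proxy; }
}

public class ProxySurface {
    // Names a proxy that publishes every public method would expose for a target
    // (methods inherited from Object are skipped as noise).
    static Set<String> exposed(Object target) {
        Set<String> names = new TreeSet<>();
        for (Method m : target.getClass().getMethods()) {
            if (m.getDeclaringClass() == Object.class) continue;
            if (Modifier.isPublic(m.getModifiers())) names.add(m.getName());
        }
        return names;
    }

    public static void main(String[] args) {
        UploadPage page = new UploadPage();
        // Includes valueForKeyPath and takeValueForKeyPath: the hole.
        System.out.println("component as proxy:   " + exposed(page));
        // Only the upload callback: the limited surface of the fix.
        System.out.println("inner class as proxy: " + exposed(page.proxy()));
    }
}
```

Run the same listing against your own proxy targets to audit what a page actually publishes; anything inheriting from WOComponent shows the key-path accessors immediately.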
_______________________________________________
Webobjects-dev mailing list
