> I just tried around a bit and it looks like the first-level object is
> a set of remote functions and the results of those functions are
> indeed hashmaps. But still I would think you could write an exploit if
> you managed to create the remote JS that creates the functions JS and
> subsequently call it.
It is a good concern. We should probably put a warning in this
component's documentation that proxy objects are something a hacker
could use, and that the user (developer) should be careful about which
object they register as proxy.
I would still guess that it could be difficult to hack, since from
JavaScript you would need to force the registration of a foreign
object. At that point I don't know how easy that could be.
It's not like it's using key-value coding (which would be a wide open
door); it's only opening methods for specified registered objects.
But if you make it easy on the Java side ... well ... it's all
available to the hacker.
> Call me paranoid if you wish, I'd still think it's safer to simply
> create an object on the page that only has those methods it needs (add
> and addMore in this case).
That would be the safer way to use the proxy component ... just
because no one wishes to be the first one hacked.
- jfv
> Cheers, Anjo
>
> On 25.04.2006 at 15:01, Anjo Krank wrote:
>
>> You're right. Trying this yields:
>>
>> TypeError - Value undefined (result of expression
>> jason.wopage.application().terminate) is not object.
>>
>> Cheers, Anjo
>>
>> On 25.04.2006 at 14:33, Jean-François Veillette wrote:
>>
>>>
>>> On 06-04-25, at 00:47, Anjo Krank wrote:
>>>
>>>> You need to get a servlet.jar and add it to your
>>>> /Library/WebObjects/Extensions.
>>>>
>>>> And you should be careful with that component. I haven't yet tested
>>>> it, but it seems to me that if you bind up your page as the proxy
>>>> object, you could call sth like page.application().terminate()...
>>>
>>> I didn't try, but from reading the code, my understanding is that
>>> you only get a 1-level interface from the proxy object. So if the
>>> page is your proxy, the rpc will make public only the methods
>>> available from that page object. So yes you can call
>>> page.application(), but the rpc will receive an application object
>>> which is a big 'undefined' in javascript. You then won't be able to
>>> call 'terminate()' on it since this will be evaluated in javascript
>>> (a no-op).
>>> There is a way to return another proxy object, this is an 'advanced'
>>> feature of json-rpc (foreign reference or something like that), but
>>> this is not yet investigated for wo integration.
>>>
>>> - jfv
>>>
>>>> Cheers, Anjo
>>>>
>>>> On 25.04.2006 at 05:25, David Holt wrote:
>>>>
>>>>> Hi Mike,
>>>>>
>>>>> Thanks for all your hard work. The sortable list is something that
>>>>> I have been in desperate need of for my application, and to see it
>>>>> implemented is just too cool. The drag and drop shows promise for
>>>>> inclusion soon too...
>>>>>
>>>>> The RPC link still doesn't work, at least on my system. I am using
>>>>> build 67 and received the following error for the first hyperlink
>>>>> (the rest work perfectly):
>>>>>
>>>>> Exception in thread "WorkerThread9" com.webobjects.foundation.NSForwardException for java.lang.NoClassDefFoundError: javax.servlet.http.HttpServletRequest
>>>>>     at com.metaparadigm.jsonrpc.JSONRPCBridge.class$(JSONRPCBridge.java:75)
>>>>>     at com.metaparadigm.jsonrpc.JSONRPCBridge.<clinit>(JSONRPCBridge.java:131)
>>>>>     at er.ajax.AjaxProxy.handleRequest(AjaxProxy.java:231)
>>>>>     at er.ajax.AjaxComponent.invokeAction(AjaxComponent.java:155)
>>>>>     at com.webobjects.appserver._private.WOComponentReference.invokeAction(WOComponentReference.java:104)
>>>>>     at com.webobjects.appserver._private.WODynamicGroup.invokeChildrenAction(WODynamicGroup.java:101)
>>>>>     at com.webobjects.appserver._private.WODynamicGroup.invokeAction(WODynamicGroup.java:110)
>>>>>     at com.webobjects.appserver.WOComponent.invokeAction(WOComponent.java:945)
>>>>>     at com.webobjects.appserver.WOSession.invokeAction(WOSession.java:1168)
>>>>>     at com.webobjects.appserver.WOApplication.invokeAction(WOApplication.java:1375)
>>>>>     at com.webobjects.appserver._private.WOComponentRequestHandler._dispatchWithPreparedPage(WOComponentRequestHandler.java:196)
>>>>>     at com.webobjects.appserver._private.WOComponentRequestHandler._dispatchWithPreparedSession(WOComponentRequestHandler.java:287)
>>>>>     at com.webobjects.appserver._private.WOComponentRequestHandler._dispatchWithPreparedApplication(WOComponentRequestHandler.java:322)
>>>>>     at com.webobjects.appserver._private.WOComponentRequestHandler._handleRequest(WOComponentRequestHandler.java:358)
>>>>>     at com.webobjects.appserver._private.WOComponentRequestHandler.handleRequest(WOComponentRequestHandler.java:432)
>>>>>     at com.webobjects.appserver.WOApplication.dispatchRequest(WOApplication.java:1306)
>>>>>     at com.webobjects.appserver._private.WOWorkerThread.runOnce(WOWorkerThread.java:173)
>>>>>     at com.webobjects.appserver._private.WOWorkerThread.run(WOWorkerThread.java:254)
>>>>>     at java.lang.Thread.run(Thread.java:613)
>>>>>
>>>>>
>>>>> On 24-Apr-06, at 7:45 PM, Mike Schrag wrote:
>>>>>
>>>>>> OK, the build script is fixed up ... Wonder build 67 includes
>>>>>> AjaxExample.woa in the Wonder-2.0.0.67-Examples.tar.gz (rather
>>>>>> than the Applications tar). You need Ajax.framework and
>>>>>> ERJars.framework in your /Library/Frameworks folder to run it,
>>>>>> and those are in the Frameworks tar. Third time's a charm
>>>>>>
>>>>>> ms
>>>>>>
>>>>>> On Apr 24, 2006, at 10:23 PM, Mike Schrag wrote:
>>>>>>
>>>>>>> I only run it in Eclipse, so I didn't notice that it didn't have
>>>>>>> the real framework dependencies setup, only the eclipse project
>>>>>>> dependencies (which also explains why i couldn't get the build
>>>>>>> script working properly most likely). I replaced that
>>>>>>> AjaxExamples tar with the PROPER one (really only differs in
>>>>>>> that the classpath files are updated). Your process was
>>>>>>> correct.
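The thread's point, that a reflective RPC bridge makes every public method of the registered object callable from the browser, and that a small facade holding only add and addMore is the safer binding, can be seen with a plain-JDK demonstration. The code below is an added example and is not part of this thread, of Project Wonder's AjaxProxy, or of the metaparadigm json-rpc library; FakePage, FakeApplication, AddOnlyFacade and the tiny reflective dispatcher are constructed stand-ins for the page, the application and the JSON-RPC bridge, and the class and method names are assumptions made for the illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Added example, not code from the thread, Wonder or json-rpc. A minimal
// reflection-based dispatcher stands in for the JSON-RPC bridge so we can
// list what a registered proxy object exposes and what a facade hides.
public class ProxyExposureDemo {

    // Constructed stand-in for a WOComponent page; a real page has many
    // more public methods (application(), session(), context(), ...).
    static class FakePage {
        private final FakeApplication app = new FakeApplication();
        public FakeApplication application() { return app; }
        public String add(String item) { return "added " + item; }
        public String addMore(String a, String b) { return "added " + a + " and " + b; }
    }

    // Constructed stand-in for the application object reachable from the page.
    static class FakeApplication {
        boolean terminated = false;
        public void terminate() { terminated = true; }
    }

    // The safer binding discussed in the thread: a dedicated object that
    // carries only the two methods the page's JavaScript actually needs.
    static class AddOnlyFacade {
        private final FakePage page;
        AddOnlyFacade(FakePage page) { this.page = page; }
        public String add(String item) { return page.add(item); }
        public String addMore(String a, String b) { return page.addMore(a, b); }
    }

    // Names of the public methods a one-level proxy would make callable.
    static List<String> exposedMethods(Object proxy) {
        return Arrays.stream(proxy.getClass().getDeclaredMethods())
            .filter(m -> Modifier.isPublic(m.getModifiers()))
            .map(Method::getName).sorted().distinct()
            .collect(Collectors.toList());
    }

    // Dispatch a call by name the way a reflective RPC bridge does: only
    // public methods declared on the registered object are reachable, and
    // the return value is handed back as-is (a non-JSON Java object would
    // arrive as 'undefined' on the JavaScript side, as jfv describes).
    static Object invoke(Object proxy, String name, Object... args) throws Exception {
        for (Method m : proxy.getClass().getDeclaredMethods()) {
            if (m.getName().equals(name) && m.getParameterCount() == args.length
                    && Modifier.isPublic(m.getModifiers())) {
                return m.invoke(proxy, args);
            }
        }
        throw new NoSuchMethodException(name + " is not exposed by "
            + proxy.getClass().getSimpleName());
    }

    public static void main(String[] args) throws Exception {
        FakePage page = new FakePage();
        AddOnlyFacade facade = new AddOnlyFacade(page);

        // Registering the page exposes application() alongside add/addMore;
        // the facade exposes add/addMore only.
        System.out.println("page exposes:   " + exposedMethods(page));
        System.out.println("facade exposes: " + exposedMethods(facade));

        // Through the page, application() is callable (surface the browser
        // should not have, even if the returned object is unusable to it).
        System.out.println("page.application() -> " + invoke(page, "application"));

        // Through the facade the same call is simply not there.
        try {
            invoke(facade, "application");
        } catch (NoSuchMethodException e) {
            System.out.println("facade: " + e.getMessage());
        }
        System.out.println("facade.add -> " + invoke(facade, "add", "item1"));
    }
}
```

Compile and run with `javac ProxyExposureDemo.java && java ProxyExposureDemo`. The facade pattern is the reviewable unit: anyone reading AddOnlyFacade can see the whole remote surface in a few lines, whereas the surface of a registered page object is whatever its class and superclasses happen to make public.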
Webobjects-dev mailing list (Webobjects-dev@lists.apple.com)