Forum OpenACS Q&A: Response to Bugtraq: cross site scripting

Posted by russ m on
well, here's grant-2.tcl (slightly mangled by <textarea>) -

# packages/acs-core-ui/www/acs_object/permissions/grant-2.tcl

ad_page_contract {

  @creation-date 2000-08-20
  @cvs-id $Id: grant-2.tcl,v 1.2 2001/04/22 16:13:15 stevew Exp $
} {
}
# (the page's parameter block above was lost to the textarea)

# the only access check on the page: caller must hold admin on the object
ad_require_permission $object_id admin

db_exec_plsql grant {
    acs_permission.grant_permission(:object_id, :party_id, 
}
# (the remainder of the grant_permission call was lost to the textarea)

ad_returnredirect "one?[export_url_vars object_id]"

which doesn't seem to require anything more than a valid auth cookie. and having just tried it myself, i can tell you it works.

patching this particular page sequence doesn't however fix the broader problem - a global solution would be preferable to having to code such checks into every page that carries out potentially dangerous operations (and audit that it had been done and done right).

i'm not sure how i'd approach putting together such a global solution, but i'm pretty confident it deserves further thought...
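One shape such a global solution can take, as an added illustration that is not part of the post and not OpenACS code: a single request filter that sits in front of every page and refuses any state-changing request unless it carries a token bound to the caller's session. A page on another site can make a logged-in admin's browser replay the session cookie, but it cannot read or forge the session-bound token, so grant-2 and every page like it is covered without each one being patched and audited separately. The cookie name `ad_session_id`, the parameter name `__csrf_token`, the `Request` type and the `forgery_filter` function are all assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Server-side secret used to derive per-session tokens. Constructed for the
# demo; a real deployment loads it from configuration, never from source.
SERVER_SECRET = b"demo-server-secret-do-not-reuse"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the demo)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def session_token(session_id: str) -> str:
    """Derive the anti-forgery token for one session: HMAC(secret, session id).

    The token is sent to the browser once (in the form the server renders) and
    must come back as a request parameter. A cross-site page can trigger the
    cookie but never sees the token, so it cannot complete the request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_changing(req: Request) -> bool:
    """Anything other than GET is treated as an action; reads need no token."""
    return req.method.upper() != "GET"


def forgery_filter(req: Request) -> tuple[bool, str]:
    """Global check applied to every request before the page runs.

    Returns (allowed, reason). Because the rule keys on the request method and
    the session rather than on the page name, a new action page is protected
    without anyone having to remember to add a check to it.
    """
    if not is_state_changing(req):
        return True, "read-only request"
    sid = req.cookies.get("ad_session_id")
    if sid is None:
        return False, "no session cookie"
    expected = session_token(sid)
    supplied = req.params.get("__csrf_token", "")
    # Constant-time comparison so a wrong token leaks no timing information.
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong anti-forgery token"
    return True, "token ok"


def demo() -> dict:
    """Run the filter over three constructed requests and collect the verdicts."""
    sid = "session-42"
    cookie = {"ad_session_id": sid}
    grant = "/acs_object/permissions/grant-2"
    requests = {
        # Ordinary page view: no token required.
        "view": Request("GET", "/acs_object/permissions/one", cookie, {"object_id": "7"}),
        # A forged cross-site POST: the browser attached the cookie but the
        # attacker's page could not supply the session-bound token.
        "forged_grant": Request("POST", grant, cookie,
                                {"object_id": "7", "party_id": "9"}),
        # The same action submitted from the server-rendered form.
        "legit_grant": Request("POST", grant, cookie,
                               {"object_id": "7", "party_id": "9",
                                "__csrf_token": session_token(sid)}),
    }
    return {name: forgery_filter(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:13s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

In a real deployment the filter registers once at server start and the token is emitted by the form-rendering code, so individual pages never touch it; the per-page `ad_require_permission` check stays as the authorization layer, and the filter adds the missing proof that the request was intentionally submitted by that session.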