Hi,

yesterday I showed a colleague our webapp. He wondered about the "strange" URLs. The next thing he started to notice was that the _k parameter has something linear in it. So he played around entering URLs derived from the URLs he got from a loaded page. After 4 attempts he got the WADispatcherEditor. I was shocked.

The only reason for this I found is that I had this page open in my browser. Otherwise it wouldn't be possible to get a page by guessing the _k parameter, right? Nothing really strange so far. But the _k parameter he used was completely different from the one I had on the Dispatcher Editor.

So I'd like to know a few things:

- how are the _s and _k parameters built? Is it possible to get the same page (stack pointer) with two different _k parameters?
- What is the best way to remove WADispatcherEditor? When I remove it, it still has references and stays as AnObsolete.
- Where is this session protection thing and how do I enable it?

thanks very much,

Norbert

_______________________________________________
Seaside mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
On 5/2/07, Norbert Hartl <[hidden email]> wrote:
> Hi,
>
> yesterday I showed a colleague our webapp. He wondered
> about the "strange" URLs. The next thing he was starting
> to notice that the _k parameter has something linear in
> it. So he played around entering URLs as derivate from the
> URLs he got from a loaded page. After 4 attempts he got
> the WADispatcherEditor. I was shocked.

Are you sure he actually hit upon a valid _k value? There are lots of ways that an invalid one would have brought you by default to a WADispatcherEditor. For example, if the session key were valid, and that was the last page you had seen. Or, if he modified the URL to include /config, where WADispatcherEditor is the root component.

The _k values are WAExternalIDs, which are 64 bit random numbers, generated by the standard Random class. In Squeak that's apparently a Park-Miller generator.

The chances of hitting upon a real _k value should be astronomically low. You would also need to guess the right corresponding _s, which means you're searching through a 128 bit space. On Squeak I've certainly never spotted anything linear in the values, although maybe your friend has an eye for it which I don't.

> But the _k parameter he used was
> completely different to that I had on the Dispatcher Editor.
>
> So I like to know a few things:
>
> - how is the _s and _k parameter build? Is it possible to
> get the same page (stack pointer) with two different
> _k parameters?

Well, sort of. There's a _k for the callback actions, which then immediately gets redirected to a new _k for rendering the page. Either of those will basically get you to the same place. But more to the point, as I mentioned above, if the _k is totally wrong you'll get taken to a default location, which could well have been the WADispatcherEditor.

> - What is the best way to remove WADispatcherEditor. When
> I remove it it still has references and stays as AnObsolete.

You don't need to remove the class, just get rid of the config app. You should be able to do that from within /config itself.

> - Where is this session protection thing and how do I enable
> it.

I don't know, anyone?

Avi
In reply to this post by NorbertHartl
2007/5/2, Norbert Hartl <[hidden email]>:
> Hi,
>
> yesterday I showed a colleague our webapp. He wondered
> about the "strange" URLs. The next thing he was starting
> to notice that the _k parameter has something linear in
> it. So he played around entering URLs as derivate from the
> URLs he got from a loaded page. After 4 attempts he got
> the WADispatcherEditor. I was shocked.
>
> The only reason for this I found is that I had this page
> open in my browser. Otherwise it wouldn't be possible to
> get a page by guessing the _k parameter, right? Nothing
> really strange so far. But the _k parameter he used was
> completely different to that I had on the Dispatcher Editor.
>
> So I like to know a few things:
>
> - how is the _s and _k parameter build? Is it possible to
> get the same page (stack pointer) with two different
> _k parameters?
> - What is the best way to remove WADispatcherEditor. When
> I remove it it still has references and stays as AnObsolete.
> - Where is this session protection thing and how do I enable
> it.

Do you mean WASessionProtector?

> thanks very much,
>
> Norbert
In reply to this post by NorbertHartl
> yesterday I showed a colleague our webapp. He wondered about
> the "strange" URLs. The next thing he was starting to notice
> that the _k parameter has something linear in it. So he
> played around entering URLs as derivate from the URLs he got
> from a loaded page. After 4 attempts he got the
> WADispatcherEditor. I was shocked.

Are you sure it was WADispatcherEditor?

It could also be WADispatcherViewer which happens to be the default entry point in a standard Seaside setup. You are always taken back to the default entry point (if one is defined) when something is wrong in the url.

> - What is the best way to remove WADispatcherEditor. When
> I remove it it still has references and stays as AnObsolete.

Have a look at the method comments in WAComponent class >> isDeployed.
You may also want to disable the default entry point.

HTH
Michel.
In reply to this post by Avi Bryant-2
On Wed, 2007-05-02 at 00:55 -0700, Avi Bryant wrote:
> On 5/2/07, Norbert Hartl <[hidden email]> wrote:
> > Hi,
> >
> > yesterday I showed a colleague our webapp. He wondered
> > about the "strange" URLs. The next thing he was starting
> > to notice that the _k parameter has something linear in
> > it. So he played around entering URLs as derivate from the
> > URLs he got from a loaded page. After 4 attempts he got
> > the WADispatcherEditor. I was shocked.
>
> Are you sure he actually hit upon a valid _k value? There are lots of
> ways that an invalid one would have brought you by default to a
> WADispatcherEditor. For example, if the session key were valid, and
> that was the last page you had seen. Or, if he modified the URL to
> include /config, where WADispatcherEditor is the root component.
>
into the path as the requests are rewritten by apache. I'm not sure he hit an actual _k value (how could I know?).

> The _k values are WAExternalIDs, which are 64 bit random numbers,
> generated by the standard Random class. In Squeak that's apparently a
> Park-Miller generator.
>
> The chances of hitting upon a real _k value should be astronomically
> low. You would also need to guess the right corresponding _s, which
> means you're searching through a 128bit space. On Squeak I've
> certainly never spotted anything linear in the values, although maybe
> your friend has an eye for it which I don't.
>
> > But the _k parameter he used was
> > completely different to that I had on the Dispatcher Editor.
> >
> > So I like to know a few things:
> >
> > - how is the _s and _k parameter build? Is it possible to
> > get the same page (stack pointer) with two different
> > _k parameters?
>
> Well, sort of. There's a _k for the callback actions, which then
> immediately gets redirected to a new _k for rendering the page.
> Either of those will basically get you to the same place. But more to
> the point, as I mentioned above, if the _k is totally wrong you'll get
> taken a default location, which could well have been the
> WADispatcherEditor.
>
> > - What is the best way to remove WADispatcherEditor. When
> > I remove it it still has references and stays as AnObsolete.
>
> You don't need to remove the class, just get rid of the config app.
> You should be able to do that from within /config itself.
>
Yes, I found that myself. I use now:

    "unregister every entry point except our own application"
    d := WADispatcher default.
    d entryPoints keys do: [ :each |
        (each = 'myapp') ifFalse: [ d unregister: (d entryPointAt: each) ] ]

Thanks
Norbert
In reply to this post by NorbertHartl
Also, look at trimForDeployment and isDeployed.
In reply to this post by Philippe Marschall
On Wed, 2007-05-02 at 10:06 +0200, Philippe Marschall wrote:
> 2007/5/2, Norbert Hartl <[hidden email]>:
> > Hi,
> >
> > yesterday I showed a colleague our webapp. He wondered
> > about the "strange" URLs. The next thing he was starting
> > to notice that the _k parameter has something linear in
> > it. So he played around entering URLs as derivate from the
> > URLs he got from a loaded page. After 4 attempts he got
> > the WADispatcherEditor. I was shocked.
> >
> > The only reason for this I found is that I had this page
> > open in my browser. Otherwise it wouldn't be possible to
> > get a page by guessing the _k parameter, right? Nothing
> > really strange so far. But the _k parameter he used was
> > completely different to that I had on the Dispatcher Editor.
> >
> > So I like to know a few things:
> >
> > - how is the _s and _k parameter build? Is it possible to
> > get the same page (stack pointer) with two different
> > _k parameters?
> > - What is the best way to remove WADispatcherEditor. When
> > I remove it it still has references and stays as AnObsolete.
> > - Where is this session protection thing and how do I enable
> > it.
>
> Do you mean WASessionProtector?
>
is sufficient?

Norbert
In reply to this post by NorbertHartl
Yes, you can toggle halos to make sure it's there.
In reply to this post by Bany, Michel
On Wed, 2007-05-02 at 10:14 +0100, Bany, Michel wrote:
> > yesterday I showed a colleague our webapp. He wondered about
> > the "strange" URLs. The next thing he was starting to notice
> > that the _k parameter has something linear in it. So he
> > played around entering URLs as derivate from the URLs he got
> > from a loaded page. After 4 attempts he got the
> > WADispatcherEditor. I was shocked.
>
> Are you sure it was WADispatcherEditor?
>
> It could also be WADispatcherViewer which happens to be the default
> entry point in a standard Seaside setup. You are always taken back to
> the default entry point (if one is defined) when something is wrong in
> the url.
>
DispatchEditor.

> > - What is the best way to remove WADispatcherEditor. When
> > I remove it it still has references and stays as AnObsolete.
>
> Have a look to the method comments in WAComponent class >> isDeployed.
> You may also want to disable the default entry point.
>
Uh, that is good. New things every day. And once more... comments are good if they are read.

Norbert
In reply to this post by NorbertHartl
On 5/2/07, Norbert Hartl <[hidden email]> wrote:
> I was unclear. He just tweaked the last parameter (the &number)

Oh. So you probably had the toolbar enabled (deployment mode was set to false), which means that there was a Configure link sitting there at the bottom of the screen, and all he did was manage to come up with the URL for that link. He could equally well have just clicked it :)

Avi