[mapguide-trac] #1351: CreateSession can generate invalid session ids
MapGuide Open Source
trac_mapguide at osgeo.org
Fri May 7 07:55:32 EDT 2010
#1351: CreateSession can generate invalid session ids
-------------------------+--------------------------------------------------
Reporter: jng | Owner:
Type: defect | Status: new
Priority: low | Milestone:
Component: Map Agent | Version: 2.2.0
Severity: trivial | Keywords:
External_id: |
-------------------------+--------------------------------------------------
The recent security patches for the AJAX viewer imposed the following
pattern restriction on MapGuide session ids:
00000000-0000-0000-0000-000000000000_aa_00000000000000000000
The "aa" component is the locale when the CREATESESSION mapagent call is
made. However, if a custom LOCALE parameter is passed which is not 2
characters (e.g. en-US), then that is actually incorporated into the
generated session id itself, making it unusable when it is passed to the
AJAX viewer.
Attached is a modified mapagent form for the CREATESESSION operation.
Steps to reproduce:
1. Load the modified form
2. Specify a LOCALE greater than 2 characters (e.g. en-US)
3. Invoke the CREATESESSION operation
4. Open any WebLayout using this generated session id
5. You will get an HTTP authentication prompt because the generated id
fails the pattern check.
The LOCALE parameter should either be rejected or validated to ensure it
is 2 characters wide.
--
Ticket URL: <http://trac.osgeo.org/mapguide/ticket/1351>
MapGuide Open Source <http://mapguide.osgeo.org/>