[cl-weblocks-ticket] Re: #45: Don't use gensym for actions to avoid XSS attacks
cl-weblocks
cl-weblocks-devel at common-lisp.net
Mon Aug 6 05:29:34 UTC 2007
#45: Don't use gensym for actions to avoid XSS attacks
------------------------+---------------------------------------------------
Reporter: anonymous | Owner: sakhmechet
Type: defect | Status: closed
Priority: medium | Milestone: 0.1
Component: weblocks | Version: pre-0.1
Resolution: fixed | Keywords: security
------------------------+---------------------------------------------------
Changes (by sakhmechet):
* resolution: => fixed
* status: new => closed
Comment:
Fixed. I implemented approach 3 - action names should now be very hard to
guess. I generate a random block of text, hash it with MD5 (to ensure an
attacker can't crack the random number generator), and prepend a gensym
counter to it (to avoid the very unlikely event of two MD5-encoded action
names clashing in the same session).
--
Ticket URL: <http://trac.common-lisp.net/cl-weblocks/ticket/45>
cl-weblocks <http://common-lisp.net/project/cl-weblocks>
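The scheme described in the comment, written out as an added example (my own code, not weblocks' implementation): a per-session registry whose action names are a counter prefix plus the MD5 hex digest of a random block. It assumes Python's `secrets` module as the random source, since the unpredictability of the name rests entirely on that source, and the registry refuses any name it did not hand out.

```python
import hashlib
import itertools
import secrets


class ActionRegistry:
    """Per-session table mapping an action name to the function it invokes.

    Name layout (as in the ticket): "<counter>-<md5 hex of random block>".
    The counter prefix rules out two names in one session ever colliding;
    the random block is what makes a name unguessable, so it is drawn from
    the OS CSPRNG rather than a plain gensym counter (constructed example).
    """

    def __init__(self, random_bytes=32):
        self._actions = {}
        self._counter = itertools.count()
        self._random_bytes = random_bytes

    def _make_name(self):
        block = secrets.token_bytes(self._random_bytes)  # random block
        digest = hashlib.md5(block).hexdigest()           # 32 hex chars
        return f"action{next(self._counter)}-{digest}"

    def register(self, fn):
        """Store fn under a fresh unguessable name and return that name."""
        name = self._make_name()
        # The counter makes a repeat impossible even if two digests matched.
        assert name not in self._actions
        self._actions[name] = fn
        return name

    def lookup(self, name):
        """Return the registered callable, or None for any unknown name."""
        return self._actions.get(name)

    def __len__(self):
        return len(self._actions)


if __name__ == "__main__":
    registry = ActionRegistry()
    name = registry.register(lambda: "deleted item")
    print(name, "->", registry.lookup(name)())
```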