[Seaside] spooky seaside
norbert at hartl.name
Wed May 2 14:01:08 UTC 2007
On Wed, 2007-05-02 at 00:55 -0700, Avi Bryant wrote:
> On 5/2/07, Norbert Hartl <norbert at hartl.name> wrote:
> > Hi,
> > yesterday I showed a colleague our webapp. He wondered
> > about the "strange" URLs. The next thing he started to
> > notice was that the _k parameter has something linear in
> > it. So he played around entering URLs derived from the
> > URLs he got from a loaded page. After 4 attempts he got
> > the WADispatcherEditor. I was shocked.
> Are you sure he actually hit upon a valid _k value? There are lots of
> ways that an invalid one would have brought you by default to a
> WADispatcherEditor. For example, if the session key were valid, and
> that was the last page you had seen. Or, if he modified the URL to
> include /config, where WADispatcherEditor is the root component.
Yes, I had the page open on my laptop. He couldn't get a /config
into the path as the requests are rewritten by apache. I'm not
sure he hit an actual _k value (how could I know?).
> The _k values are WAExternalIDs, which are 64 bit random numbers,
> generated by the standard Random class. In Squeak that's apparently a
> Park-Miller generator.
> The chances of hitting upon a real _k value should be astronomically
> low. You would also need to guess the right corresponding _s, which
> means you're searching through a 128bit space. On Squeak I've
> certainly never spotted anything linear in the values, although maybe
> your friend has an eye for it which I don't.
I was unclear. He just tweaked the last parameter (the &number)
> > But the _k parameter he used was
> > completely different to that I had on the Dispatcher Editor.
> > So I'd like to know a few things:
> > - how are the _s and _k parameters built? Is it possible to
> > get the same page (stack pointer) with two different
> > _k parameters?
> Well, sort of. There's a _k for the callback actions, which then
> immediately gets redirected to a new _k for rendering the page.
> Either of those will basically get you to the same place. But more to
> the point, as I mentioned above, if the _k is totally wrong you'll get
> taken to a default location, which could well have been the
OK, I'll check that.
> > - What is the best way to remove WADispatcherEditor. When
> > I remove it, it still has references and stays as AnObsolete.
> You don't need to remove the class, just get rid of the config app.
> You should be able to do that from within /config itself.
Yes, I found that myself. I use now:

"unregister every entry point except our own application"
d := WADispatcher default.
d entryPoints keys do: [ :each |
    (each = 'myapp') ifFalse: [
        d unregister: (d entryPointAt: each) ] ].
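The two defensive points raised in this exchange, continuation keys that come from a cryptographic random source rather than a general-purpose generator, and an unknown `_k` that lands on a fixed page instead of "the last page you saw" or a configuration app, are illustrated below in a toy dispatcher. This is an added example written in Python, not Seaside's code; the class and method names (`Dispatcher`, `Session`, `register`, `dispatch`, the `myapp`/`config` entry points and the `myapp/start` landing page) are hypothetical, and it only mimics the `_s`/`_k` URL parameter scheme discussed above.

```python
"""Toy continuation dispatcher modelled on Seaside's _s (session) and
_k (continuation) URL parameters. Hypothetical names throughout; this is
not Seaside's implementation.

Defensive choices shown:
  * _s and _k are 64-bit values from the OS CSPRNG (secrets), not from a
    general-purpose PRNG such as a Park-Miller generator;
  * an unknown _k never resumes the session's last page and never falls
    through to an admin entry point; it lands on a fixed, harmless page;
  * unused entry points (the config app) are unregistered so that no URL
    reaches them at all.
"""
import hmac
import secrets

KEY_BITS = 64


def new_key() -> str:
    """Fresh key from the OS CSPRNG, rendered as 16 hex characters."""
    return secrets.token_hex(KEY_BITS // 8)


class Session:
    def __init__(self):
        self.key = new_key()        # the _s value
        self.continuations = {}     # _k value -> page it renders
        self.last_page = None       # what a naive fallback would reuse

    def register(self, page: str) -> str:
        """Create a continuation for `page` and return its _k value."""
        k = new_key()
        self.continuations[k] = page
        self.last_page = page
        return k

    def lookup(self, k: str):
        """Return the page for _k, or None. Compares in constant time so
        a partially correct guess is not distinguishable by timing."""
        if not isinstance(k, str):
            return None
        wanted = k.encode("utf-8")
        for stored, page in self.continuations.items():
            if hmac.compare_digest(stored.encode("utf-8"), wanted):
                return page
        return None


class Dispatcher:
    SAFE_LANDING = "myapp/start"    # where every unknown _k ends up

    def __init__(self):
        # Hypothetical default install: our app plus a config editor.
        self.entry_points = {"myapp", "config"}
        self.sessions = {}

    def unregister_all_but(self, keep: str) -> None:
        """Mirror of the Smalltalk loop in the mail: drop every entry
        point whose name is not `keep`."""
        self.entry_points = {e for e in self.entry_points if e == keep}

    def new_session(self) -> Session:
        s = Session()
        self.sessions[s.key] = s
        return s

    def dispatch(self, path: str, s=None, k=None):
        """Route a request. Returns (status, page)."""
        if path not in self.entry_points:
            return ("not-found", None)
        session = self.sessions.get(s) if isinstance(s, str) else None
        if session is None:
            # No valid _s: start over at the landing page.
            return ("new-session", self.SAFE_LANDING)
        if k is None:
            return ("ok", self.SAFE_LANDING)
        page = session.lookup(k)
        if page is None:
            # Unknown _k: deliberately ignore session.last_page.
            return ("unknown-k", self.SAFE_LANDING)
        return ("ok", page)


if __name__ == "__main__":
    d = Dispatcher()
    d.unregister_all_but("myapp")
    sess = d.new_session()
    k = sess.register("myapp/edit")
    print(d.dispatch("myapp", sess.key, k))           # ('ok', 'myapp/edit')
    print(d.dispatch("myapp", sess.key, "00" * 8))    # ('unknown-k', 'myapp/start')
    print(d.dispatch("config"))                       # ('not-found', None)
```

Session keys are looked up with an ordinary dictionary; only the per-session `_k` comparison is constant time, which is the comparison an outsider can probe most cheaply once they hold a valid `_s` from a shared page.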