WCF Query Interceptors: Is this MSDN sample a security risk?

Submitted by 喜欢而已 on 2019-12-11 02:36:50

Question


If you look at this MSDN documentation, there is a sample with the following code:

// Define a change interceptor for the Products entity set.
[ChangeInterceptor("Products")]
public void OnChangeProducts(Product product, UpdateOperations operations)
{
    if (operations == UpdateOperations.Add ||
        operations == UpdateOperations.Change)
    {
        // Reject changes to discontinued products.
        if (product.Discontinued)  //<-- IS THIS BASED ON UNVERIFIED CLIENT DATA???
        {
            throw new DataServiceException(400,
                "A discontinued product cannot be modified");
        }
    }
    else if (operations == UpdateOperations.Delete)
    {
        // Block the delete and instead set the Discontinued flag.
        throw new DataServiceException(400,
            "Products cannot be deleted; instead set the Discontinued flag to 'true'");
    }
}

Look at the comment in all CAPS. My question is: "Is that line dependent on client-supplied data... and if so, what can we do to have a secure validation?"


Answer 1:


The change interceptor should get the entity AFTER the modifications from the client were applied to it. So the behavior depends on the provider. If your provider implements this property as read-only (which usually means any updates to it are ignored), then there's no problem with the above check. I do agree the sample could be better in this regard though. Also depending on your provider, if this property is not read-only, you need to ask the provider for the unchanged/previous value. The way to do that depends on the provider. So if it's EF, this is more of an EF question of how to determine the original value of a modified property (the entity instance will be tracked on the current data source).
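A version of the interceptor that follows the answer's advice for the Entity Framework provider, added here as an example and not code from the question, the answer or the MSDN page: for a Change it reads the Discontinued value the context loaded from the store, not the value the client just sent. It assumes an ObjectContext-based data source named NorthwindEntities with a Products entity set and a Product entity whose Discontinued property is a bool; those names are assumptions.

```csharp
// Added example: base the "is discontinued" decision on the persisted value.
// Assumed names: NorthwindEntities (ObjectContext), Products, Product.Discontinued.
using System.Data;
using System.Data.Objects;
using System.Data.Services;

public class ProductsService : DataService<NorthwindEntities>
{
    [ChangeInterceptor("Products")]
    public void OnChangeProducts(Product product, UpdateOperations operations)
    {
        if (operations == UpdateOperations.Delete)
        {
            // Block the delete and instead set the Discontinued flag.
            throw new DataServiceException(400,
                "Products cannot be deleted; instead set the Discontinued flag to 'true'");
        }

        // On Add there is no stored row yet, so the client's own flag is all there is.
        // On Change the client may have sent Discontinued=false to slip past the check,
        // so ask the context for the value it loaded before applying the client's changes.
        bool discontinued = operations == UpdateOperations.Add
            ? product.Discontinued
            : WasDiscontinuedInStore(product);

        if (discontinued)
        {
            throw new DataServiceException(400,
                "A discontinued product cannot be modified");
        }
    }

    // Reads the original (pre-update) value from the entity's state entry.
    private bool WasDiscontinuedInStore(Product product)
    {
        ObjectStateEntry entry;
        bool tracked = CurrentDataSource.ObjectStateManager
            .TryGetObjectStateEntry(product, out entry);

        // OriginalValues is only meaningful for entities loaded from the store;
        // refuse rather than fall back to the client-supplied value.
        if (!tracked || entry.State == EntityState.Added || entry.State == EntityState.Detached)
        {
            throw new DataServiceException(500,
                "Product is not tracked by the context; cannot verify Discontinued");
        }

        int ordinal = entry.OriginalValues.GetOrdinal("Discontinued");
        return entry.OriginalValues.GetBoolean(ordinal);
    }
}
```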



Source: https://stackoverflow.com/questions/4150669/wcf-query-interceptors-is-this-msdn-sample-a-security-risk
