WCF Query Interceptors: Is this MSDN sample a security risk?


Problem description

If you look at this MSDN documentation there is a sample with the following code:

// Define a change interceptor for the Products entity set.
[ChangeInterceptor("Products")]
public void OnChangeProducts(Product product, UpdateOperations operations)
{
    if (operations == UpdateOperations.Add ||
       operations == UpdateOperations.Change)
    {
        // Reject changes to discontinued products.
        if (product.Discontinued)  //<-- IS THIS BASED ON UNVERIFIED CLIENT DATA???
        {
            throw new DataServiceException(400,
                        "A discontinued product cannot be modified");
        }
    }
    else if (operations == UpdateOperations.Delete)
    {
        // Block the delete and instead set the Discontinued flag.
        throw new DataServiceException(400, 
            "Products cannot be deleted; instead set the Discontinued flag to 'true'"); 
    }
}

Look at the comment in all CAPS. My question is: "Is that line dependent on client supplied data... and if so, what can we do to have a secure validation"?

Recommended answer

The change interceptor should get the entity AFTER the modifications from the client were applied to it. So the behavior depends on the provider. If your provider implements this property as read-only (which usually means any updates to it are ignored), then there's no problem with the above check. I do agree the sample could be better in this regard though. Also depending on your provider, if this property is not read-only, you need to ask the provider for the unchanged/previous value. The way to do that depends on the provider. So if it's EF, this is more of an EF question how to determine the original value of a modified property (The entity instance will be tracked on the current data source).
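One way to apply the answer's advice for the Entity Framework provider, as an added example that is not from the question, the answer or the MSDN sample: it assumes the service's context is an EF ObjectContext named NorthwindEntities (the MSDN sample's name, not on this page) and that the Product passed to the interceptor is attached to CurrentDataSource, so the ObjectStateManager can report the Discontinued value as loaded from the store rather than the value the client sent.

```csharp
using System;
using System.Data;            // EntityState
using System.Data.Objects;    // ObjectContext, ObjectStateEntry (EF 4/5 on .NET 4)
using System.Data.Services;

// Assumed: NorthwindEntities is the EF ObjectContext behind this service and
// Product exposes a bool Discontinued property (as in the MSDN sample).
public class NorthwindService : DataService<NorthwindEntities>
{
    [ChangeInterceptor("Products")]
    public void OnChangeProducts(Product product, UpdateOperations operations)
    {
        if (operations == UpdateOperations.Delete)
        {
            throw new DataServiceException(400,
                "Products cannot be deleted; instead set the Discontinued flag to 'true'");
        }

        if (operations == UpdateOperations.Change)
        {
            // The interceptor runs after the client's payload has been applied, so
            // product.Discontinued may already hold whatever the client sent.
            // Check the value the provider read from the database instead.
            if (WasDiscontinuedBeforeThisRequest(product))
            {
                throw new DataServiceException(400,
                    "A discontinued product cannot be modified");
            }
        }
        // For Add there is no stored row to compare against; whether a new product
        // may be created already discontinued is a plain business rule on the payload.
    }

    private bool WasDiscontinuedBeforeThisRequest(Product product)
    {
        ObjectStateEntry entry;
        if (!CurrentDataSource.ObjectStateManager.TryGetObjectStateEntry(product, out entry)
            || entry.State == EntityState.Added)
        {
            // Not tracked as an existing row: fail closed rather than trust the payload.
            throw new DataServiceException(500, "Unable to verify the product's stored state");
        }

        // OriginalValues holds the values as loaded from the store, before the
        // client's changes were applied to the tracked entity.
        return (bool)entry.OriginalValues["Discontinued"];
    }
}
```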

