Changeset 374 for trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy

Timestamp:

Apr 23, 2010, 11:02:31 AM (9 years ago)

Author:

duh

Message:

• added crypto plugin
• implemented blowfish encryption in Wizard Tag Library
• implemented blowfish descryption in TemplateEditorController?
• added shared secret configuration to Config.groovy

File:

• trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy (modified) (2 diffs)

trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy

@@ -16 +16 @@
 import dbnp.data.*
 import dbnp.studycapturing.*
+import cr.co.arquetipos.crypto.Blowfish
 
 class TemplateEditorController {
@@ -26 +27 @@
                 if (params.entity) {
                         // decode entity get parameter
-                        entity = new String(params.entity.toString().decodeBase64())
+                        if (grailsApplication.config.crypto) {
+                                // generate a Blowfish encrypted and Base64 encoded string.
+                                entity = Blowfish.decryptBase64(
+                                        params.entity,
+                                        grailsApplication.config.crypto.shared.secret
+                                )
+                        } else {
+                                // base64 only; this is INSECURE! Even though it is not
+                                // very likely, it is possible to exploit this and have
+                                // Grails dynamically instantiate whatever class you like.
+                                // If that constructor does something harmfull this could
+                                // be dangerous. Hence, use encryption (above) instead...
+                                entity = new String(params.entity.toString().decodeBase64())
+                        }
                 }