- Timestamp:
- Apr 23, 2010, 11:02:31 AM (9 years ago)
- File:
-
- 1 edited
trunk/grails-app/controllers/dbnp/studycapturing/TemplateEditorController.groovy
r373 r374 16 16 import dbnp.data.* 17 17 import dbnp.studycapturing.* 18 import cr.co.arquetipos.crypto.Blowfish 18 19 19 20 class TemplateEditorController { … … 26 27 if (params.entity) { 27 28 // decode entity get parameter 28 entity = new String(params.entity.toString().decodeBase64()) 29 if (grailsApplication.config.crypto) { 30 // generate a Blowfish encrypted and Base64 encoded string. 31 entity = Blowfish.decryptBase64( 32 params.entity, 33 grailsApplication.config.crypto.shared.secret 34 ) 35 } else { 36 // base64 only; this is INSECURE! Even though it is not 37 // very likely, it is possible to exploit this and have 38 // Grails dynamically instantiate whatever class you like. 39 // If that constructor does something harmfull this could 40 // be dangerous. Hence, use encryption (above) instead... 41 entity = new String(params.entity.toString().decodeBase64()) 42 } 29 43 } 30 44
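Review bot: The else branch (new lines 35-42) still decodes a base64-only params.entity whenever grailsApplication.config.crypto is unset, so the dynamic class instantiation risk that its own comment describes stays reachable on any deployment without that config; consider rejecting the request there instead of falling back to the old behaviour. The guard on new line 29 tests config.crypto, while the call on new line 33 reads config.crypto.shared.secret, so the condition should check the secret itself. Nothing in the visible lines validates entity after either branch; comparing it against the known set of template entity classes before it is used would cover both paths. The comment on new line 30 says "generate a Blowfish encrypted and Base64 encoded string" although the code decrypts, and "harmfull" on new line 39 should be "harmful".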