Changeset 374 for trunk/grails-app/taglib

Timestamp:

Apr 23, 2010, 11:02:31 AM (11 years ago)

Author:

duh

Message:

• added crypto plugin
• implemented blowfish encryption in Wizard Tag Library
• implemented blowfish descryption in TemplateEditorController?
• added shared secret configuration to Config.groovy

File:

• trunk/grails-app/taglib/dbnp/studycapturing/WizardTagLib.groovy (modified) (2 diffs)

trunk/grails-app/taglib/dbnp/studycapturing/WizardTagLib.groovy

@@ -4 +4 @@
 import dbnp.studycapturing.*
 import dbnp.data.*
+import cr.co.arquetipos.crypto.Blowfish
 
 /**
@@ -564 +565 @@
                 def entity = attrs.remove('entity')
 
-                // add the entity class name to the element as
-                // a base64 encoded string.
-                // TODO: encrypt this, instead of using base64!
-                //       As this class is instantiated elsewhere
-                //       this is a security hazard!
-                //               @see TemplateEditorController
-                attrs['entity'] = entity.toString().replaceAll(/^class /,'').bytes.encodeBase64()
+                // add the entity class name to the element
+                // do we have crypto information available?
+                if (grailsApplication.config.crypto) {
+                        // generate a Blowfish encrypted and Base64 encoded string.
+                        attrs['entity'] = Blowfish.encryptBase64(
+                                entity.toString().replaceAll(/^class /, ''),
+                                grailsApplication.config.crypto.shared.secret
+                        )
+                } else {
+                        // base64 only; this is INSECURE! As this class
+                        // is instantiated elsewehere. Possibly exploitable!
+                        attrs['entity'] = entity.toString().replaceAll(/^class /, '').bytes.encodeBase64()
+                }
 
                 // fetch templates