id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc
2038,Taglibs in web client may leak information,Nicklas Nordborg,Nicklas Nordborg,"I am not sure how critical this is, but some taglibs used by the BASE web client have instance variables that are automatically set in some circumstances but never touched in other cases. Since taglib instances are re-used this may cause information to leak from one usage of a taglib to another. An example: The [source:/branches/3.9-stable/src/clients/web/net/sf/basedb/clients/web/taglib/Page.java ] taglib is used on almost all pages in the web client. If there are skin extensions installed the `skinContext` variable is initialized unless the `noskin` attribute is set. If a page is setting `noskin=false` a new skin context is not created, but if there is an existing instance it will not be cleared. This instance may belong to another user that just happens to be logged in at the same time. Since the `SessionControl` is accessible from the `skinContext` variable there is a risk that the session control for the other user is leaked to a different user. A malicious page may use this to get hold of a session control belonging to a server administrator and then do bad stuff. Well, the main risk is that we are mixing up session controls in our own code and that users suddenly can access information that they would normally not be able to. It should be relatively easy to fix this kind of problem by making sure that sensitive instance variables are reset in the `setPageContext()` method that is always called before using a taglib for a new page request.",defect,closed,major,BASE 3.10,web,,fixed,,