If you look at this MSDN documentation and the code sample below (WCF Data Services change interceptors): is there a security risk in this MSDN sample?
```csharp
// Define a change interceptor for the Products entity set.
[ChangeInterceptor("Products")]
public void OnChangeProducts(Product product, UpdateOperations operations)
{
    if (operations == UpdateOperations.Add ||
        operations == UpdateOperations.Change)
    {
        // Reject changes to discontinued products.
        if (product.Discontinued) //<-- IS THIS BASED ON UNVERIFIED CLIENT DATA???
        {
            throw new DataServiceException(400,
                "A discontinued product cannot be modified");
        }
    }
    else if (operations == UpdateOperations.Delete)
    {
        // Block the delete and instead set the Discontinued flag.
        throw new DataServiceException(400,
            "Products cannot be deleted; instead set the Discontinued flag to 'true'");
    }
}
```
See the all-caps comment. My question is: "Does this line rely on data supplied by the client... and if so, what can we do to validate it securely?"
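One way to make the check independent of whatever the client sent is to read the persisted row inside the interceptor and decide from that. This is an added example, not the MSDN sample or an answer from the thread; the service type `NorthwindService`, the Entity Framework context `NorthwindEntities`, and the key `ProductID` are assumptions.

```csharp
// Added example (not from the MSDN page): decide "discontinued" from the stored row
// rather than from the entity instance the client submitted.
// Assumes a DataService<NorthwindEntities> whose Products set is keyed by ProductID.
using System.Data.Services;
using System.Linq;

public partial class NorthwindService : DataService<NorthwindEntities>
{
    [ChangeInterceptor("Products")]
    public void OnChangeProducts(Product product, UpdateOperations operations)
    {
        if (operations == UpdateOperations.Delete)
        {
            throw new DataServiceException(400,
                "Products cannot be deleted; instead set the Discontinued flag to 'true'");
        }

        if (operations == UpdateOperations.Change)
        {
            // A scalar projection is evaluated by the database, so the result is the
            // stored flag and not the already-modified entity tracked by the context.
            bool storedDiscontinued = CurrentDataSource.Products
                .Where(p => p.ProductID == product.ProductID)
                .Select(p => p.Discontinued)
                .SingleOrDefault();

            if (storedDiscontinued)
            {
                throw new DataServiceException(400,
                    "A discontinued product cannot be modified");
            }
        }
        else if (operations == UpdateOperations.Add && product.Discontinued)
        {
            // On Add there is no stored row yet; the client's own flag is the only
            // value available, so apply whatever business rule fits for new rows.
            throw new DataServiceException(400,
                "A new product cannot be created as discontinued");
        }
    }
}
```

The interceptor runs before `SaveChanges`, so the lookup sees the row as it was before this request; whether a client may also clear the flag on a stored product is a separate rule to decide explicitly.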
Thanks for reporting a possible issue in the documentation! – 2010-11-11 07:07:18