[Zope-Checkins] CVS: Zope/lib/python/webdav - LockItem.py:1.4.2.2

Andreas Jung andreas@digicool.com
Wed, 9 Jan 2002 13:33:09 -0500


Update of /cvs-repository/Zope/lib/python/webdav
In directory cvs.zope.org:/tmp/cvs-serv21326/python/webdav

Modified Files:
      Tag: Zope-2_5-branch
	LockItem.py 
Log Message:
Added additional protection for webdav clients sending
a 'lockdiscovery' request without proper authorization. This fix checks
the authenticated user against the lock owner. If they don't match,
Zope will send a faked token back. This protection is mainly necessary
to protect Zope against the 'steal' command of cadaver.


=== Zope/lib/python/webdav/LockItem.py 1.4.2.1 => 1.4.2.2 ===
         return self._lockscope
 
-    def asLockDiscoveryProperty(self, ns='d'):
+    def asLockDiscoveryProperty(self, ns='d',fake=0):
+
+        if fake: token = 'this-is-a-faked-no-permission-token'
+        else:    token = self._token
         s = (' <%(ns)s:activelock>\n'
              '  <%(ns)s:locktype><%(ns)s:%(locktype)s/></%(ns)s:locktype>\n'
              '  <%(ns)s:lockscope><%(ns)s:%(lockscope)s/></%(ns)s:lockscope>\n'
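
Review bot: In the new signature `asLockDiscoveryProperty(self, ns='d',fake=0)`, the default `fake=0` makes the protection opt-in, so any caller that does not pass `fake` still receives `self._token`. The comparison of the authenticated user against the lock owner described in the log message is not part of this hunk, so the call sites need to be reviewed alongside it to confirm every lockdiscovery path sets the flag for non-owners. Consider a docstring that states this contract, or passing the requesting user in and deciding inside the method so the default cannot disclose the token. Style: add a space after the comma in the signature and put the `if`/`else` bodies on their own lines.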
@@ -160,11 +163,17 @@
                'depth': self._depth,
                'owner': self._owner,
                'timeout': self.getTimeoutString(),
-               'locktoken': self._token,
+               'locktoken': token,
                }
         return s
 
     def asXML(self):
+        import traceback
+        try:
+            a=1/0
+        except:
+            traceback.print_exc() 
+
         s = """<?xml version="1.0" encoding="utf-8" ?>
 <d:prop xmlns:d="DAV:">
  <d:lockdiscovery>
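
Review bot: The lines added at the top of `asXML` (`import traceback` through `traceback.print_exc()`) look like leftover debugging: `a=1/0` raises a ZeroDivisionError on purpose, and the bare `except:` prints a traceback on every call. This has no part in the token protection described in the log message and should be removed before it stays on Zope-2_5-branch. The `'locktoken': token` change earlier in this hunk is consistent with the new `fake` parameter.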