[Zope-Checkins] SVN: Zope/branches/2.10/ Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.

Tres Seaver tseaver at palladion.com
Wed Mar 21 10:48:31 EDT 2007


Log message for revision 73423:
  Issue #2294:  'requestmethod' protection for DOS-able ControlPanel methods.

Changed:
  U   Zope/branches/2.10/doc/CHANGES.txt
  U   Zope/branches/2.10/lib/python/App/ApplicationManager.py

-=-
Modified: Zope/branches/2.10/doc/CHANGES.txt
===================================================================
--- Zope/branches/2.10/doc/CHANGES.txt	2007-03-21 14:37:27 UTC (rev 73422)
+++ Zope/branches/2.10/doc/CHANGES.txt	2007-03-21 14:48:31 UTC (rev 73423)
@@ -8,10 +8,14 @@
 
     Bugs fixed
 
-      - Protected various security mutators with a new postonly decorator.
-        The decorator limits method publishing to POST requests only, and
-        is a backport from Zope 2.11's requestmethod decorator factory.
+      - Collector #2294: Protected DOS-able ControlPanel methods with the
+        same 'requestmethod' wrapper.
 
+      - Collector #2294: Protected various security mutators with a new
+        'postonly' decorator.  The decorator limits method publishing to
+        POST requests only, and is a backport from Zope 2.11's requestmethod
+        decorator factory.
+
       - Collector #2289: restored compatibility with PTProfiler
     
       - No longer opens a zodb connection every time a ProductDispatcher
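Review bot: The new first entry says "the same 'requestmethod' wrapper" before the entry that introduces the wrapper, and the code in this commit applies `postonly`, not `requestmethod`; consider swapping the two entries and naming the decorator actually used, e.g. "Protected DOS-able ControlPanel methods (restart, shutdown, pack, version commit/discard) with the same 'postonly' decorator."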

Modified: Zope/branches/2.10/lib/python/App/ApplicationManager.py
===================================================================
--- Zope/branches/2.10/lib/python/App/ApplicationManager.py	2007-03-21 14:37:27 UTC (rev 73422)
+++ Zope/branches/2.10/lib/python/App/ApplicationManager.py	2007-03-21 14:48:31 UTC (rev 73423)
@@ -30,6 +30,7 @@
 from version_txt import version_txt
 from cStringIO import StringIO
 from AccessControl import getSecurityManager
+from AccessControl.requestmethod import postonly
 from zExceptions import Redirect
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from cgi import escape
@@ -388,6 +389,7 @@
 
     if os.environ.has_key('ZMANAGED'):
         manage_restartable=1
+        @postonly
         def manage_restart(self, URL1):
             """Shut down the application"""
             try:
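Review bot: `manage_restart(self, URL1)` is decorated with `@postonly` but keeps a signature with no `REQUEST` parameter, whereas `manage_shutdown` in the next hunk gains `REQUEST=None` alongside the same decorator, presumably because the wrapper needs a `REQUEST` argument to inspect. If that is the case this method should get `REQUEST=None` too; since this definition only exists when `ZMANAGED` is set in the environment, a failure here would not show up in an ordinary start-up or test run, so it is worth exercising with `ZMANAGED` set.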
@@ -403,7 +405,8 @@
             <body>Zope is restarting</body></html>
             """ % escape(URL1, 1)
 
-    def manage_shutdown(self):
+    @postonly
+    def manage_shutdown(self, REQUEST=None):
         """Shut down the application"""
         try:
             user = '"%s"' % getSecurityManager().getUser().getUserName()
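Review bot: Adding `REQUEST=None` to `manage_shutdown` is what lets the decorator see the request, but note what `postonly` buys: it stops the method from being triggered by a plain GET (a link, an `<img>` source, a prefetch), which is the DOS vector in the issue title; it does not by itself prevent a cross-site form POST, so any management form that calls this should still be considered for an authenticator token. Worth a sentence in CHANGES.txt so the scope of the fix is not overstated.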
@@ -418,6 +421,7 @@
         <body>Zope is shutting down</body></html>
         """
 
+    @postonly
     def manage_pack(self, days=0, REQUEST=None):
         """Pack the database"""
 
@@ -472,6 +476,7 @@
             r.append({'id': v})
         return r
 
+    @postonly
     def manage_saveVersions(self, versions, REQUEST=None):
         "Commit some versions"
         db=self._p_jar.db()
@@ -480,6 +485,7 @@
         if REQUEST is not None:
             REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
 
+    @postonly
     def manage_discardVersions(self, versions, REQUEST=None):
         "Discard some versions"
         db=self._p_jar.db()
