[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Wed, 10 Apr 2002 18:06:02 +0200


Lennart Regebro wrote:
> From: "Oliver Bleutgen" <myzope@gmx.net>
> 
>>I think zope's management methods (the potentially destructive ones) 
>>should not accept REQUESTs with REQUEST_METHOD "GET".
>>
> 
> Do you have any proposal for how to go about doing this?


Well, I don't see how one could do that systematically, by what I mean 
doing it on a single point and be done for all methods.
I am not too intimate with the deeper innards of zope (ZPublisher & ZODB 
etc.), but I suspect it would be nearly impossible to decide, in a sane 
way, what would constitute an active (i.e. destructive or constructve) 
method.
A method that causes a write to the ZODB? No, that wouldn't fly.

I was thinking more of something like adding the checks individually to 
each method in stock zope for which it is appropriate.

Brian is of course right in his other mail by stating that this might 
and will break custom products which use the wrong method, but I 
wouldn't call a global s/method='GET'/method='POST'/g ( SCNR ;-) ) a 
code audit. It might be also made customizable via a command line switch 
to z2.py in the beginning, with default to off.

cheers,
oliver