[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Wed, 10 Apr 2002 19:14:14 +0200


Lennart Regebro wrote:
> From: "Oliver Bleutgen" <myzope@gmx.net>
> 
>>I was thinking more of something like adding the checks individually to
>>each method in stock zope for which it is appropriate.
>>
>>Brian is of course right in his other mail by stating that this might
>>and will break custom products which use the wrong method, but I
>>wouldn't call a global s/method='GET'/method='POST'/g ( SCNR ;-) ) a
>>code audit. It might be also made customizable via a command line switch
>>to z2.py in the beginning, with default to off.
>>
> 
> This would be a huge task. My gut feeling is that it is a lot of work for
> very little benefit, although I don't really have any arguments to back that
> up with.

Would it really be a huge task? Wouldn't we just have to find all 
methods which are callable through the web and add two maybe three 
identical lines of code right at the beginning?

Something like (sorry for the wrapping)
if REQUEST and REQUEST.has_key('REQUEST_METHOD') and \
        REQUEST['REQUEST_METHOD'] != 'POST':
    raise APPROPRIATE_ERROR("Appropriate message")

cheers,
oliver
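The per-method check sketched above, worked out as an added example (this is not code from the thread or from Zope itself). It wraps the three-line test in a decorator so it can be stamped onto each web-callable, state-changing method, and exercises it against the "client-side trojan" case: a link or <img src> that the victim's browser follows with GET. A plain dict stands in for Zope's REQUEST object, and the exception class, the decorator name, the Folder class and its manage_delObjects method are all assumptions made for the illustration.

```python
# Added example: a reusable "POST only" guard for web-callable methods.
# Illustrative code written for this page, not Zope's own. MethodNotAllowed,
# post_only, Folder and manage_delObjects are assumed names; a plain dict
# stands in for Zope's REQUEST object.
import inspect
from functools import wraps


class MethodNotAllowed(Exception):
    """Assumed error type: a state-changing method was reached via a
    verb other than POST."""


def post_only(func):
    """Decorator applying the thread's check to one web-callable method.

    Semantics are kept identical to the proposed three lines: no REQUEST
    (an internal Python call) passes, a REQUEST lacking REQUEST_METHOD
    passes, and any verb other than POST is refused before the body runs.
    """
    sig = inspect.signature(func)

    @wraps(func)
    def wrapper(*args, **kwargs):
        # Find REQUEST whether it was passed positionally or by keyword.
        REQUEST = sig.bind(*args, **kwargs).arguments.get('REQUEST')
        if REQUEST and 'REQUEST_METHOD' in REQUEST \
                and REQUEST['REQUEST_METHOD'] != 'POST':
            raise MethodNotAllowed(
                "%s must be called with POST, not %s"
                % (func.__name__, REQUEST['REQUEST_METHOD']))
        return func(*args, **kwargs)
    return wrapper


class Folder:
    """Stand-in for a Zope container holding the objects a trojan link
    would try to delete."""

    def __init__(self, objects):
        self.objects = dict(objects)

    @post_only
    def manage_delObjects(self, ids=(), REQUEST=None):
        """Delete the named objects; returns the ids actually removed."""
        removed = [i for i in ids if i in self.objects]
        for i in removed:
            del self.objects[i]
        return removed

    def list_ids(self, REQUEST=None):
        """Read-only view: deliberately not guarded, GET is appropriate."""
        return sorted(self.objects)


def demo():
    """Exercise the guard with constructed requests; returns a summary."""
    folder = Folder({'index_html': 'page', 'secret': 'data'})
    results = {}
    # 1. Trojan case: the victim's browser follows a crafted link with GET.
    try:
        folder.manage_delObjects(['secret'],
                                 REQUEST={'REQUEST_METHOD': 'GET'})
        results['get'] = 'allowed'
    except MethodNotAllowed:
        results['get'] = 'refused'
    # 2. The legitimate management form submits with POST.
    results['post'] = folder.manage_delObjects(
        ['secret'], REQUEST={'REQUEST_METHOD': 'POST'})
    # 3. Internal call from Python code, no REQUEST at all: passes through.
    results['internal'] = folder.manage_delObjects(['index_html'])
    # Read-only methods keep answering GET.
    results['remaining'] = folder.list_ids(REQUEST={'REQUEST_METHOD': 'GET'})
    return results


if __name__ == '__main__':
    print(demo())
```

Two caveats a practitioner would want next to this. First, as the quoted mail already notes, stock management screens and third-party products that reach these methods through plain links will break the moment the guard is added, so the audit step is finding every such caller, not just every callee. Second, requiring POST only stops the cheap trojan (a link or image tag); an attacker page can still auto-submit a hidden form with POST, so this check narrows the attack rather than closing it.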