[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Thu, 11 Apr 2002 18:53:54 +0200


Casey Duncan wrote:
[SNIP]
> 
> Also, are we talking about only fixing the "action on GET" for the ZMI 
> or for all Zope apps? If the answer is "Just the ZMI" then we are 
> talking about doing something that has not been done before: Making the 
> ZMI different from all other Zope apps. If the answer is "All Zope Apps" 
> then I fear you have just broken every Zope app I have ever seen 8^).

But as I read here it is planned for Zope3 to change the ZMI anyway, 
which will at least break the look&feel of any zope app which integrates 
with the ZMI, and therefore will make the ZMI different from zope apps. 
I guess there might be more breakage. So sometime in the future 
application writers will have to upgrade their apps anyway. And Tob
As I understand Toby's proposal, you have to explicitly declare if your 
method can only be invoked via POST, not the other way around. So it's 
optional for the applications, as long as they don't pass the 
"GET-polluted" REQUEST to ZMI methods.


> 
> If I were to implement this, a very simple approach seems attractive: 
> Lock the ZODB on GET requests so that no transactions can be committed. 
> However, I'm not sure I want to go there.

No, I would like the application writer to be able to write "unsafe" 
methods. It's also quite a mess today (at least IMO) how version cookies 
are capable of messing around with the ZODB in surprising and (IMO) 
unwanted ways.

I may have some strong feelings about this security stuff, but it's not 
too hard to give a scenario where zope's promiscuity in this respect can 
have really ugly effects - and it doesn't need much imagination.
With the implementation of Toby's proposal (barring the dtml-var thing, 
which isn't needed for that, as far as I see), one could at least be 
secure when javascript is disabled.
Maybe browser writers one day will wake up and also follow the 
recommendations of the rfc, then zope will be there already.

Ok, my knowledge of zope's innards stops quite before ZPublisher comes 
into play, not to talk about Zope 3, but I'm willing to offer help where 
it's possible. What can I do now?


cheers,
oliver
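The mechanism under discussion (a method explicitly declared as POST-only, with the publisher refusing to run it on a GET, while undeclared methods keep working as before) as an added illustration that is not part of the original thread, Toby's proposal or Zope's ZPublisher. The `post_only` decorator, the `Request` and `Folder` classes and the `publish` function are all assumed names for this sketch:

```python
"""Sketch of a 'POST-only' declaration for state-changing methods.

Added example, not Zope code: a decorator marks a method as requiring
POST, and a minimal publisher refuses to call such a method on GET, so
a link or <img src="..."> smuggled into a page cannot trigger it.
Methods without the mark are published exactly as before, which is the
"optional for the applications" property discussed above.
"""


class MethodNotAllowed(Exception):
    """Raised when a POST-only method is invoked via another HTTP method."""


def post_only(func):
    """Declare that `func` mutates state and may only be published via POST."""
    func.__post_only__ = True
    return func


class Request:
    """Minimal stand-in for a publisher request (hypothetical, not ZPublisher)."""

    def __init__(self, method, form=None):
        self.method = method.upper()
        self.form = form or {}


class Folder:
    """Toy content object with one safe (read-only) and one unsafe method."""

    def __init__(self):
        self.items = []

    def index_html(self, request):
        # Read-only, so safe to invoke via GET; no declaration needed.
        return "items: " + ", ".join(self.items)

    @post_only
    def manage_addItem(self, request):
        # Mutates state: must not run from a GET, whatever page triggered it.
        self.items.append(request.form["id"])
        return "added %s" % request.form["id"]


def publish(obj, name, request):
    """Look up `name` on `obj` and call it, enforcing the POST-only declaration."""
    method = getattr(obj, name)
    if getattr(method, "__post_only__", False) and request.method != "POST":
        raise MethodNotAllowed("%s requires POST, got %s" % (name, request.method))
    return method(request)


if __name__ == "__main__":
    # Constructed requests: a harmless read, a legitimate form POST, and a
    # GET aimed at the unsafe method, which the publisher must reject.
    folder = Folder()
    print(publish(folder, "index_html", Request("GET")))
    print(publish(folder, "manage_addItem", Request("POST", {"id": "a"})))
    try:
        publish(folder, "manage_addItem", Request("GET", {"id": "b"}))
    except MethodNotAllowed as exc:
        print("refused:", exc)
    print(folder.items)
```

The check lives in the publisher rather than in each method, so application code only has to add the declaration to the methods that change state; everything else, including existing apps that never add it, is published unchanged.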