small summary and big plea was:(Re: [Zope-dev] Versions: should they die?)

Dieter Maurer dieter@handshake.de
Fri, 6 Jun 2003 20:35:38 +0200


Oliver Bleutgen wrote at 2003-6-6 11:46 +0200:
 > ...
 > Bad properties of this implementation:
 > 
 > 1. The "Join/Leave Versions" permission doesn't secure entering versions
 > 2. Zope doesn't care if a corresponding Version instance to the value 
 > of REQUEST['Zope-Version'] exists, more exactly, Zope doesn't care for 
 > the value of that Zope-Version variable at all.
 > 3. And (minor problem, but whatever), since Zope relies completely on 
 > the browser to send cookies only at the right time (i.e. that the path set 
 > for the cookie must match a prefix of the request-URI), this might 
 > also give unexpected results with acquisition.
 > 
 > 
 > Security implications:
 > 
 > Doh, anybody who can read/write to a zope server can get it to 
 > read/write from/to any version he likes, and the admin has no way of 
 > anticipating that short of patching zope. Combine that with sites like 
 > squishdot, collector.zope.org and you get chaos.
 > 
 > Big plea:
 > 
 > Really, this _is_ a security bug, and it should be handled that way and 
 > fixed in 2.6.2 by any means, so that all(!) bad properties I listed 
 > above are gone.

1. is difficult to change.

   If we had a post-authentication hook (a hook called by
   ZPublisher after authentication has been done),
   then we could check in this hook that the user has
   the right to enter the version.

   Such a hook would be extremely helpful for other applications,
   too.

2. would be easy to fix. I already posted an outline for the check.

3. is already implemented correctly (I think).


Dieter
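
Added illustration, not part of the original message and not Zope or ZPublisher code: a self-contained model of the two checks discussed for points 1 and 2, run after authentication. Every class and function name here is hypothetical; only the permission name and the `Zope-Version` variable come from the thread, and falling back to "no version" on failure is an assumption.

```python
# Self-contained model; NOT Zope or ZPublisher code. All names are hypothetical.
from dataclasses import dataclass, field

JOIN_LEAVE = "Join/Leave Versions"   # permission name quoted in the thread
COOKIE = "Zope-Version"              # request variable quoted in the thread


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


@dataclass
class Request:
    path: str            # request-URI path
    cookies: dict        # entirely client-controlled
    user: User = None    # filled in once authentication has run


class VersionStore:
    """Constructed stand-in for the Version instances that exist on the server."""
    def __init__(self, version_ids):
        self._ids = set(version_ids)

    def exists(self, version_id):
        return version_id in self._ids


def naive_version(request):
    """Behaviour criticised in the thread: the cookie value is used as sent."""
    return request.cookies.get(COOKIE, "")


def effective_version(request, store):
    """Post-authentication check; returns the version to use, '' for none."""
    wanted = request.cookies.get(COOKIE, "")
    if not wanted:
        return ""
    # Point 2: the value must name a Version instance that actually exists.
    if not store.exists(wanted):
        return ""
    # Point 1: the authenticated user must hold the Join/Leave permission.
    if request.user is None or JOIN_LEAVE not in request.user.permissions:
        return ""
    return wanted
```

The permission test can only run once the user is known, which is why the message asks for a hook called after authentication.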