[Zope] Security doubt
Oliver Bleutgen
myzope@gmx.net
Sat, 07 Jun 2003 00:58:05 +0200
Vladimir Petrovic wrote:
> On Friday 06 June 2003 21:36, Jamie Heilman wrote:
>
>
>>>Common wisdom seems to be to filter out .*manage.* requests in
>>>apache (search the mailing lists for that).
>>
>>Sadly if you want 100% coverage filtering on 'manage' alone won't cut
>>it thanks to
>>a) management interfaces that don't use manage anywhere
>> in the name like ZCacheable_*
>>b) type coercion done through POST requests which seems basically
>> impossible to filter out using apache
>>
>>Zope will have to be patched or a new product will have to be written
>>to enforce secure management.
>
>
> There is also a possibility of filtering authentication field when HTTP
> request passes through reverse proxy.
>
> I think that Apache doesn't suport this, but using rewrite rule it is possible
> to return unauthorized or forbidden if request contains authentication
> header. This shouldn't be a problem (if this level of security is really
> required) since browsers shouldn't send this header anyway if they haven't
> received unauthorized response and user has entered username/password.
Uhm, but at that moment it's too late, because the username and the
password have already traveled the wire in clear test, isn't it?
cheers,
oliver