[Zope] taking ownership requires HTTP_REFERER; and more

Dieter Maurer dieter at handshake.de
Wed Sep 15 15:03:38 EDT 2004


Fred Yankowski wrote at 2004-9-14 17:36 -0500:
> ...
>So I logged in to the ZMI as a non-admin Manager user and tried to
>take ownership of the portal_skins folder (and all content below it).
>That resulted in Insufficient Privileges too.  The error_log entry had
>this:
>
>    Unauthorized: manage_takeOwnership was called from an invalid context
>
>That method requires the HTTP_REFERER value from the request to do its
>work.  (Why?  Is that really to be trusted?)  I typically access sites
>via a proxy (junkbuster) that removes the HTTP_REFERER header and so I
>was hosed.

A long time ago,
there was a discussion about how to make management operations a bit
safer. One proposal was to accept management actions only
when they come from the same site. Apparently, someone followed
the proposal in the implementation of "manage_takeOwnership".
I doubt that it was a good idea.

-- 
Dieter
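The check the thread describes (a management action accepted only when the request's Referer points back to the same site, and rejected with "called from an invalid context" otherwise) is easy to reconstruct. The sketch below is an added example, not Zope's own manage_takeOwnership code; the function name `referer_context_check`, the `www.example.org` host and the three constructed header dictionaries are assumptions. It also reproduces the failure mode Fred hit: a privacy proxy that strips HTTP_REFERER makes the legitimate same-site request indistinguishable from an invalid one, so the check rejects it.

```python
from urllib.parse import urlsplit

# Constructed sample CGI-style environments (not captured from a real server):
# a same-site request, a cross-site request, and one whose Referer header a
# privacy proxy such as junkbuster has removed.
SAME_SITE = {
    "HTTP_HOST": "www.example.org",
    "HTTP_REFERER": "http://www.example.org/portal_skins/manage_owner",
}
CROSS_SITE = {
    "HTTP_HOST": "www.example.org",
    "HTTP_REFERER": "http://other.example.net/some/page",
}
NO_REFERER = {
    "HTTP_HOST": "www.example.org",
}


def referer_context_check(environ):
    """Decide whether a management action may proceed, using only the Referer.

    Hypothetical helper modelled on the behaviour the thread describes; it is
    not the Zope implementation. Returns (allowed, reason).
    """
    # Host the request was addressed to, without any :port suffix.
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()
    referer = environ.get("HTTP_REFERER")

    # No Referer at all: a same-origin check has nothing to compare, so the
    # action is refused. This is exactly what happens behind a proxy that
    # strips the header, even though the user is legitimately on the site.
    if not referer:
        return (False, "called from an invalid context: no Referer header")

    ref_host = (urlsplit(referer).hostname or "").lower()

    # Referer names a different host: treat as a request from another site.
    if ref_host != host:
        return (False, "called from an invalid context: referer host %r" % ref_host)

    return (True, "same-site referer")


if __name__ == "__main__":
    for label, env in (("same-site", SAME_SITE),
                       ("cross-site", CROSS_SITE),
                       ("no referer", NO_REFERER)):
        print(label, referer_context_check(env))
```

Running the block shows only the first request passing; the cross-site request and the proxied request without a Referer both produce the "invalid context" refusal, which is why relying on a header that clients and intermediaries may legitimately drop causes the breakage reported in the original message.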