Log message for revision 73424: Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.
Changed: U Zope/trunk/doc/CHANGES.txt U Zope/trunk/lib/python/App/ApplicationManager.py -=- Modified: Zope/trunk/doc/CHANGES.txt =================================================================== --- Zope/trunk/doc/CHANGES.txt 2007-03-21 14:48:31 UTC (rev 73423) +++ Zope/trunk/doc/CHANGES.txt 2007-03-21 15:01:50 UTC (rev 73424) @@ -88,6 +88,14 @@ Bugs Fixed + - Collector #2294: Protected DOS-able ControlPanel methods with the + same 'requestmethod' wrapper. + + - Collector #2294: Protected various security mutators with a new + 'postonly' decorator. The decorator limits method publishing to + POST requests only, and is a backport from Zope 2.11's requestmethod + decorator factory. + - Collector #2289: restored compatiblity with PTProfiler - No longer opens a zodb connection every time a ProductDispatcher Modified: Zope/trunk/lib/python/App/ApplicationManager.py =================================================================== --- Zope/trunk/lib/python/App/ApplicationManager.py 2007-03-21 14:48:31 UTC (rev 73423) +++ Zope/trunk/lib/python/App/ApplicationManager.py 2007-03-21 15:01:50 UTC (rev 73424) @@ -30,6 +30,7 @@ from version_txt import version_txt from cStringIO import StringIO from AccessControl import getSecurityManager +from AccessControl.requestmethod import postonly from zExceptions import Redirect from Products.PageTemplates.PageTemplateFile import PageTemplateFile from cgi import escape @@ -388,6 +389,7 @@ if os.environ.has_key('ZMANAGED'): manage_restartable=1 + @postonly def manage_restart(self, URL1): """Shut down the application""" try: @@ -403,7 +405,8 @@ <body>Zope is restarting</body></html> """ % escape(URL1, 1) - def manage_shutdown(self): + @postonly + def manage_shutdown(self, REQUEST=None): """Shut down the application""" try: user = '"%s"' % getSecurityManager().getUser().getUserName() @@ -418,6 +421,7 @@ <body>Zope is shutting down</body></html> """ + @postonly def manage_pack(self, days=0, REQUEST=None): """Pack the database""" 
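Review bot: `manage_restart(self, URL1)` is decorated with `@postonly` but, unlike `manage_shutdown` in the following hunk, it was not given a `REQUEST=None` parameter, and its body continues past the hunk. The CHANGES entry describes `postonly` as a backport of Zope 2.11's requestmethod factory, which finds the request by looking for a `REQUEST` argument in the wrapped callable's signature; if the backport keeps that behaviour, decorating a method without one fails when the class body is executed, and if it silently skips the check instead, restart stays reachable by GET while shutdown does not. Either way the signature should match the other protected methods: `def manage_restart(self, URL1, REQUEST=None):`. Note also that POST-only publishing stops link-triggered and prefetch-style invocations but not a cross-site form POST from an already-authenticated browser, so the same caveat applies to the manage_pack, manage_saveVersions and manage_discardVersions hunks; a form authenticator token would be the natural follow-up.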
@@ -472,6 +476,7 @@ r.append({'id': v}) return r + @postonly def manage_saveVersions(self, versions, REQUEST=None): "Commit some versions" db=self._p_jar.db() @@ -480,6 +485,7 @@ if REQUEST is not None: REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main') + @postonly def manage_discardVersions(self, versions, REQUEST=None): "Discard some versions" db=self._p_jar.db() _______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins