On Tue, 9 Apr 2002 13:17:40 -0400, Brian Lloyd [EMAIL PROTECTED]
wrote:
I think zope's management methods (the potentially destructive ones)
and 'constructive' ones too
should not accept REQUESTs with REQUEST_METHOD GET.
This is a hard, hard problem. While some good ideas have been
From: Oliver Bleutgen [EMAIL PROTECTED]
I think zope's management methods (the potentially destructive ones)
should not accept REQUESTs with REQUEST_METHOD GET.
Do you have any proposal for how to go about doing this?
Zope-Dev maillist -
The idea is to allow user to specify several points of presence (pop)
for an object. Does this break security? Probably yes, but in what case?
If an object from a highly secure environment appeared somewhere in
Anonymous zone, what then? Yes, Anonymous is able to alter object. But
there was
On Wed, 10 Apr 2002 01:30:56 +0300, Myroslav Opyr
[EMAIL PROTECTED] wrote:
Is Anonymous able to get out of the shared
object to secure environment?
User X is designated as a manager of folder /Xfolder. In today's Zope
/Xfolder is a secure environment. He has no authority over objects
outside
At 01:30 10-04-2002 +0300, Myroslav Opyr wrote:
Ok. Let's find out what we have and what we want. First of all we have
strict hierarchy in ZODB where each object appears only once in the
tree. Thus to access to an object it is only one way from root down to
an object through containers.
The
At 10:06 10-04-2002 -0400, Brian Lloyd wrote:
What is wrong with leaving this as an add-on product? Why does
it _need_ to be a part of the core at all? Useful products are
useful, whether or not they come with Zope, and there are
plenty of very useful products that don't come built in.
I
At 15:12 10-04-2002 +0100, Toby Dickenson wrote:
User X is designated as a manager of folder /Xfolder. In today's Zope
/Xfolder is a secure environment. He has no authority over objects
outside that folder, thanks to aq_inContextOf
Can he create links to objects outside that folder?
No, he
should not accept REQUESTs with REQUEST_METHOD GET.
This is a hard, hard problem. While some good ideas have been
proposed, there is not really a quick fix that doesn't have
some downside that some group somewhere considers a
showstopper :(
I agree Oliver's suggestion is not a total
Support for X-HTTPD-FORWARDED-FOR
Code for this is pretty simple:
modify 2 files, ZServer/medusa/http_server.py and
lib/python/AccessControl/User.py
1. To put the proxy-passed ip address in the zserver log,
Around line 269 in ZServer/medusa/http_server.py, add a method
Lennart Regebro wrote:
From: Oliver Bleutgen [EMAIL PROTECTED]
I think zope's management methods (the potentially destructive ones)
should not accept REQUESTs with REQUEST_METHOD GET.
Do you have any proposal for how to go about doing this?
Well, I don't see how one could do that
From: Oliver Bleutgen [EMAIL PROTECTED]
I was thinking more of something like adding the checks individually to
each method in stock zope for which it is appropriate.
Brian is of course right in his other mail by stating that this might
and will break custom products which use the wrong
Jim Washington wrote:
2. If we want to get fancy about allowing authentication using that ip
address like naked ZServers can do,
In lib/python/AccessControl/User.py, around line 1116,
change
if request.has_key('REMOTE_ADDR'):
addr=request['REMOTE_ADDR']
to
if
Lennart Regebro wrote:
From: Oliver Bleutgen [EMAIL PROTECTED]
I was thinking more of something like adding the checks individually to
each method in stock zope for which it is appropriate.
Brian is of course right in his other mail by stating that this might
and will break custom products
On Wed, Apr 10, 2002 at 06:59:38PM +0200, Oliver Bleutgen wrote:
Jim Washington wrote:
2. If we want to get fancy about allowing authentication using that ip
address like naked ZServers can do,
In lib/python/AccessControl/User.py, around line 1116,
change
if
Correct me if I'm wrong, but this IMO makes spoofing against a naked
ZServer a child's play. It's just adding a custom header to the request.
I also doubt that every reverse proxy overwrites this header, so
zservers behind a proxy might also be hit.
Note: this is using another web server to