Oliver Bleutgen [EMAIL PROTECTED] wrote:
Although I repeat myself, implementing this proposal would give me a lot
of options to prevent myself from this kind of attack, completely or
partially.
- In Internet Explorer I can disable javascript. (problem solved)
- In Internet Explorer I
On Friday 12 Apr 2002 7:19 pm, Jeffrey P Shell wrote:
that your proposal isn't up there (or the catalog is up to its old charms ;)
No, it's not up there.
But now, does this mean I have to go through and tag every method that might
cause a state change? Or might not?
You won't ever *have* to
On Thursday 11 April 2002 6:37 pm, Jeffrey P Shell wrote:
On 4/11/02 7:55 AM, Toby Dickenson [EMAIL PROTECTED]
Then you're lucky. Usually, any time I see dtml-var
someNonIdempotentMethod(), I immediately change it to the name lookup
call. Don't blame me, I've been following this paradigm for
Oliver Bleutgen [EMAIL PROTECTED] wrote:
The issue of client side trojan recently came to my mind again.
[..]
I think zope's management methods (the potentially destructive ones)
should not accept REQUESTs with REQUEST_METHOD GET.
I like the idea of trying to secure that kind of things a
Florent Guillaume wrote:
Oliver Bleutgen [EMAIL PROTECTED] wrote:
The issue of client side trojan recently came to my mind again.
[..]
I think zope's management methods (the potentially destructive ones)
should not accept REQUESTs with REQUEST_METHOD GET.
I like the idea of trying to
Jeffrey P Shell wrote:
I have to now admit to not having seen the proposal, I've just been
following along here and struggling to capture the meaning of idempotent
as it applies to Zope security, but I *think* I'm starting to grok it.
Since a search for idempotent on zope.org yields no
On Wednesday 10 April 2002 5:07 pm, Brian Lloyd wrote:
should not accept REQUESTs with REQUEST_METHOD GET.
This is a hard, hard problem. While some good ideas have been
proposed, there is not really a quick fix that doesn't have
some downside that some group somewhere considers a
Toby Dickenson wrote:
[snip]
4. Change dtml to not allow dtml-var someNonIdempotentMethod, although it
should still allow dtml-var someNonIdempotentMethod()
Ahhh!
How do you propose to do that? I see a lot of bruised foreheads
resulting from this...
How many problems would this cause.
dtml-var foo is not even close to the equivalent of dtml-var foo()
The former uses mapply to comb the namespace for arguments and maps them
to the callable and then calls it (if it is a callable, that is). IOW
foo could have any number of arguments. The latter always calls foo with
no
First, Toby, thanks for that proposal, it's indeed far more elegant than
the mess I had in mind.
Casey Duncan wrote:
Toby Dickenson wrote:
[snip]
4. Change dtml to not allow dtml-var someNonIdempotentMethod,
although it should still allow dtml-var someNonIdempotentMethod()
Ahhh!
From: Casey Duncan [EMAIL PROTECTED]
My point is how do you distinguish dtml-var foo meaning Call foo
passing everything from the namespace that maps to an arg from
dtml-var foo meaning Call foo passing everything, but foo doesn't use
anything from dtml-var foo Call foo and foo takes no
On Thursday 11 April 2002 5:16 pm, Casey Duncan wrote:
The most troublesome case is where foo accepts any number of arguments
(such as a DTML method or ZPT or any other method with **kw), and you
cannot know whether it changes objects or simply returns some string or
something.
Yes, that is a
Casey Duncan wrote:
[SNIP]
Also, are we talking about only fixing the action on GET for the ZMI
or for all Zope apps? If the answer is Just the ZMI then we are
talking about doing something that has not been done before: Making the
ZMI different from all other Zope apps. If the answer is
On Thu, 11 Apr 2002 18:53:54 +0200, Oliver Bleutgen [EMAIL PROTECTED]
wrote:
With the implementation of Toby's proposal (barring the dtml-var thing,
which isn't needed for that, as far as I see)
Correct. The dtml-var change only helps guard against a careless
dtml/zpt author reopening the same
On Tue, 9 Apr 2002 13:17:40 -0400, Brian Lloyd [EMAIL PROTECTED]
wrote:
I think zope's management methods (the potentially destructive ones)
and 'constructive' ones too
should not accept REQUESTs with REQUEST_METHOD GET.
This is a hard, hard problem. While some good ideas have been
From: Oliver Bleutgen [EMAIL PROTECTED]
I think zope's management methods (the potentially destructive ones)
should not accept REQUESTs with REQUEST_METHOD GET.
Do you have any proposal for how to go about doing this?
should not accept REQUESTs with REQUEST_METHOD GET.
This is a hard, hard problem. While some good ideas have been
proposed, there is not really a quick fix that doesn't have
some downside that some group somewhere considers a
showstopper :(
I agree Oliver's suggestion is not a total
Lennart Regebro wrote:
From: Oliver Bleutgen [EMAIL PROTECTED]
I think zope's management methods (the potentially destructive ones)
should not accept REQUESTs with REQUEST_METHOD GET.
Do you have any proposal for how to go about doing this?
Well, I don't see how one could do that
From: Oliver Bleutgen [EMAIL PROTECTED]
I was thinking more of something like adding the checks individually to
each method in stock zope for which it is appropriate.
Brian is of course right in his other mail by stating that this might
and will break custom products which use the wrong
Lennart Regebro wrote:
From: Oliver Bleutgen [EMAIL PROTECTED]
I was thinking more of something like adding the checks individually to
each method in stock zope for which it is appropriate.
Brian is of course right in his other mail by stating that this might
and will break custom products
The issue of client side trojan recently came to my mind again.
Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan
I found nothing new since Oct. 2001, so I thought I'd bring up the issue
again, maybe it's something which could be taken care of for zope = 2.6.
I wrote
The issue of client side trojan recently came to my mind again.
Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan
I found nothing new since Oct. 2001, so I thought I'd bring up the issue
again, maybe it's something which could be taken care of for zope = 2.6.
I wrote