Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-16 Thread Florent Guillaume
Oliver Bleutgen wrote: Although I repeat myself, implementing this proposal would give me a lot of options to prevent myself from this kind of attack, completely or partially. - In Internet Explorer I can disable javascript. (problem solved) - In Internet Explorer I

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-15 Thread Toby Dickenson
On Friday 12 Apr 2002 7:19 pm, Jeffrey P Shell wrote: that your proposal isn't up there (or the catalog is up to its old charms ;) No, it's not up there. But now, does this mean I have to go through and tag every method that might cause a state change? Or might not? You won't ever *have* to

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-12 Thread Toby Dickenson
On Thursday 11 April 2002 6:37 pm, Jeffrey P Shell wrote: On 4/11/02 7:55 AM, Toby Dickenson wrote: Then you're lucky. Usually, any time I see <dtml-var someNonIdempotentMethod()>, I immediately change it to the name lookup call. Don't blame me, I've been following this paradigm for

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-12 Thread Florent Guillaume
Oliver Bleutgen wrote: The issue of client side trojan recently came to my mind again. [..] I think zope's management methods (the potentially destructive ones) should not accept REQUESTs with REQUEST_METHOD GET. I like the idea of trying to secure that kind of thing a

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-12 Thread Oliver Bleutgen
Florent Guillaume wrote: Oliver Bleutgen wrote: The issue of client side trojan recently came to my mind again. [..] I think zope's management methods (the potentially destructive ones) should not accept REQUESTs with REQUEST_METHOD GET. I like the idea of trying to

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-12 Thread Oliver Bleutgen
Jeffrey P Shell wrote: I have to now admit to not having seen the proposal, I've just been following along here and struggling to capture the meaning of idempotent as it applies to Zope security, but I *think* I'm starting to grok it. Since a search for idempotent on zope.org yields no

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Toby Dickenson
On Wednesday 10 April 2002 5:07 pm, Brian Lloyd wrote: should not accept REQUESTs with REQUEST_METHOD GET. This is a hard, hard problem. While some good ideas have been proposed, there is not really a quick fix that doesn't have some downside that some group somewhere considers a

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Casey Duncan
Toby Dickenson wrote: [snip] 4. Change dtml to not allow <dtml-var someNonIdempotentMethod>, although it should still allow <dtml-var someNonIdempotentMethod()> Ahhh! How do you propose to do that? I see a lot of bruised foreheads resulting from this... How many problems would this cause?

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Toby Dickenson
On Thursday 11 April 2002 4:39 pm, Casey Duncan wrote: Toby Dickenson wrote: [snip] 4. Change dtml to not allow <dtml-var someNonIdempotentMethod>, although it should still allow <dtml-var someNonIdempotentMethod()> Ahhh! How do you propose to do that? I see a lot of bruised foreheads resulting

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Casey Duncan
<dtml-var foo> is not even close to the equivalent of <dtml-var foo()>. The former uses mapply to comb the namespace for arguments and maps them to the callable and then calls it (if it is a callable, that is). IOW foo could have any number of arguments. The latter always calls foo with no
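The difference Casey describes, as an added illustration that is not code from the thread or from Zope: a name lookup hands the template namespace to a mapply-style dispatcher that fills the callable's parameters by name, so a request parameter in the URL can become an argument to a destructive method, whereas an explicit `foo()` passes nothing. `mapply_like` is a simplified stand-in for ZPublisher's mapply (it ignores positional forms and does not consult REQUEST), and the `Folder` class, the `?ids=secret` query string and the method names are constructed for the example.

```python
"""Added illustration: <dtml-var foo> (mapply-style name lookup) versus
<dtml-var foo()> (explicit call). Not Zope's mapply; everything here is a
constructed stand-in written for this page."""
import inspect
from urllib.parse import parse_qs


class Folder:
    """Minimal stand-in for a Zope container with one destructive method."""

    def __init__(self, *ids):
        self.objects = set(ids)

    def manage_delObjects(self, ids):
        """Non-idempotent: every call changes state, and a second call with
        the same ids fails rather than being a no-op."""
        for oid in ids:
            self.objects.remove(oid)
        return f"deleted {sorted(ids)}"

    def title(self):
        """Idempotent: harmless to call while rendering a GET."""
        return "Folder with %d objects" % len(self.objects)


def mapply_like(obj, namespace):
    """Call obj the way a name lookup does: each parameter of obj that has a
    matching key in the namespace is filled from it. A non-callable is
    returned unchanged. (Hypothetical simplification of mapply.)"""
    if not callable(obj):
        return obj
    kwargs = {}
    for name, param in inspect.signature(obj).parameters.items():
        if param.kind in (param.VAR_POSITIONAL, param.VAR_KEYWORD):
            # A **kw method accepts anything; the caller cannot tell what it uses.
            continue
        if name in namespace:
            kwargs[name] = namespace[name]
        elif param.default is param.empty:
            raise TypeError(f"{getattr(obj, '__name__', obj)} needs argument {name!r}")
    return obj(**kwargs)


def render_name_lookup(folder, method_name, query_string):
    """Model of <dtml-var method_name> with the request form in the namespace."""
    form = parse_qs(query_string)  # values are lists, e.g. {'ids': ['secret']}
    return mapply_like(getattr(folder, method_name), form)


def render_explicit_call(folder, method_name):
    """Model of <dtml-var method_name()>: explicit call, nothing from the namespace."""
    return getattr(folder, method_name)()


def demo():
    """Constructed scenario: a GET for a page whose template contains
    <dtml-var manage_delObjects>, fetched with ?ids=secret in the URL."""
    folder = Folder("index_html", "secret")
    via_name_lookup = render_name_lookup(folder, "manage_delObjects", "ids=secret")
    remaining = sorted(folder.objects)
    try:
        render_explicit_call(folder, "manage_delObjects")
        explicit_call_failed = False
    except TypeError:
        explicit_call_failed = True  # no ids supplied, so nothing is deleted
    return via_name_lookup, remaining, explicit_call_failed


if __name__ == "__main__":
    print(demo())
```

The name lookup deletes `secret` using nothing but the query string, while the explicit call cannot even be completed because the template author supplied no arguments; that asymmetry is what Toby's point 4 is about, and the `**kw` branch is the case Casey raises as the troublesome one.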

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Oliver Bleutgen
First, Toby, thanks for that proposal, it's indeed far more elegant than the mess I had in mind. Casey Duncan wrote: Toby Dickenson wrote: [snip] 4. Change dtml to not allow <dtml-var someNonIdempotentMethod>, although it should still allow <dtml-var someNonIdempotentMethod()> Ahhh!

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Lennart Regebro
From: Casey Duncan My point is how do you distinguish <dtml-var foo> meaning "Call foo passing everything from the namespace that maps to an arg" from <dtml-var foo> meaning "Call foo passing everything, but foo doesn't use anything" from <dtml-var foo> "Call foo and foo takes no

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Toby Dickenson
On Thursday 11 April 2002 5:16 pm, Casey Duncan wrote: The most troublesome case is where foo accepts any number of arguments (such as a DTML method or ZPT or any other method with **kw), and you cannot know whether it changes objects or simply returns some string or something. Yes, that is a

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Oliver Bleutgen
Casey Duncan wrote: [SNIP] Also, are we talking about only fixing the action on GET for the ZMI or for all Zope apps? If the answer is "Just the ZMI" then we are talking about doing something that has not been done before: Making the ZMI different from all other Zope apps. If the answer is

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-11 Thread Toby Dickenson
On Thu, 11 Apr 2002 18:53:54 +0200, Oliver Bleutgen wrote: With the implementation of Toby's proposal (barring the <dtml-var> thing, which isn't needed for that, as far as I see) Correct. The <dtml-var> change only helps guard against a careless dtml/zpt author reopening the same

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-10 Thread Toby Dickenson
On Tue, 9 Apr 2002 13:17:40 -0400, Brian Lloyd wrote: I think zope's management methods (the potentially destructive ones) and 'constructive' ones too should not accept REQUESTs with REQUEST_METHOD GET. This is a hard, hard problem. While some good ideas have been

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-10 Thread Lennart Regebro
From: Oliver Bleutgen I think zope's management methods (the potentially destructive ones) should not accept REQUESTs with REQUEST_METHOD GET. Do you have any proposal for how to go about doing this?

RE: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-10 Thread Brian Lloyd
should not accept REQUESTs with REQUEST_METHOD GET. This is a hard, hard problem. While some good ideas have been proposed, there is not really a quick fix that doesn't have some downside that some group somewhere considers a showstopper :( I agree Oliver's suggestion is not a total

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-10 Thread Oliver Bleutgen
Lennart Regebro wrote: From: Oliver Bleutgen I think zope's management methods (the potentially destructive ones) should not accept REQUESTs with REQUEST_METHOD GET. Do you have any proposal for how to go about doing this? Well, I don't see how one could do that

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-10 Thread Lennart Regebro
From: Oliver Bleutgen I was thinking more of something like adding the checks individually to each method in stock zope for which it is appropriate. Brian is of course right in his other mail by stating that this might and will break custom products which use the wrong

Re: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-10 Thread Oliver Bleutgen
Lennart Regebro wrote: From: Oliver Bleutgen I was thinking more of something like adding the checks individually to each method in stock zope for which it is appropriate. Brian is of course right in his other mail by stating that this might and will break custom products

[Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-09 Thread Oliver Bleutgen
The issue of client side trojan recently came to my mind again. Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan I found nothing new since Oct. 2001, so I thought I bring up the issue again, maybe it's something which could be taken care of for zope >= 2.6. I wrote
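The measure Oliver proposes in this post, refusing REQUEST_METHOD GET on state-changing management methods, as an added example that is not code from the thread or from Zope. It models the "client side trojan": a page on another site carries `<img src="http://zope.example/folder/manage_delObjects?ids=secret">`, the logged-in admin's browser fetches it with GET, and the method runs with the admin's credentials. The `require_post` decorator, the `Folder` class, the `publish` dispatcher and the hostname are hypothetical, and REQUEST is modelled as a plain dict.

```python
"""Added example: reject GET (and HEAD) on non-idempotent management methods.
Illustrative code written for this page, not Zope's implementation; the
decorator, Folder, publish() and the URLs are constructed stand-ins."""
import functools
from urllib.parse import parse_qs, urlsplit

# Methods a browser may issue without user intent (links, images, prefetch).
SAFE_METHODS = frozenset({"GET", "HEAD"})


class MethodNotAllowed(Exception):
    """Raised instead of performing a side effect on a safe request method."""


def require_post(method):
    """Hypothetical guard for a method published with REQUEST. A direct
    Python call (REQUEST is None) is not a web request and is left alone."""
    @functools.wraps(method)
    def guarded(self, *args, REQUEST=None, **kw):
        if REQUEST is not None:
            verb = REQUEST.get("REQUEST_METHOD", "GET").upper()
            if verb in SAFE_METHODS:
                raise MethodNotAllowed(f"{method.__name__} refuses {verb}; use POST")
        return method(self, *args, REQUEST=REQUEST, **kw)
    return guarded


class Folder:
    """Minimal stand-in for a Zope container."""

    def __init__(self, *ids):
        self.objects = set(ids)

    @require_post
    def manage_delObjects(self, ids, REQUEST=None):
        """Destructive management method, guarded."""
        for oid in ids:
            self.objects.discard(oid)
        return "deleted"

    def index_html(self, REQUEST=None):
        """Idempotent view, fine on GET."""
        return "objects: " + ",".join(sorted(self.objects))


def publish(folder, verb, url, body=""):
    """Tiny stand-in for the publisher: the last path element names the
    method, query string and body are merged into the form (list values, as
    parse_qs returns them), and REQUEST is passed to the method."""
    parts = urlsplit(url)
    name = parts.path.rstrip("/").rsplit("/", 1)[-1]
    form = parse_qs(parts.query)
    form.update(parse_qs(body))
    request = {"REQUEST_METHOD": verb, "PATH_INFO": parts.path, "form": form}
    return getattr(folder, name)(**form, REQUEST=request)


def demo():
    """Constructed scenario: the planted <img> GET, then the real ZMI POST."""
    folder = Folder("index_html", "secret")
    attack_url = "http://zope.example/folder/manage_delObjects?ids=secret"
    try:
        publish(folder, "GET", attack_url)
        blocked = False
    except MethodNotAllowed:
        blocked = True
    after_get = sorted(folder.objects)           # nothing deleted
    publish(folder, "POST", "http://zope.example/folder/manage_delObjects",
            body="ids=secret")
    after_post = sorted(folder.objects)          # the ZMI form still works
    folder.manage_delObjects(["index_html"])     # direct Python call, unguarded
    return blocked, after_get, after_post, sorted(folder.objects)


if __name__ == "__main__":
    print(demo())
```

This is the "partial" protection Oliver mentions: it closes the GET vector (images, links, anything a browser fetches on its own) but not a cross-site form that a script auto-submits with POST, which is why he also talks about disabling JavaScript. A per-request secret in the ZMI forms is the usual complement; the thread does not discuss it.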

RE: [Zope-dev] [RFClet]: What about the request method and the client side trojan?

2002-04-09 Thread Brian Lloyd
The issue of client side trojan recently came to my mind again. Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan I found nothing new since Oct. 2001, so I thought I bring up the issue again, maybe it's something which could be taken care of for zope >= 2.6. I wrote