> The issue of client side trojan recently came to my mind again.
> Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan
> I found nothing new since Oct. 2001, so I thought I'd bring up the issue
> again, maybe it's something which could be taken care of for zope => 2.6.
>
> I wrote something about that at the wiki, but let me repeat my proposal.
>
> I think zope's management methods (the potentially destructive ones)
> should not accept REQUESTs with REQUEST_METHOD "GET".
>
> This is in accordance with the http/1.1 rfc (reposted from the wiki):
>
> <snip RFC citation...>
>
> The win would be that disabling javascript would make a client safe from
> this form of attack, AFAIK; OTOH I can't think of anything which would
> break ATM.
While I don't necessarily disagree about making GETs idempotent, this still doesn't make you "safe", even with JS turned off. A quick example: images can be used as form submit buttons. If I can get you to visit a page and click on my innocent-looking image... you're done :)

This is a hard, hard problem. While some good ideas have been proposed, there is not really a quick fix that doesn't have some downside that some group somewhere considers a showstopper :(

Brian Lloyd [EMAIL PROTECTED]
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
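The two positions in the exchange above, as an added example that is not part of the thread and not Zope's own code: a destructive management method is guarded first by the proposal (refuse REQUEST_METHOD "GET") and then by the proposal plus a per-session secret that the attacker's page cannot know. The image-button form Brian describes is included as constructed HTML; it needs no JavaScript, the browser sends the victim's cookie with the POST, and so it passes the method-only policy. The `Request` class, the `SESSIONS` store, the `_authenticator` field name, the `DESTRUCTIVE` set and all host and field names are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Management methods treated as destructive (hypothetical list for the example).
DESTRUCTIVE = {"manage_delObjects", "manage_pasteObjects"}

# Server-side session store: session id -> CSRF token (constructed for the example).
SESSIONS = {}


@dataclass
class Request:
    """Stand-in for a server request object (not Zope's REQUEST)."""
    method: str                                   # REQUEST_METHOD
    path: str                                     # e.g. "/folder/manage_delObjects"
    form: dict = field(default_factory=dict)      # decoded body / query parameters
    cookies: dict = field(default_factory=dict)   # attached automatically by the browser


def new_session():
    """Log a user in: mint a session id and an unguessable per-session token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid, SESSIONS[sid]


def _method_name(req):
    return req.path.rsplit("/", 1)[-1]


def policy_method_only(req):
    """The thread's proposal: destructive methods refuse REQUEST_METHOD GET."""
    if _method_name(req) not in DESTRUCTIVE:
        return True
    return req.method != "GET"


def policy_method_and_token(req):
    """Refuse GET *and* require a token the attacker's page cannot supply.

    The token lives in the victim's session on the server and is echoed into
    the site's own management forms. A page on another origin can choose the
    method and the field values, but it cannot read the token."""
    if _method_name(req) not in DESTRUCTIVE:
        return True
    if req.method != "POST":
        return False
    expected = SESSIONS.get(req.cookies.get("sid", ""))
    supplied = req.form.get("_authenticator", "")
    if expected is None or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


# What the attacker hosts (constructed). No JavaScript: clicking the picture
# submits the form as a POST, and the browser attaches the victim's cookie.
# Field names are illustrative, not Zope's.
ATTACK_HTML = """
<form method="POST" action="http://victim.example/folder/manage_delObjects">
  <input type="hidden" name="ids" value="important_doc">
  <input type="image" src="cute_kitten.png" alt="click me">
</form>
"""


def run_scenarios():
    """Return {scenario: (method_only_allows, method_and_token_allows)}."""
    sid, token = new_session()
    victim_cookie = {"sid": sid}

    # A plain link or <img src=...> pointing at the method: the classic GET trojan.
    get_link = Request("GET", "/folder/manage_delObjects",
                       form={"ids": "important_doc"}, cookies=victim_cookie)
    # The image-button form above, submitted by the victim's click.
    image_button_post = Request("POST", "/folder/manage_delObjects",
                                form={"ids": "important_doc"}, cookies=victim_cookie)
    # The site's own management form, which carries the session token.
    legitimate_post = Request("POST", "/folder/manage_delObjects",
                              form={"ids": "important_doc", "_authenticator": token},
                              cookies=victim_cookie)
    # A read-only management view; GET stays allowed.
    harmless_get = Request("GET", "/folder/manage_main", cookies=victim_cookie)

    scenarios = {
        "get_link": get_link,
        "image_button_post": image_button_post,
        "legitimate_post": legitimate_post,
        "harmless_get": harmless_get,
    }
    return {name: (policy_method_only(r), policy_method_and_token(r))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (m, t) in run_scenarios().items():
        print(f"{name:18s} method-only={m!s:5s} method+token={t}")
```

Running it shows the gap the reply points at: `image_button_post` is accepted by the method-only policy and rejected only once a secret bound to the session is required. The token comparison uses `hmac.compare_digest` so that a wrong guess takes the same time as a near-miss.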