Oliver Bleutgen wrote at 2003-6-6 11:46 +0200:
> ...
> Bad properties of this implementation:
>
> 1. The "Join/Leave Versions" permission doesn't secure entering versions.
> 2. Zope doesn't care whether a corresponding Version instance to the value
>    of REQUEST['Zope-Version'] exists; more exactly, Zope doesn't care about
>    the value of that Zope-Version variable at all.
> 3. And (minor problem, but whatever), since Zope relies completely on
>    the browser to send cookies only at the right time (i.e. the path set
>    for the cookie must match a prefix of the request URI), this might
>    also give unexpected results with acquisition.
>
> Security implications:
>
> Doh, anybody who can read/write to a Zope server can get it to
> read/write from/to any version he likes, and the admin has no way of
> anticipating that short of patching Zope. Combine that with sites like
> squishdot, collector.zope.org and you get chaos.
>
> Big plea:
>
> Really, this _is_ a security bug, and it should be handled that way and
> fixed in 2.6.2 by any means, so that all(!) bad properties I listed
> above are gone.
1. is difficult to change. If we had a post-authentication hook (a hook called by ZPublisher after authentication has been done), we could check in this hook that the user has the right to enter the version. Such a hook would be extremely helpful for other applications, too.

2. would be easy to fix. I already posted an outline for the check.

3. is already implemented correctly (I think).

Dieter

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
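The two checks discussed above (that the Version named by the Zope-Version cookie actually exists, and that the authenticated user holds "Join/Leave Versions" on it), written out as an added example. This is not Zope's own code and not the outline Dieter refers to: the Version, User and Request classes, the `versions` registry, and the function `check_version_cookie` are stand-ins constructed here so the check can run offline; only the permission name and the cookie key come from the thread.

```python
"""Hypothetical post-authentication check for the Zope-Version cookie.

Added illustration, not code from Zope or from the thread: the registry,
user and request objects below are constructed stand-ins.
"""
from dataclasses import dataclass, field

JOIN_LEAVE = "Join/Leave Versions"   # permission name quoted in the thread
VERSION_COOKIE = "Zope-Version"      # cookie / REQUEST key quoted in the thread


class VersionCheckError(Exception):
    """The request must not be published inside the named version."""


@dataclass
class Version:
    """Stand-in for a Zope Version object.

    `permissions` maps a permission name to the set of roles granted it,
    mirroring the role-to-permission mapping a Zope object carries.
    """
    id: str
    permissions: dict = field(default_factory=dict)


@dataclass
class User:
    """Stand-in for the user ZPublisher has just authenticated."""
    name: str
    roles: set


@dataclass
class Request:
    """Stand-in for REQUEST: only the cookies matter for this check."""
    cookies: dict


def check_version_cookie(request, versions, user):
    """Validate the Zope-Version cookie after authentication.

    Returns the Version to publish inside, or None when no version is
    requested. Raises VersionCheckError in the two cases from the thread:
      - the cookie names a Version object that does not exist (point 2);
      - the user lacks "Join/Leave Versions" on that version (point 1).
    """
    version_id = request.cookies.get(VERSION_COOKIE)
    if not version_id:
        return None                      # plain request, no version involved

    version = versions.get(version_id)   # point 2: the object must exist
    if version is None:
        raise VersionCheckError(f"no Version object named {version_id!r}")

    allowed = version.permissions.get(JOIN_LEAVE, set())
    if not (user.roles & allowed):       # point 1: permission must be held
        raise VersionCheckError(
            f"user {user.name!r} lacks {JOIN_LEAVE!r} on {version_id!r}")
    return version


def outcome(request, versions, user):
    """Convenience wrapper returning a short label instead of raising."""
    try:
        version = check_version_cookie(request, versions, user)
    except VersionCheckError as exc:
        return f"rejected: {exc}"
    return "no version" if version is None else f"version {version.id}"


if __name__ == "__main__":
    # Constructed sample data: one version that only Managers may join.
    versions = {"wip": Version("wip", {JOIN_LEAVE: {"Manager"}})}
    manager = User("alice", {"Manager", "Authenticated"})
    anon = User("anonymous", {"Anonymous"})

    print(outcome(Request({}), versions, anon))
    print(outcome(Request({VERSION_COOKIE: "wip"}), versions, manager))
    print(outcome(Request({VERSION_COOKIE: "wip"}), versions, anon))
    print(outcome(Request({VERSION_COOKIE: "ghost"}), versions, manager))
```

The point of doing this in a hook that runs after authentication is that the role set consulted is the real one for the request, so an anonymous or low-privileged user who merely sets the cookie is refused, and a cookie naming a version that was never created is refused before any read or write is routed through it.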