Oliver Bleutgen wrote at 2003-6-6 11:46 +0200:
 > ...
 > Bad properties of this implementation:
 > 1. The "Join/Leave Versions" permission doesn't secure entering versions
 > 2. Zope doesn't care if a corresponding Version instance to the value 
 > of REQUEST['Zope-Version'] exists; more exactly, Zope doesn't care for 
 > the value of that Zope-Version variable at all.
 > 3. And (minor problem, but whatever), since Zope relies completely on 
 > the browser to send cookies only at the right time (i.e. that the path set 
 > for the cookie must match a prefix of the request-URI), this might 
 > also give unexpected results with acquisition.
 > Security implications:
 > Doh, anybody who can read/write to a zope server can get it to 
 > read/write from/to any version he likes, and the admin has no way of 
 > anticipating that short of patching zope. Combine that with sites like 
 > squishdot, collector.zope.org and you get chaos.
 > Big plea:
 > Really, this _is_ a security bug, and it should be handled that way and 
 > fixed in 2.6.2 by any means, so that all(!) bad properties I listed 
 > above are gone.

1. is difficult to change.

   When we had a post-authentication hook (a hook called by
   ZPublisher after authentication has been done),
   then we could check in this hook that the user has
   the right to enter the version.

   Such a hook would be extremely helpful for other applications.

2. would be easy to fix. I already posted an outline for the check.

3. is already implemented correctly (I think).
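For readers following the thread, here is an added, self-contained sketch (not Zope's code, and not the outline the reply refers to) of the two server-side checks the discussion calls for: that the value of the Zope-Version cookie names an existing Version (point 2), and that the requesting user holds the "Join/Leave Versions" permission before the request is allowed to run inside that version (point 1). The VersionStore, User and EnterVersionError names, and the sample version ids and users, are assumptions made for this illustration; the cookie parsing uses the standard library only.

```python
# Added example: validate a client-supplied "Zope-Version" cookie against
# server-side state before honouring it.  VersionStore, User and
# EnterVersionError are hypothetical stand-ins, not Zope APIs.
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional, Set

# Permission name as given in the report above.
JOIN_LEAVE_PERMISSION = "Join/Leave Versions"


class EnterVersionError(Exception):
    """Raised when a request names a version it may not enter."""


@dataclass
class User:
    name: str
    permissions: Set[str] = field(default_factory=set)


@dataclass
class VersionStore:
    """Constructed stand-in for the Version objects present in a site."""
    version_ids: Set[str]

    def exists(self, version_id: str) -> bool:
        return version_id in self.version_ids


def version_from_cookie(cookie_header: str) -> Optional[str]:
    """Return the Zope-Version cookie value, or None when the cookie is absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("Zope-Version")
    return morsel.value if morsel is not None else None


def resolve_version(cookie_header: str, store: VersionStore, user: User) -> Optional[str]:
    """Decide which version, if any, a request may work in.

    Returns None when no cookie is sent (the request runs against the main
    data) or the validated version id otherwise.  Raises EnterVersionError
    when the cookie names a version that does not exist, or when the user
    lacks the Join/Leave Versions permission.
    """
    version_id = version_from_cookie(cookie_header)
    if version_id is None:
        return None
    if not store.exists(version_id):
        # Point 2 of the report: the cookie must name a real Version instance.
        raise EnterVersionError("no such version: %r" % version_id)
    if JOIN_LEAVE_PERMISSION not in user.permissions:
        # Point 1 of the report: entering a version is gated by the same
        # permission that gates joining it.
        raise EnterVersionError("%s may not enter versions" % user.name)
    return version_id


if __name__ == "__main__":
    # Constructed sample data.
    store = VersionStore(version_ids={"testing"})
    editor = User("editor", {JOIN_LEAVE_PERMISSION})
    viewer = User("viewer")
    print(resolve_version("Zope-Version=testing", store, editor))  # testing
    for header, who in (("Zope-Version=nope", editor), ("Zope-Version=testing", viewer)):
        try:
            resolve_version(header, store, who)
        except EnterVersionError as err:
            print("rejected:", err)
```

The check runs once per request, after authentication, which is exactly why the reply asks for a post-authentication hook: until the user is known, the permission part of the check cannot be made.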


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )