The issue of client side trojan recently came to my mind again. Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan I found nothing new since Oct. 2001, so I thought I'd bring up the issue again; maybe it's something which could be taken care of for zope => 2.6.
I wrote something about that at the wiki, but let me repeat my proposal.
I think zope's management methods (the potentially destructive ones) should not accept REQUESTs with REQUEST_METHOD "GET".
This is in accordance with the HTTP/1.1 RFC (reposted from the wiki):
<snip RFC citation...>
The win would be that disabling javascript would make a client safe from this form of attack, AFAIK; OTOH I can't think of anything which would break ATM.
While I don't necessarily disagree about making GETs idempotent, this still doesn't make you "safe", even with JS turned off. A quick example: images can be used as form submit buttons. If I can get you to visit a page and click on my innocent looking image... you're done :)

This is a hard, hard problem. While some good ideas have been proposed, there is not really a quick fix that doesn't have some downside that some group somewhere considers a showstopper :(

Brian Lloyd
brian@zope.com
V.P. Engineering
540.361.1716
Zope Corporation
http://www.zope.com
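An added illustration of both points in the thread (not Zope code, and not from either poster): a guard that refuses GET on a destructive management method, shown to be insufficient alone against a cross-site POST such as the image submit button Brian describes, and the per-session token check that closes that gap. The request dicts, the `csrf_token` form field and the session token are constructed for the example.

```python
import hmac

# Methods HTTP/1.1 treats as "safe": a destructive action must never run on them.
SAFE_METHODS = {"GET", "HEAD"}


def is_safe_method(request):
    """The thread's proposal: True when the request arrived via GET/HEAD and a
    state-changing management method should therefore refuse to act."""
    return request["REQUEST_METHOD"].upper() in SAFE_METHODS


def has_valid_token(request, session_token):
    """Constant-time check of a per-session secret echoed back in the form body.
    A third-party page cannot read the victim's token, so a cross-site POST
    (image submit button, auto-submitting form) cannot supply it."""
    submitted = request.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(submitted, session_token)


def guard_management_method(request, session_token):
    """Decision for a destructive management call: 'allowed' or a refusal reason."""
    if is_safe_method(request):
        return "refused: method must be POST"
    if not has_valid_token(request, session_token):
        return "refused: missing or wrong token"
    return "allowed"


if __name__ == "__main__":
    token = "c0ffee0123456789"  # constructed; would live in the victim's session
    via_link = {"REQUEST_METHOD": "GET", "form": {}}          # <a href> / <img src>
    via_image_button = {"REQUEST_METHOD": "POST", "form": {}}  # Brian's case
    legit = {"REQUEST_METHOD": "POST", "form": {"csrf_token": token}}
    print("GET link:", guard_management_method(via_link, token))
    print("image button, method check only:", "passes" if not is_safe_method(via_image_button) else "refused")
    print("image button, with token check:", guard_management_method(via_image_button, token))
    print("legitimate form:", guard_management_method(legit, token))
```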