Vladimir Petrovic wrote:
On Friday 06 June 2003 21:36, Jamie Heilman wrote:
Common wisdom seems to be to filter out .*manage.* requests in apache (search the mailing lists for that).
Sadly, if you want 100% coverage, filtering on 'manage' alone won't cut it, thanks to a) management interfaces that don't use "manage" anywhere in the name, like ZCacheable_*, and b) type coercion done through POST requests, which seems basically impossible to filter out using Apache.
Zope will have to be patched or a new product will have to be written to enforce secure management.
There is also the possibility of filtering the authentication field when the HTTP request passes through a reverse proxy.
I think that Apache doesn't support this directly, but using a rewrite rule it is possible to return unauthorized or forbidden if the request contains an authentication header. This shouldn't be a problem (if this level of security is really required), since browsers shouldn't send this header anyway unless they have received an unauthorized response and the user has entered a username/password.
Uhm, but at that moment it's too late, because the username and the password have already traveled the wire in clear text, isn't it?
cheers,
oliver
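For readers who want to see what Vladimir's proposal looks like in practice, here is an added Apache 2.x reverse-proxy snippet (example configuration written for this thread, not something posted by any of the participants or shipped with Zope). The backend address 127.0.0.1:8080 is an assumption.

```apache
# Added example: front-end Apache reverse proxy in front of Zope.
# Assumes mod_rewrite and mod_proxy are loaded; backend address is assumed.
RewriteEngine On

# Vladimir's idea: a browser only sends an Authorization header after it
# has seen a 401 challenge, so a request that already carries one is
# either a client challenged by Zope directly or a script supplying
# credentials. Refuse it with 403 before it reaches the backend.
RewriteCond %{HTTP:Authorization} !^$
RewriteRule ^ - [F,L]

# The "common wisdom" filter from the thread, widened with the one
# non-"manage" interface name Jamie mentions. Jamie's caveat still
# applies: names without "manage" and POST-based type coercion are
# not covered, so this is defence in depth, not a complete fix.
RewriteRule (manage|ZCacheable_) - [F,L,NC]

# Everything else is proxied to Zope (backend address is an assumption).
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
```

Oliver's objection applies unchanged: the 403 is returned only after the credentials have already crossed the wire, so this limits what the backend accepts but does not protect the password in transit.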