[Zope-Checkins] CVS: Zope/lib/python/webdav - LockItem.py:1.4.2.2
Andreas Jung
andreas@digicool.com
Wed, 9 Jan 2002 13:33:09 -0500
Update of /cvs-repository/Zope/lib/python/webdav
In directory cvs.zope.org:/tmp/cvs-serv21326/python/webdav
Modified Files:
Tag: Zope-2_5-branch
LockItem.py
Log Message:
Added additional protection for webdav clients sending
a 'lockdiscovery' request without proper authorization. This fix checks
the authenticated user against the lock owner. If they don't match,
Zope will send a faked token back. This protection is mainly necessary
to protect Zope against the 'steal' command of cadaver.
=== Zope/lib/python/webdav/LockItem.py 1.4.2.1 => 1.4.2.2 ===
return self._lockscope
- def asLockDiscoveryProperty(self, ns='d'):
+ def asLockDiscoveryProperty(self, ns='d',fake=0):
+
+ if fake: token = 'this-is-a-faked-no-permission-token'
+ else: token = self._token
s = (' <%(ns)s:activelock>\n'
' <%(ns)s:locktype><%(ns)s:%(locktype)s/></%(ns)s:locktype>\n'
' <%(ns)s:lockscope><%(ns)s:%(lockscope)s/></%(ns)s:lockscope>\n'
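Review bot: The `fake=0` default in the new `asLockDiscoveryProperty` signature makes the real token the fallback: any caller that is not updated to pass `fake` still gets `self._token` in the response, so the protection depends on every call site performing the owner check, and none of that check is visible in these lines. Consider passing the requesting user into this method so the decision is made in one place, or inverting the default so that callers must opt in to receiving the real token. The placeholder `'this-is-a-faked-no-permission-token'` would also read better as a named module-level constant with a short docstring on the new parameter, and the one-line `if fake: ... else: ...` form and the `ns='d',fake=0` spacing are worth tidying.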
@@ -160,11 +163,17 @@
'depth': self._depth,
'owner': self._owner,
'timeout': self.getTimeoutString(),
- 'locktoken': self._token,
+ 'locktoken': token,
}
return s
def asXML(self):
+ import traceback
+ try:
+ a=1/0
+ except:
+ traceback.print_exc()
+
s = """<?xml version="1.0" encoding="utf-8" ?>
<d:prop xmlns:d="DAV:">
<d:lockdiscovery>
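Review bot: The `try: a=1/0` / `except: traceback.print_exc()` block added at the top of `asXML` looks like leftover debugging: it raises and catches a ZeroDivisionError on every call and prints a stack trace to stderr, which is unrelated to the lock-token fix described in the log message and adds noise to the server's output on every call. Please remove these lines together with the `import traceback` before this goes out on the branch. The `'locktoken': token` substitution earlier in the hunk is consistent with the new `fake` parameter.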