[Zope-Checkins] SVN: Zope/branches/2.9/ Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.
Tres Seaver
tseaver at palladion.com
Wed Mar 21 10:37:28 EDT 2007
Log message for revision 73422:
Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.
Changed:
U Zope/branches/2.9/doc/CHANGES.txt
U Zope/branches/2.9/lib/python/App/ApplicationManager.py
-=-
Modified: Zope/branches/2.9/doc/CHANGES.txt
===================================================================
--- Zope/branches/2.9/doc/CHANGES.txt 2007-03-21 14:27:46 UTC (rev 73421)
+++ Zope/branches/2.9/doc/CHANGES.txt 2007-03-21 14:37:27 UTC (rev 73422)
@@ -8,10 +8,14 @@
Bugs fixed
- - Protected various security mutators with a new postonly decorator.
- The decorator limits method publishing to POST requests only, and
- is a backport from Zope 2.11's requestmethod decorator factory.
+ - Collector #2294: Protected DOS-able ControlPanel methods with the
+ same 'requestmethod' wrapper.
+ - Collector #2294: Protected various security mutators with a new
+ 'postonly' decorator. The decorator limits method publishing to
+ POST requests only, and is a backport from Zope 2.11's requestmethod
+ decorator factory.
+
- Collector #2288: @ and + should not be quoted when forming
request URLs in BaseRequest and HTTPRequest
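Review bot: the first new entry says the ControlPanel methods are protected with "the same 'requestmethod' wrapper", but the code in this revision applies the `postonly` decorator imported from `AccessControl.requestmethod`, which the second entry itself describes as a backport of that factory; naming the decorator consistently in both entries (`'postonly'`) would save readers looking for a `requestmethod` call in ApplicationManager.py. It is also worth stating the scope of the protection in the entry: limiting these methods to POST stops them being triggered by a plain link or image fetch, which is the DOS vector being closed, but it does not by itself stop a cross-site POST form, so it should not be read as a CSRF defense.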
Modified: Zope/branches/2.9/lib/python/App/ApplicationManager.py
===================================================================
--- Zope/branches/2.9/lib/python/App/ApplicationManager.py 2007-03-21 14:27:46 UTC (rev 73421)
+++ Zope/branches/2.9/lib/python/App/ApplicationManager.py 2007-03-21 14:37:27 UTC (rev 73422)
@@ -31,6 +31,7 @@
from version_txt import version_txt
from cStringIO import StringIO
from AccessControl import getSecurityManager
+from AccessControl.requestmethod import postonly
from zExceptions import Redirect
from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from cgi import escape
@@ -387,6 +388,7 @@
if os.environ.has_key('ZMANAGED'):
manage_restartable=1
+ @postonly
def manage_restart(self, URL1):
"""Shut down the application"""
try:
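Review bot: `manage_restart` gets `@postonly` but its signature `(self, URL1)` has no `REQUEST` parameter, while the next hunk adds `REQUEST=None` to `manage_shutdown` for exactly this purpose; the decorator has to locate the `REQUEST` argument of the wrapped callable to learn the HTTP method, so without it the check cannot be performed. Suggest `def manage_restart(self, URL1, REQUEST=None):` and confirming that the module still imports cleanly, since the decorator inspects the signature when it is applied.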
@@ -402,7 +404,8 @@
<body>Zope is restarting</body></html>
""" % escape(URL1, 1)
- def manage_shutdown(self):
+ @postonly
+ def manage_shutdown(self, REQUEST=None):
"""Shut down the application"""
try:
user = '"%s"' % getSecurityManager().getUser().getUserName()
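Review bot: `REQUEST=None` is added to `manage_shutdown` solely so that `postonly` can inspect the request; the visible body never uses it, so a one-line comment (or a note in the docstring) saying the parameter exists for the decorator would stop a later cleanup removing it as unused and silently disabling the check.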
@@ -417,6 +420,7 @@
<body>Zope is shutting down</body></html>
"""
+ @postonly
def manage_pack(self, days=0, REQUEST=None):
"""Pack the database"""
@@ -471,6 +475,7 @@
r.append({'id': v})
return r
+ @postonly
def manage_saveVersions(self, versions, REQUEST=None):
"Commit some versions"
db=self._p_jar.db()
@@ -479,6 +484,7 @@
if REQUEST is not None:
REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
+ @postonly
def manage_discardVersions(self, versions, REQUEST=None):
"Discard some versions"
db=self._p_jar.db()