[Zope-CMF] CMFDefault register method & security

Shane Hathaway shane@digicool.com
Tue, 17 Jul 2001 12:31:25 -0400


Andrew Sawyers wrote:
> Jens and I both think it's a bug; I couldn't come up with an easy solution;
> all attempts at passing this through failed.  If you've got a solution, send
> it on over.  Otherwise this is going to wait until one of us can devote more
> time to it.  We've both got other things on our plate at the moment.

Use a form with hidden fields.  Something like this (not looking at the
code):

<form action="logged_in" method="POST">
  <input type="hidden" name="__ac_name" value="&dtml-name;" />
  <input type="hidden" name="__ac_password" value="&dtml-password;" />
  <input type="submit" value="Log in now" />
</form>

The disadvantage of passing a password in a URL is that it might show up
in an HTTP log, which doesn't matter unless you're using HTTPS.  The
hidden fields solution closes that hole.

Shane

> > -----Original Message-----
> > From: zope-cmf-admin@zope.org [mailto:zope-cmf-admin@zope.org]On Behalf
> > Of Chris Withers
> > Sent: Tuesday, July 17, 2001 4:00 AM
> > To: jens@digicool.com
> > Cc: zope-cmf@zope.org
> > Subject: [Zope-CMF] CMFDefault register method & security
> >
> >
> > Jens,
> >
> > Did anyone have any thoughts about this bit of the bug?
> >
> > > > Also, should the registered method really contain a url which
> > > > has both the username and password of a newly generated member in it?
> > > > Seems like a bit of a security hole to me :-S
> >
> > cheers,
> >
> > Chris
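The point of the exchange above, as an added example that is not part of the original thread or of the CMF code: a small stand-alone HTTP server logs each request line the way an access log does, and the same credentials are sent once in a URL (the pattern Chris objected to) and once as POST form fields (Shane's hidden-field fix). The field names __ac_name and __ac_password are the ones Zope's cookie login uses; the server, the user "alice", the password and the "/logged_in" path are constructed for the demo.

```python
"""Added example (not from the original thread): credentials embedded in a URL
end up in the HTTP access log, the same credentials in a POST body do not.
The server below is a stand-in for Zope; the field names __ac_name and
__ac_password are the ones Zope's cookie login uses, everything else (host,
port, the user 'alice', her password, the /logged_in path) is constructed.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Stand-in for the web server's access log: one entry per request.
ACCESS_LOG = []


class LoginHandler(BaseHTTPRequestHandler):
    """Accepts credentials as query parameters (GET) or as form fields (POST)."""

    def _credentials_from(self, raw):
        fields = urllib.parse.parse_qs(raw)
        return fields.get("__ac_name", [""])[0], fields.get("__ac_password", [""])[0]

    def _finish(self, name):
        body = f"logged in as {name}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # Credentials travel in the query string, i.e. inside the request line.
        query = urllib.parse.urlsplit(self.path).query
        name, _password = self._credentials_from(query)
        self._finish(name)

    def do_POST(self):
        # Credentials travel in the entity body, which the access log never sees.
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode()
        name, _password = self._credentials_from(raw)
        self._finish(name)

    def log_message(self, fmt, *args):
        # Like a common-log-format access log, record the request line verbatim;
        # this is exactly how a URL-borne password ends up on disk.
        ACCESS_LOG.append(fmt % args)


def start_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Ignore any http_proxy environment so the demo stays local.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def login_via_url(base, name, password):
    """The 'registered' style: credentials embedded in a URL (GET)."""
    qs = urllib.parse.urlencode({"__ac_name": name, "__ac_password": password})
    with _OPENER.open(f"{base}/logged_in?{qs}") as resp:
        return resp.read().decode()


def login_via_hidden_form(base, name, password):
    """Shane's fix: the same two fields submitted as a POST body."""
    data = urllib.parse.urlencode({"__ac_name": name, "__ac_password": password}).encode()
    req = urllib.request.Request(f"{base}/logged_in", data=data, method="POST")
    with _OPENER.open(req) as resp:
        return resp.read().decode()


def demo(name="alice", password="s3cret-demo"):
    """Run both logins against a fresh server; return the two access-log lines."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        ACCESS_LOG.clear()
        login_via_url(base, name, password)
        login_via_hidden_form(base, name, password)
        return {"get": ACCESS_LOG[0], "post": ACCESS_LOG[1]}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    lines = demo()
    print("GET  :", lines["get"])   # request line carries __ac_password=...
    print("POST :", lines["post"])  # request line is just "POST /logged_in HTTP/1.1"
```

The log entry is written by the server after it has read the request, so whether the connection was plain HTTP or HTTPS makes no difference to what this demo records; the URL form also lands in browser history and in Referer headers sent to any page linked from the landing page, which the POST form avoids as well.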