[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Tue, 09 Apr 2002 17:37:21 +0200


The issue of client side trojan recently came to my mind again.
Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan
I found nothing new since Oct. 2001, so I thought I'd bring up the issue 
again; maybe it's something which could be taken care of for zope => 2.6.

I wrote something about that at the wiki, but let me repeat my proposal.

I think zope's management methods (the potentially destructive ones) 
should not accept REQUESTs with REQUEST_METHOD "GET".

This is in accordance with the http/1.1 rfc (reposted from the wiki):

    "Implementors should be aware that the software represents the user
    in their interactions over the Internet, and should be careful to
    allow the user to be aware of any actions they might take which may
    have an unexpected significance to themselves or others. In
    particular, the convention has been established that the GET
    and HEAD methods SHOULD NOT have the significance of taking an
    action other than retrieval. These methods ought to be
    considered "safe". This allows user agents to represent other
    methods, such as POST, PUT and DELETE, in a special way, so that
    the user is made aware of the fact that a possibly unsafe action is
    being requested."


The win would be that disabling javascript would make a client safe from 
this form of attack, AFAIK. OTOH I can't think of anything which would 
break ATM.

cheers,
oliver
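The check proposed in the post, written out as an added example (not Zope's own code and not part of the original message): a decorator that refuses to run a state-changing management method when REQUEST_METHOD is one of the RFC 2616 "safe" methods. REQUEST is modelled as a plain dict and the `Folder`/`manage_delObjects` stand-in is hypothetical.

```python
# Added example: reject GET/HEAD on destructive Zope-style management methods.
# REQUEST is a plain dict here; real ZPublisher REQUEST objects expose
# REQUEST_METHOD the same way. Folder/manage_delObjects are hypothetical.
from functools import wraps

# Methods RFC 2616 calls "safe": retrieval only, so they must never mutate state.
SAFE_METHODS = frozenset({"GET", "HEAD"})


class UnsafeMethodForbidden(Exception):
    """Raised when a state-changing method is invoked via a safe HTTP method."""


def reject_safe_methods(func):
    """Decorator: refuse to run the wrapped method on GET/HEAD requests.

    Expects REQUEST as a keyword argument, mirroring the Zope convention
    manage_foo(self, ..., REQUEST=None). A missing REQUEST or a missing
    REQUEST_METHOD is treated as GET, so the check fails closed.
    """
    @wraps(func)
    def wrapper(*args, **kwargs):
        request = kwargs.get("REQUEST") or {}
        method = str(request.get("REQUEST_METHOD", "GET")).upper()
        if method in SAFE_METHODS:
            raise UnsafeMethodForbidden(
                f"{func.__name__} must not be invoked via {method}")
        return func(*args, **kwargs)
    return wrapper


class Folder:
    """Minimal stand-in for a Zope folder (hypothetical, for illustration)."""

    def __init__(self, ids):
        self.objects = set(ids)

    @reject_safe_methods
    def manage_delObjects(self, ids, REQUEST=None):
        """Delete the named objects; destructive, so never on GET/HEAD."""
        self.objects -= set(ids)
        return sorted(self.objects)


def attempt(method, ids):
    """Simulate one request; return (allowed, remaining object ids)."""
    folder = Folder(["index_html", "secret", "logo"])  # constructed sample content
    try:
        remaining = folder.manage_delObjects(ids, REQUEST={"REQUEST_METHOD": method})
        return True, remaining
    except UnsafeMethodForbidden:
        return False, sorted(folder.objects)
```

A link or image tag a victim's browser fetches arrives as GET and is refused, while the management form's POST still works; the post's own caveat stands, in that this does nothing against a script-submitted POST.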