[Zope-dev] [RFClet]: What about the request method and the client side trojan?
Brian Lloyd
brian@zope.com
Tue, 9 Apr 2002 13:17:40 -0400
> The issue of client side trojan recently came to my mind again.
> Looking at http://www.zope.org//Members/jim/ZopeSecurity/ClientSideTrojan
> I found nothing new since Oct. 2001, so I thought I'd bring up the issue
> again, maybe it's something which could be taken care of for zope => 2.6.
>
> I wrote something about that at the wiki, but let me repeat my proposal.
>
> I think zope's management methods (the potentially destructive ones)
> should not accept REQUESTs with REQUEST_METHOD "GET".
>
> This is in accordance with the http/1.1 rfc (reposted from the wiki):
>
> <snip RFC citation...>
>
> The win would be that disabling javascript would make a client safe from
> this form of attack, AFAIK, OTOH I can't think of anything which would
> break ATM.
While I don't necessarily disagree about making GETs idempotent,
this still doesn't make you "safe", even with JS turned off.
A quick example: images can be used as form submit buttons. If
I can get you to visit a page and click on my innocent looking
image... you're done :)
This is a hard, hard problem. While some good ideas have been
proposed, there is not really a quick fix that doesn't have
some downside that some group somewhere considers a
showstopper :(
Brian Lloyd brian@zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
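An added illustration of the two layers the exchange above implies (this is not code from the thread or from Zope itself): refusing GET for destructive management methods, as proposed, plus a per-session form token, which is what a forged cross-site POST such as an image submit button cannot supply. The `Request` model, the `_ZopeId` cookie name, the `_authenticator` field and the `ids` field are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical minimal request model (an assumption, not Zope's REQUEST object).
@dataclass
class Request:
    method: str                                  # REQUEST_METHOD, "GET" or "POST"
    form: dict = field(default_factory=dict)     # submitted form fields
    cookies: dict = field(default_factory=dict)  # cookies the browser attached

TOKEN_FIELD = "_authenticator"   # constructed hidden-field name
SESSION_COOKIE = "_ZopeId"       # constructed session cookie name

def issue_token(session_tokens: dict, session_id: str) -> str:
    """Create and remember a per-session secret. It is rendered only into the
    management form on a same-origin page, never into a URL or link."""
    token = secrets.token_hex(16)
    session_tokens[session_id] = token
    return token

def is_safe_to_mutate(request: Request, session_tokens: dict) -> bool:
    """Gate for a destructive management method.

    1. Refuse GET (the proposal in the thread): a link or <img src> can never
       trigger the method.
    2. Also require the session token in the POST body (Brian's objection):
       a forged cross-site form, image submit button included, cannot know it,
       even though the browser still attaches the victim's session cookie.
    """
    if request.method.upper() != "POST":
        return False
    expected = session_tokens.get(request.cookies.get(SESSION_COOKIE))
    supplied = request.form.get(TOKEN_FIELD)
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)

def demo() -> tuple:
    """Constructed requests: forged GET, forged POST (no token), legitimate POST."""
    tokens = {}
    token = issue_token(tokens, "sess-1")
    cookies = {SESSION_COOKIE: "sess-1"}   # sent by the browser on every request
    forged_get = Request("GET", {"ids": ["index_html"]}, cookies)
    forged_post = Request("POST", {"ids": ["index_html"]}, cookies)
    legit_post = Request("POST", {"ids": ["index_html"], TOKEN_FIELD: token}, cookies)
    return (is_safe_to_mutate(forged_get, tokens),
            is_safe_to_mutate(forged_post, tokens),
            is_safe_to_mutate(legit_post, tokens))
```

Only the third request passes; the first two fail for different reasons, which is why the method check alone is not enough.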