[Zope-dev] [RFClet]: What about the request method and the client side trojan?

Oliver Bleutgen myzope@gmx.net
Fri, 12 Apr 2002 20:52:43 +0200


Jeffrey P Shell wrote:

> I have to now admit to not having seen the proposal, I've just been
> following along here and struggling to capture the meaning of "idempotent"
> as it applies to Zope security, but I *think* I'm starting to grok it.
> Since a search for idempotent on zope.org yields no results, I'm assuming
> that your proposal isn't up there (or the catalog is up to its old charms ;)

Jeffrey,
idempotence is mentioned in the HTTP/1.1 RFC, which says

"  Methods may also have the property of "idempotence" in that (aside
    from error or expiration issues) the side-effects of  N > 0
    identical requests is the same as for a single request. The methods
    GET, HEAD, PUT and DELETE share this property."

There's another quote from the rfc in my posting which started this thread.

The question is, to put it bluntly, if e.g. something
<img src="http://yourserver/manage_delObjects?ids:list=an_object">
anywhere on any page you might visit should be able to do what it does 
now, if you happen to be authorized at yourserver with enough privileges.

The fix would be to not accept GET requests for certain methods.

cheers,
oliver
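The scenario above (an `<img>` on an attacker's page issuing a GET to a state-changing method, riding on the victim's existing authentication) and the proposed fix (refuse GET for such methods), as an added example that is not Zope code and not part of the original thread. It is a toy publisher: `Folder`, `manage_delObjects`, the `state_changing` marker and the simplified handling of the `:list` form converter are all assumptions made here for illustration, and the "browser" is simulated by calling `publish` with the method the browser would use.

```python
# Added example, not Zope's code: a minimal publisher that refuses GET
# (and HEAD) for methods marked as non-idempotent.
from urllib.parse import urlsplit, parse_qs

SAFE_METHODS = {"GET", "HEAD"}  # idempotent, side-effect-free per RFC 2616


def state_changing(func):
    """Mark a published method as having side effects (assumed helper)."""
    func.__state_changing__ = True
    return func


class Folder:
    """Stand-in for a Zope folder (assumption; not the real class)."""

    def __init__(self):
        self.objects = {"an_object": "data", "other": "data"}

    def index_html(self):
        # Read-only view: harmless on GET.
        return ", ".join(sorted(self.objects))

    @state_changing
    def manage_delObjects(self, ids):
        for name in ids:
            self.objects.pop(name, None)
        return "deleted: " + ", ".join(ids)


def publish(folder, method, url, body=""):
    """Dispatch one request; returns (status, body).

    The caller is assumed to be already authenticated with enough
    privileges, which is exactly the situation the <img> trick abuses.
    """
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    target = getattr(folder, name, None)
    if target is None or name.startswith("_"):
        return 404, "not found"

    # The proposed fix: state-changing methods must not run on GET/HEAD,
    # so a URL embedded in an <img src> cannot trigger them.
    if getattr(target, "__state_changing__", False) and method in SAFE_METHODS:
        return 405, "%s not allowed for %s; use POST" % (method, name)

    params = parse_qs(parts.query)
    if method == "POST":
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)

    # Simplified ":list" converter (assumption modelled on ZPublisher's
    # form converters): "ids:list" becomes keyword argument ids=[...].
    kwargs = {}
    for key, values in params.items():
        if key.endswith(":list"):
            kwargs[key[:-5]] = values
        else:
            kwargs[key] = values[-1]
    return 200, target(**kwargs)


if __name__ == "__main__":
    folder = Folder()
    # What the browser does when it renders the attacker's <img> tag:
    print(publish(folder, "GET",
                  "http://yourserver/manage_delObjects?ids:list=an_object"))
    print("objects after GET:", sorted(folder.objects))
    # A deliberate POST from the management UI still works:
    print(publish(folder, "POST", "http://yourserver/manage_delObjects",
                  "ids:list=an_object"))
    print("objects after POST:", sorted(folder.objects))
```

Refusing GET closes the `<img src>` vector, because an image fetch can only ever be a GET. It does not by itself stop a cross-site page from auto-submitting a POST form with the victim's cookies, so in practice the method check is combined with a per-session token that the attacker's page cannot read.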