small summary and big plea was:(Re: [Zope-dev] Versions: should they die?)

Oliver Bleutgen myzope@gmx.net
Fri, 06 Jun 2003 16:07:21 +0200


Aaah, big thanks for chiming in. *sigh of relief*.

Shane Hathaway wrote:
> Casey Duncan wrote:
> 
>> The security implications do not seem dire enough to me to warrant 
>> trying to squeeze this into 2.6.x. If you do not use versions then 
>> none of the implications apply. Perhaps it might be possible to do 
>> additional security checks to make entering versions more protected. 
>> This might be an appropriate change for 2.6.
> 
> 
> My opinion on this is a little different.  It's quite easy for anyone to 
> make mischief on any Zope server that lets people make even minor 
> changes to the site, such as giving feedback, posting a discussion item, 
> etc.   All you have to do is include a Zope-Version cookie in the request
> and your changes will place a lock on any objects that the request 
> touches.  

It's even worse. Just add &Zope-Version=bla to your (or anyone else's) 
request, maybe handy for client side scripting attacks.

> Zope doesn't even check the validity of the Zope-Version 
> cookie.  Anyone who is not a ZODB expert would have a hard time bringing 
> the site back to sanity.

Well, there's still ControlPanel->Version Management, but you have first 
to know that it exists ;). Had that problem when this hit me quite a 
while ago.

> 
> I think 2.6 ought to fix this by disabling recognition of the 
> Zope-Version cookie and disabling the creation of Version objects, with 
> an option to re-enable.

+1

cheers,
oliver
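The thread's proposed fix is to stop honouring the Zope-Version selector at the request boundary. The following is an added example, not code from Zope or from anyone in this thread: a small WSGI-style filter that strips `Zope-Version` from both places the thread mentions (the cookie header and the query string) before the application sees the request, and returns what it removed so the attempt can be logged. The environ layout follows PEP 3333; the function and middleware names are my own.

```python
# Added example (not Zope's own code): refuse to honour the Zope-Version
# selector, whether it arrives as a cookie or as a query-string parameter.
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode

VERSION_KEY = "Zope-Version"  # the cookie / parameter name named in the thread


def strip_version_selector(environ):
    """Remove Zope-Version from QUERY_STRING and HTTP_COOKIE in place.

    Returns the list of values that were removed (empty if none), so the
    caller can log or count attempts without ever acting on them.
    """
    removed = []

    # Query string: rebuild it without the selector, preserving other pairs.
    qs = environ.get("QUERY_STRING", "")
    if qs:
        kept = []
        for key, value in parse_qsl(qs, keep_blank_values=True):
            if key == VERSION_KEY:
                removed.append(value)
            else:
                kept.append((key, value))
        environ["QUERY_STRING"] = urlencode(kept)

    # Cookie header: re-serialise without the selector.
    raw = environ.get("HTTP_COOKIE", "")
    if raw:
        jar = SimpleCookie()
        jar.load(raw)
        if VERSION_KEY in jar:
            removed.append(jar[VERSION_KEY].value)
            del jar[VERSION_KEY]
        environ["HTTP_COOKIE"] = "; ".join(
            f"{m.key}={m.coded_value}" for m in jar.values())

    return removed


def version_selector_filter(app, log=print):
    """WSGI middleware (hypothetical name) wrapping `app` with the filter."""
    def wrapped(environ, start_response):
        dropped = strip_version_selector(environ)
        if dropped:
            # Detection hook: record that someone tried to select a version.
            log("dropped Zope-Version selector(s) %r from %s"
                % (dropped, environ.get("REMOTE_ADDR", "?")))
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed sample request carrying the selector in both places.
    env = {
        "REMOTE_ADDR": "192.0.2.10",
        "QUERY_STRING": "a=1&Zope-Version=bla&b=2",
        "HTTP_COOKIE": "session=abc; Zope-Version=bla",
    }
    print(strip_version_selector(env))   # ['bla', 'bla']
    print(env["QUERY_STRING"], "|", env["HTTP_COOKIE"])
```

Stripping happens before the application runs, so a request that merely carries the selector can no longer place a version lock on the objects it touches; the returned list is what you would feed into a log line or a counter to notice the attempts.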