small summary and big plea was:(Re: [Zope-dev] Versions: should
they die?)
Oliver Bleutgen
myzope@gmx.net
Fri, 06 Jun 2003 16:07:21 +0200
Aaah, big thanks for chiming in. *sigh of relief*.
Shane Hathaway wrote:
> Casey Duncan wrote:
>
>> The security implications do not seem dire enough to me to warrent
>> trying to squeeze this into 2.6.x. If you do not use versions then
>> none of the implications apply. Perhaps it might be possible to do
>> additional security checks to make entering versions more protected.
>> This might be an appropriate change for 2.6.
>
>
> My opinion on this is a little different. It's quite easy for anyone to
> make mischief on any Zope server that lets people make even minor
> changes to the site, such as giving feedback, posting a discussion item,
> etc. All you have to do is include a Zope-Version cookie in the request
> and your changes will place a lock on any objects that the request
> touches.
It's even worse. Just add &Zope-Version=bla to your (or anyone elses)
request, maybe handy for client side scripting attacks.
> Zope doesn't even check the validity of the Zope-Version
> cookie. Anyone who is not a ZODB expert would have a hard time bringing
> the site back to sanity.
Well, there's still ControlPanel->Version Management, but you have first
to know that it exists ;). Had that problem when this hit me quite a
while ago.
>
> I think 2.6 ought to fix this by disabling recognition of the
> Zope-Version cookie and disabling the creation of Version objects, with
> an option to re-enable.
+1
cheers,
oliver