small summary and big plea was:(Re: [Zope-dev] Versions: should they die?)
Dieter Maurer
dieter@handshake.de
Fri, 6 Jun 2003 20:35:38 +0200
Oliver Bleutgen wrote at 2003-6-6 11:46 +0200:
> ...
> Bad properties of this implementation:
>
> 1. The "Join/Leave Versions" permission doesn't secure entering versions
> 2. Zope doesn't care if a corresponding Version instance to the value
> of REQUEST['Zope-Version'] exists, more exactly, zope doesn't care for
> the value of that Zope-Version variable at all.
> 3. And (minor problem, but whatever), since zope relies completely on
> the browser to send cookies only at the right time (i.e. that the path set
> for the cookie must match a prefix of the request-URI), this might
> also give unexpected results with acquisition.
>
>
> Security implications:
>
> Doh, anybody who can read/write to a zope server can get it to
> read/write from/to any version he likes, and the admin has no way of
> anticipating that short of patching zope. Combine that with sites like
> squishdot, collector.zope.org and you get chaos.
>
> Big plea:
>
> Really, this _is_ a security bug, and it should be handled that way and
> fixed in 2.6.2 by any means, so that all(!) bad properties I listed
> above are gone.
1. is difficult to change.
If we had a post-authentication hook (a hook called by
ZPublisher after authentication has been done),
then we could check in this hook that the user has
the right to enter the version.
Such a hook would be extremely helpful for other applications,
too.
2. would be easy to fix. I already posted an outline for the check.
3. is already implemented correctly (I think).
Dieter
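
The two checks discussed in this message (points 1 and 2), as an added example that is not part of the original post and is not Zope code: a self-contained model that compares using the Zope-Version value unchecked with validating it after authentication. All class and function names, the sample paths and the choice to ignore a rejected value are assumptions made for illustration.

```python
# Simplified model, not Zope code: every class and function name is hypothetical.
from dataclasses import dataclass, field

PERMISSION = "Join/Leave Versions"  # permission name as quoted in the thread
COOKIE = "Zope-Version"             # request variable named in the thread


@dataclass
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


def version_trusting_cookie(request):
    """Behaviour criticised in the thread: the client's value is used unchecked."""
    return request.get(COOKIE) or None


def version_after_auth(existing_versions, user, request):
    """Run once the user is known; return (version or None, reason).

    Point 2: the value must name a Version instance that exists.
    Point 1: the authenticated user must hold the permission.
    A rejected value is ignored, so the request is served from the main data.
    """
    wanted = request.get(COOKIE)
    if not wanted:
        return None, "no version requested"
    if wanted not in existing_versions:
        return None, "no such Version instance"
    if PERMISSION not in user.permissions:
        return None, "permission denied"
    return wanted, "ok"


# Constructed sample data.
VERSIONS = frozenset({"/staging/redesign"})
EDITOR = User("editor", frozenset({PERMISSION}))
ANONYMOUS = User("Anonymous User")

if __name__ == "__main__":
    for user, value in [(ANONYMOUS, "/staging/redesign"),
                        (EDITOR, "/made/up"),
                        (EDITOR, "/staging/redesign")]:
        request = {COOKIE: value}
        print(user.name, value, version_trusting_cookie(request),
              version_after_auth(VERSIONS, user, request))
```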