[Zope-dev] version status
Oliver Bleutgen
myzope@gmx.net
Mon, 16 Jun 2003 17:13:20 +0200
Shane Hathaway wrote:
> Jamie Heilman wrote:
>
>> What's the status of versions for 2.6.2 and 2.7? Have there been any
>> decisions reached? I saw Jim's code get checked in but it won't
>> stop the DoS I posted.
>
>
> Say it a little louder. Here is what I think you're saying:
>
> - Anonymous users can still open a versioned database connection
> (although now they can't use it)
>
> - Merely opening a versioned connection consumes resources
>
> - Zope does not free those resources as it should
>
> Can you confirm that's what you're seeing? Either we need to make Zope
> free the resources, or if that's not possible, we need a different
> strategy.
If I may also add something else, it might be a good idea to limit the
namespace where Zope looks for a variable named "Zope-Version".
Both ZApplication.py and the patch look for this variable in the whole
REQUEST, (i.e. via request.get(...)). I'd propose to change that to
REQUEST.cookies.get(...). As it is, it violates the principle of least
surprise and is also a tad inconsistent, because the patch even assumes
that the "Zope-Version" variable came via a cookie (it tries to delete
said cookie).
This is not purely aesthetic reasoning, since cookies can be trusted a
bit more than other variables coming from the request. You can't inject
them from third party sites, for instance.
Limiting the lookup only to REQUEST.cookies would also make client side
trojan attacks a bit harder (not that you can't do much worse things
with these kinds of attacks).
cheers,
oliver
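The point Oliver makes above, as an added example that is not code from the thread or from Zope itself: a constructed, simplified stand-in for the REQUEST object (the class `FakeRequest`, its `form` and `cookies` attributes and the merged `get()` are assumptions for this illustration) shows why a lookup over the whole request picks up a "Zope-Version" value smuggled in through a link's query string, while a cookie-only lookup does not.

```python
# Added example (not from the Zope codebase or this thread): a constructed,
# simplified model of a request that merges query/form variables and cookies
# into one get(), next to a cookie-only lookup of the same variable.

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class FakeRequest:
    """Stand-in for Zope's REQUEST (assumption: real HTTPRequest has more
    sources; only query/form values and cookies are modelled here)."""
    form: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        # Merged lookup: form/query values are consulted before cookies.
        # Anything a third-party page can put into a link's query string
        # lands in `form`, so it is reachable through this method.
        if key in self.form:
            return self.form[key]
        return self.cookies.get(key, default)


def version_from_request(req: FakeRequest) -> Optional[str]:
    # The lookup the thread criticises: any request variable is accepted.
    return req.get("Zope-Version")


def version_from_cookies(req: FakeRequest) -> Optional[str]:
    # The proposed lookup: only the cookie jar is consulted.
    return req.cookies.get("Zope-Version")


# Constructed samples. The first models a request triggered by a link on a
# third-party site that carries the variable in its query string; the
# browser holds no "Zope-Version" cookie for the Zope host.
CROSS_SITE_LINK = FakeRequest(form={"Zope-Version": "injected-version"})
# The second models a client that genuinely opted into a version via cookie.
LEGIT_CLIENT = FakeRequest(cookies={"Zope-Version": "my-work"})


def demo() -> Dict[str, Optional[str]]:
    return {
        "link_merged": version_from_request(CROSS_SITE_LINK),
        "link_cookie_only": version_from_cookies(CROSS_SITE_LINK),
        "legit_merged": version_from_request(LEGIT_CLIENT),
        "legit_cookie_only": version_from_cookies(LEGIT_CLIENT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```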