[Zope] Zope under SSL and IE

Ross J. Reedstrom reedstrm@wallace.ece.rice.edu
Wed, 19 May 1999 15:00:12 -0500 (CDT) 

Just thought I'd let the group know some of the lessons learned from
may little project. I've set up a file exchange area to replace a bunch
of shared-password FTP accounts (a real security nightmare). To do this,
I got Zope running under Apache/mod-SSL (on top of NT - not my choice, but
it's working.)

I'd posted earlier about some permission problems and comparision issues
with the AUTHENTICATED_USER object in the REQUEST. I got around the access
by using the get method:

REQUEST.get('AUTHENTICATED_USER')

instead of:

REQUEST['AUTHENTICATED_USER']

and for comparison, I use the name method of that object:

<!--#if "addedby == REQUEST.get('AUTHENTICATED_USER').name"-->

So, all my development has been using Netscape under Linux as a
client. So, since it's ready to roll out, I figured I'd better test it a
little ;-) First Netscape under NT works - I did discover that the file
upload sends a different filename: under linux, it's the bare file name,
under NT its the full path. Found a little function called cookID buried
in the source of Image.py. It's not exported from the file (i.e. it's
not a class method or anything), but I was able to almost cut&paste it:

  id=filename[max(string.rfind(filename, '/'),
                        string.rfind(filename, '\\'),
                        string.rfind(filename, ':'),
                        )+1:]          

turn into:

<!--#unless REQUEST['id']-->
   <!--#call "REQUEST.set('filename',REQUEST['file'].filename)"-->
   <!--#call  "REQUEST.set('id',filename[_.max(_.string.rfind(filename, '/'),
                        _.string.rfind(filename, '\\'),
                        _.string.rfind(filename, ':'),
                        )+1:])"-->
<!--#/unless-->


That should work cross platform to strip off the path info, leaving just
the last component.

The next problem was that (surprise, surprise) IE is buggy. IE4.0 won't
handle MIME encapsulated binaries (I suspect it's anything not text/*)
going to or from an SSL server. Just plain breaks, complaining that the
server broke off the connection, but there's nothing in the server error
logs. I suspect IE4 drops the ball, and blames the server. So, I just
installed and tested IE5.0 to see how it does. (2 hour download - and
I'm on a t3!) It's better, although it does get confused about when it
is and is not actually leaving the secure server. At least it does allow
binary files (like Word docs!) to be uploaded and downloaded (in fact,
it displays the Word docs directly in the browser)

So, long story short, Zope rocks, I've closed a gapping security hole on
the server, and I can tell people to use Netscape instead of IE.

Ross

-- 
Ross J. Reedstrom, Ph.D., <reedstrm@rice.edu> 
NSBRI Research Scientist/Programmer
Computer and Information Technology Institute
Rice University, 6100 S. Main St.,  Houston, TX 77005