[Zope] BUG FSCounter: Anonymous can clean up counter file
Marcus Schopen
marcus.schopen@uni-bielefeld.de
Wed, 24 Apr 2002 03:03:38 +0200
Hi,
if using FSCounter it's possible for user Anonymous to clean up the
counter's file with an easy:
http://yourdomain.de/counterobject/write/count=crashme
Now the counter file on the server's filesystem is empty and FSCounter's
"read" method breaks with "ValueError: invalid literal for int()".
On most websites FSCounter instances are just called "counter" or
"Counter" and placed in the root folder. So it takes a second to reset the
counter, and in some cases this crashes the front page too if the counter
object is called without a dtml-try tag.
a short fix:
change write method to:

    # module-level imports the methods below rely on
    import os
    import Globals   # Zope 2 module; Globals.data_dir is the instance's var/ directory

    def write(self):
        ''' increment file '''
        # no REQUEST and no count argument any more: the value written
        # comes only from the file itself, never from the request
        count = 1
        value = self.read()
        outfile = open(str(Globals.data_dir) + os.sep +
                       str(self.filename), 'wb')
        outfile.write(str(value + count))
        outfile.close()
        return int(value + count)

and increase method to:

    def increase(self, REQUEST=None):
        ''' increase '''
        # the published entry point only ever adds one
        return self.write()
Bye
Marcus
--
,---- [ Marcus Schopen ]
| (0>
| //\ P.O. Box 10 25 25
| V_/_ 33525 Bielefeld
| Germany
`----
__________________________________________________
Petition for a Software Patent Free Europe
http://petition.eurolinux.org
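The following is an added, stand-alone illustration of the problem described in the post and of a counter written along the lines of the proposed fix; it is not code from the post or from the FSCounter product. The vulnerable class is a hypothetical reconstruction (the FSCounter source itself is not on the page): it assumes the published `write` method opens the counter file for writing, which truncates it, before converting the request's `count`, which is one way a request such as `/counter/write?count=crashme` leaves an empty file behind while `int()` raises. A `tempfile` directory stands in for `Globals.data_dir`, and the names `VulnerableCounter`, `HardenedCounter`, `make_data_dir`, `demo_vulnerable` and `demo_hardened` are this example's own.

```python
import os
import tempfile


def make_data_dir():
    # Constructed stand-in for Zope's Globals.data_dir so the example runs offline.
    return tempfile.mkdtemp(prefix="fscounter-")


class VulnerableCounter:
    """Hypothetical reconstruction of the behaviour the post describes:
    `write` is published and takes `count` straight from the request."""

    def __init__(self, data_dir, filename="counter"):
        self.path = os.path.join(data_dir, filename)
        with open(self.path, "w") as f:
            f.write("0")

    def read(self):
        """Return the stored hit count; raises ValueError on a clobbered file."""
        with open(self.path) as f:
            return int(f.read())

    def write(self, count=1, REQUEST=None):
        """Add `count` (attacker-controlled via the query string) and store it."""
        value = self.read()
        outfile = open(self.path, "w")              # truncates the file right here
        try:
            outfile.write(str(value + int(count)))  # int("crashme") -> ValueError
        finally:
            outfile.close()                         # file is left empty on failure
        return value + int(count)


class HardenedCounter:
    """Counter along the lines of the post's fix, with two extra safeguards:
    read() tolerates a clobbered file and the store is replaced atomically."""

    def __init__(self, data_dir, filename="counter"):
        self.path = os.path.join(data_dir, filename)
        if not os.path.exists(self.path):
            self._store(0)

    def read(self):
        """Return the stored count; a missing, empty or garbage file counts as 0."""
        try:
            with open(self.path) as f:
                return int(f.read().strip() or "0")
        except (OSError, ValueError):
            return 0

    def _store(self, value):
        # Write to a sibling temp file and rename it over the original, so a
        # failure part-way through never leaves a truncated counter file.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(int(value)))
        os.replace(tmp, self.path)

    def write(self):
        """Increment by exactly one; nothing from the request reaches the file."""
        value = self.read() + 1
        self._store(value)
        return value

    def increase(self, REQUEST=None):
        """The published entry point: REQUEST is accepted but never used."""
        return self.write()


def demo_vulnerable():
    """Reproduce the report: (file contents after the attack, read() still works?)."""
    counter = VulnerableCounter(make_data_dir())
    counter.write(count=1)                 # an ordinary page hit -> "1"
    try:
        counter.write(count="crashme")     # what .../counter/write?count=crashme does
    except ValueError:
        pass
    with open(counter.path) as f:
        contents = f.read()
    try:
        counter.read()
        readable = True
    except ValueError:
        readable = False
    return contents, readable              # ("", False)


def demo_hardened():
    """(value read back from a clobbered file, value after the next hit)."""
    counter = HardenedCounter(make_data_dir())
    counter.increase()
    counter.increase()                     # stored "2"
    with open(counter.path, "w") as f:     # simulate a file someone clobbered
        f.write("crashme")
    recovered = counter.read()             # 0 instead of a ValueError
    return recovered, counter.increase()   # (0, 1)
```

Two caveats worth keeping in mind when applying the post's fix. First, under Zope 2 a method with a docstring is still reachable through the URL, so `write` stays callable as `/counter/write`; once it takes no arguments that is harmless, because the only thing a caller can do is add one. Second, neither the original nor this example locks the file, so two concurrent hits can still lose an increment; that is a correctness issue rather than the security one the post is about, and a file lock or a single-writer store would be the next step.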