[Zope] BUG FSCounter: Anonymous can clean up counter file

Andy McKay andy@agmweb.ca
Wed, 24 Apr 2002 08:05:55 -0700 

Hmm good point. I'll try to get out a new release, thanks.

----- Original Message ----- 
From: "Marcus Schopen" <marcus.schopen@uni-bielefeld.de>
To: "Marcus Schopen" <marcus.schopen@uni-bielefeld.de>
Cc: <zope@zope.org>
Sent: Tuesday, April 23, 2002 6:25 PM
Subject: Re: [Zope] BUG FSCounter: Anonymous can clean up counter file


> sorry typo, it's:
> 
> http://yourdomain.de/counterobject/write?count=crashme
> 
> 
> Marcus Schopen wrote:
> > 
> > Hi,
> > 
> > if using FSCounter it's possible for user Anonymous to clean up the
> > counter's file with an easy:
> > 
> >         http://yourdomain.de/counterobject/write/count=crashme
> > 
> > Now the counter file on server's filesystem is empty and FSCounter's
> > "read" method breaks with "ValueError: invalid literal for int()".
> > 
> > On most websites FSCounter instances are just called "counter" or
> > "Counter" and placed in the root folder. So it's a secound to reset the
> > counter and in some cases this crash the front site too if the counter
> > object is called without a dtml-try tag.
> > 
> > a short fix:
> > 
> > change write method to:
> > 
> >     def write(self):
> >         ''' increment file '''
> >         count = 1
> >         value = self.read()
> >         outfile = open(str(Globals.data_dir) + os.sep +
> > str(self.filename), 'wb')
> >         outfile.write(str(value + count))
> >         outfile.close()
> >         return int(value + count)
> > 
> > and increase method to:
> > 
> >     def increase(self, REQUEST=None):
> >         ''' increase '''
> >         return self.write()
> > 
> > Bye
> > Marcus
> > 
> 
> -- 
> 
> 
>  ,---- [ Marcus Schopen ] 
> |  (0>   
> |  //\   P.O. Box 10 25 25
> |  V_/_  33525 Bielefeld
> |        Germany
>  `----
> 
> __________________________________________________
> 
> Petition for a Software Patent Free Europe 
> http://petition.eurolinux.org
> 
> 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
>