[Zope] Security doubt
Jamie Heilman
jamie@audible.transient.net
Fri, 6 Jun 2003 11:36:48 -0700
Oliver Bleutgen wrote:
> Common wisdom seems to be to filter out .*manage.* requests in
> apache (search the mailing lists for that).
Sadly, if you want 100% coverage, filtering on 'manage' alone won't cut
it, thanks to
a) management interfaces that don't use "manage" anywhere in the name,
like ZCacheable_*
b) type coercion done through POST requests, which seems basically
impossible to filter out using apache
Zope will have to be patched or a new product will have to be written
to enforce secure management.
--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
I liked you better when you weren't saying squat kid." -Buddy
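The two gaps in the 'manage' rule, shown as an Apache configuration. This is an added illustration, not code from the original post or from the Zope project; it assumes Apache 2.2-era mod_authz_host directives (Order/Deny/Allow), that Zope is proxied behind this virtual host, and that 127.0.0.1 stands in for whatever administrative host should keep access:

```apache
# Added illustration (not from the original post or the Zope project).
# Assumes Apache 2.2-style access control (Order/Deny/Allow) and that
# 127.0.0.1 is the assumed administrative host; adjust to your setup.

# The "common wisdom" rule: refuse any request path containing "manage".
<LocationMatch "manage">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</LocationMatch>

# Point (a): management methods whose names never contain "manage",
# such as the ZCacheable_* methods mentioned in the post. Each such
# family needs its own block, and any one you forget stays reachable.
<LocationMatch "ZCacheable_">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</LocationMatch>

# Point (b) is not covered by anything above: LocationMatch only
# inspects the request path. A POST whose form fields carry the type
# coercion reaches Zope untouched, because Apache never looks at the
# request body here. That is why the post concludes the enforcement
# has to live in Zope itself.
```

Path-based blocking in Apache is a useful belt-and-braces layer, but as the post says, it cannot be the only control; anything relying on request-body contents has to be checked where the body is parsed.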