[Zope] Security doubt
Vladimir Petrovic
vladap@criticalpublics.com
Sat, 7 Jun 2003 01:27:53 +0300
On Friday 06 June 2003 21:36, Jamie Heilman wrote:
> > Common wisdom seems to be to filter out .*manage.* requests in
> > apache (search the mailing lists for that).
>
> Sadly if you want 100% coverage filtering on 'manage' alone won't cut
> it thanks to
> a) management interfaces that don't use manage anywhere
> in the name like ZCacheable_*
> b) type coercion done through POST requests which seems basically
> impossible to filter out using apache
>
> Zope will have to be patched or a new product will have to be written
> to enforce secure management.
There is also a possibility of filtering the authentication field when the HTTP
request passes through the reverse proxy.
I think that Apache doesn't support this, but using a rewrite rule it is possible
to return unauthorized or forbidden if the request contains an authentication
header. This shouldn't be a problem (if this level of security is really
required) since browsers shouldn't send this header anyway if they haven't
received an unauthorized response and the user has entered a username/password.
Vladimir
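As an added illustration of the two approaches discussed in this thread (not configuration from either poster), the following Apache front-end fragment combines the name-based "manage" filter with the Authorization-header check; it assumes mod_rewrite and mod_proxy are loaded and that Zope listens on 127.0.0.1:8080 (both assumptions, not stated in the thread).

```apache
# Added example (not from the thread): Apache reverse proxy in front of Zope.
# Assumes mod_rewrite and mod_proxy are loaded and Zope listens on 127.0.0.1:8080.
RewriteEngine On

# 1. Block management paths by name (the "common wisdom" filter).
#    Screens without "manage" in the name, such as ZCacheable_*, are missed by
#    the first condition, so they are listed explicitly in the second one.
RewriteCond %{REQUEST_URI} manage      [NC,OR]
RewriteCond %{REQUEST_URI} ZCacheable_ [NC]
RewriteRule .* - [F,L]

# 2. Refuse any request that carries credentials at all (Vladimir's idea).
#    A browser only sends Authorization after a 401 and a user prompt, so
#    anonymous visitors are unaffected while management logins from outside
#    get 403 Forbidden before they reach Zope.
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [F,L]

# 3. Everything else is forwarded to Zope unchanged.
ProxyPass        / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
```

The header rule is the only part that does not depend on URL naming; neither rule addresses the anonymous POST type-coercion case Jamie raises, which still requires a fix on the Zope side.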