[Zope] taking ownership requires HTTP_REFERER; and more
Dieter Maurer
dieter at handshake.de
Wed Sep 15 15:03:38 EDT 2004
Fred Yankowski wrote at 2004-9-14 17:36 -0500:
> ...
>So I logged in to the ZMI as a non-admin Manager user and tried to
>take ownership of the portal_skins folder (and all content below it).
>That resulted in Insufficient Privileges too. The error_log entry had
>this:
>
> Unauthorized: manage_takeOwnership was called from an invalid context
>
>That method requires the HTTP_REFERER value from the request to do its
>work. (Why? Is that really to be trusted?) I typically access sites
>via a proxy (junkbuster) that removes the HTTP_REFERER header and so I
>was hosed.
A long time ago,
there was a discussion about how to make management operations a bit
safer. One proposal was to accept management actions only
when they come from the same site. Apparently, someone followed
the proposal in the implementation of "manage_takeOwnership".
I doubt that it was a good idea.
--
Dieter
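The same-site Referer rule the thread describes, written out as an added illustration (this is not Zope's manage_takeOwnership code, and the host names and request headers are constructed). It shows why the check fails closed on a request whose Referer a privacy proxy has removed, and a variant that consults the Origin header first, a mechanism that postdates the 2004 discussion:

```python
from urllib.parse import urlsplit

# Constructed sample requests (hypothetical host names; not traffic captured
# from Zope). Each dict is the set of headers a server-side check would see.
SAME_SITE = {"Host": "zope.example.test",
             "Referer": "http://zope.example.test/manage_owner"}
CROSS_SITE = {"Host": "zope.example.test",
              "Referer": "http://other.example.test/form.html"}
PROXY_STRIPPED = {"Host": "zope.example.test"}      # privacy proxy removed Referer
STRIPPED_WITH_ORIGIN = {"Host": "zope.example.test",
                        "Origin": "http://zope.example.test"}


def _hostname(url):
    """Hostname part of a URL, lower-cased, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def referer_check(headers, site_host):
    """Same-site Referer check in the spirit of the one the thread describes.

    Returns (allowed, reason). A request is accepted only when the Referer
    header names the site itself; a missing or foreign Referer is rejected.
    Failing closed is what makes the check a defence, but it also produces
    exactly the complaint above: a proxy that strips Referer locks the
    legitimate user out of the management action.
    """
    referer = headers.get("Referer")
    if referer is None:
        return False, "no Referer header (stripped by a proxy or browser policy)"
    host = _hostname(referer)
    if host is None:
        return False, "Referer header is not a parseable URL"
    if host != site_host.lower():
        return False, "Referer names a different site: %s" % host
    return True, "Referer is same-site"


def origin_or_referer_check(headers, site_host):
    """Variant that consults the Origin header before falling back to Referer.

    Origin postdates the 2004 thread; browsers send it on cross-site
    requests and on same-site POSTs, and privacy tools strip it far less
    often than Referer, so it reduces the false rejections while keeping
    the same fail-closed rule when neither header is present.
    """
    origin = headers.get("Origin")
    if origin is not None:
        host = _hostname(origin)
        if host == site_host.lower():
            return True, "Origin is same-site"
        return False, "Origin names a different site: %s" % host
    return referer_check(headers, site_host)


if __name__ == "__main__":
    for name, req in [("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                      ("proxy-stripped", PROXY_STRIPPED),
                      ("stripped, Origin present", STRIPPED_WITH_ORIGIN)]:
        print(name, referer_check(req, "zope.example.test"),
              origin_or_referer_check(req, "zope.example.test"))
```

The cross-site request is rejected by both checks, which is the protection the proposal was after; the proxy-stripped request is rejected by the plain Referer check, which is the lockout described in the quoted message. Either way the check only ever sees what the client chose to send, which is the limitation behind the question "is that really to be trusted?".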