[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Florent Guillaume
fg at nuxeo.com
Tue Feb 14 11:01:53 EST 2006
Michael Vartanyan wrote:
> In the very beginning of my Zope career, I once "shot myself in the
> foot" with a very stupid thing... I kept it to myself then but if we are
> talking about Zope security settings and usability of the ZMI at the
> same time, perhaps it is an ideal place to raise this issue.
>
> If you use the famous manage_access page with all the checkboxes to set
> permissions on an object, it then calls manage_changePermissions using
> the POST method to apply your settings. The result is that
> http://your_object_url/manage_changePermissions (without any parameters)
> stays in your browser's visited-URL history. Now imagine what happens if
> you click this URL by mistake while logged in as someone with the "Change
> permissions" permission.
>
> I guess changing the form method to GET is not going to be liked by
> browsers that put additional restrictions on URL length. So I would
> propose to introduce a basic request sanity check in the
> manage_changePermissions itself. I cannot think of any use for resetting
> all permissions and acquisition for everyone, so the easiest way to do
> that is to simply check that at least something exists in the form:
>
> ...
>     def manage_changePermissions(self, REQUEST):
>         """Change all permissions settings, called by management screen.
>         """
> >>      if len(REQUEST.form)<2: raise ...
>         self._isBeingUsedAsAMethod(REQUEST, 0)
>         valid_roles=self.valid_roles()
>         indexes=range(len(valid_roles))
>         have=REQUEST.has_key
>         permissions=self.ac_inherited_permissions(1)
>         fails = []
> ...
>
> or something like that.
Actually the proper way to do it, and for exactly the reasons you outlined
above, is to always do a redirect to a "result page" url after a POST that
has side effects. It's even mandated by the HTTP/HTML specs.
Florent
--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
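An added, stand-alone illustration of both points in the thread (not code from Zope or from either poster): a handler that treats a parameterless GET as "uncheck everything", next to one that refuses an empty non-POST request and answers a successful POST with a redirect to the result page. Request and Response are simplified stand-ins for Zope's REQUEST/RESPONSE, and the "<permission>:<role>" form keys are an assumption, not manage_access's real field names.

```python
from dataclasses import dataclass, field


@dataclass
class Request:                      # stand-in for Zope's REQUEST (assumption)
    method: str
    form: dict = field(default_factory=dict)
    url: str = "http://example.invalid/obj"   # constructed sample URL

@dataclass
class Response:                     # stand-in for Zope's RESPONSE (assumption)
    status: int = 200
    headers: dict = field(default_factory=dict)

class PermissionedObject:
    """Object whose per-role permission table is edited through a form."""

    def __init__(self):
        # constructed starting state
        self.permissions = {"View": {"Manager", "Anonymous"},
                            "Change permissions": {"Manager"}}

    def _apply(self, form):
        # Form keys are "<permission>:<role>" here (simplification of the
        # real manage_access field names); a missing key means "unchecked".
        new = {perm: set() for perm in self.permissions}
        for key, on in form.items():
            perm, _, role = key.partition(":")
            if on and perm in new:
                new[perm].add(role)
        self.permissions = new

    def manage_changePermissions_unsafe(self, request, response):
        # The hazard from the thread: a parameterless GET (e.g. a history
        # click) is indistinguishable from "uncheck everything".
        self._apply(request.form)
        return response

    def manage_changePermissions(self, request, response):
        # Michael's check: refuse a request that carries no settings at all.
        if request.method != "POST" or not request.form:
            response.status = 400
            return response
        self._apply(request.form)
        # Florent's point: redirect after the side effect (Post/Redirect/Get),
        # so the URL left in the browser history is the harmless result page.
        response.status = 303
        response.headers["Location"] = request.url + "/manage_access"
        return response
```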