Aaah, big thanks for chiming in. *sigh of relief*.

Shane Hathaway wrote:
Casey Duncan wrote:

The security implications do not seem dire enough to me to warrant trying to squeeze this into 2.6.x. If you do not use versions then none of the implications apply. Perhaps it might be possible to do additional security checks to make entering versions more protected. This might be an appropriate change for 2.6.


My opinion on this is a little different. It's quite easy for anyone to make mischief on any Zope server that lets people make even minor changes to the site, such as giving feedback, posting a discussion item, etc. All you have to do is include a Zope-Version cookie in the request and your changes will place a lock on any objects that the request touches.

It's even worse. Just add &Zope-Version=bla to your (or anyone else's) request, maybe handy for client side scripting attacks.


Zope doesn't even check the validity of the Zope-Version cookie. Anyone who is not a ZODB expert would have a hard time bringing the site back to sanity.

Well, there's still ControlPanel->Version Management, but you have first to know that it exists ;). Had that problem when this hit me quite a while ago.



I think 2.6 ought to fix this by disabling recognition of the Zope-Version cookie and disabling the creation of Version objects, with an option to re-enable.

+1


cheers,
oliver
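The thread above proposes disabling recognition of the Zope-Version cookie (and, per Oliver's note, the equivalent query parameter) with an option to re-enable it. The following is an added example written for this page, not Zope's own request machinery: a front-end filter that drops the Zope-Version selector from both the Cookie header and the query string unless versions are explicitly allowed, and a small log scan that flags requests which carried it. The request shape (a dict with `cookie_header` and `query_string`), the `allow_versions` option name and the sample log lines are all assumptions constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Name of the version selector discussed in the thread.
VERSION_KEY = "Zope-Version"


def _split_cookies(header):
    """Parse a raw Cookie header into (name, value) pairs, keeping order."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def strip_version_selectors(request, allow_versions=False):
    """Return (filtered_request, stripped).

    `request` is an assumed dict with 'cookie_header' and 'query_string'.
    Unless allow_versions is True (the "option to re-enable" from the
    thread), any Zope-Version cookie or query parameter is removed before
    the request reaches the application, so it can no longer select a
    Version and lock the objects it touches. `stripped` records what was
    removed so the filter can be logged and audited.
    """
    if allow_versions:
        return dict(request), {}

    filtered = dict(request)
    stripped = {}

    # Cookie header: drop the selector, keep every other cookie verbatim.
    # The comparison is case-insensitive on purpose; a defensive filter
    # should not be bypassed by a differently cased name.
    kept_cookies = []
    for name, value in _split_cookies(request.get("cookie_header", "")):
        if name.lower() == VERSION_KEY.lower():
            stripped["cookie"] = value
        else:
            kept_cookies.append(f"{name}={value}")
    filtered["cookie_header"] = "; ".join(kept_cookies)

    # Query string: same treatment for the &Zope-Version=... form.
    kept_params = []
    for name, value in parse_qsl(request.get("query_string", ""),
                                 keep_blank_values=True):
        if name.lower() == VERSION_KEY.lower():
            stripped["query"] = value
        else:
            kept_params.append((name, value))
    filtered["query_string"] = urlencode(kept_params)

    return filtered, stripped


# Constructed access-log lines for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2002:10:01:02] "GET /feedback?comment=hi HTTP/1.0" 200',
    '10.0.0.9 - - [12/Oct/2002:10:01:05] "POST /discuss?Zope-Version=bla HTTP/1.0" 200',
    '10.0.0.7 - - [12/Oct/2002:10:01:09] "GET /index_html HTTP/1.0" 200',
]


def find_version_requests(lines):
    """Return log lines whose request line carries a Zope-Version parameter.

    Useful for spotting whether anonymous traffic has been selecting
    versions; cookies are not in a standard access log, so this only
    covers the query-string form.
    """
    return [line for line in lines if "zope-version=" in line.lower()]


if __name__ == "__main__":
    req = {"cookie_header": "tree-s=abc; Zope-Version=bla",
           "query_string": "comment=hi&Zope-Version=bla"}
    clean, removed = strip_version_selectors(req)
    print(clean, removed)
    print(find_version_requests(SAMPLE_LOG))
```

With `allow_versions=False` the filter returns the request without the selector in either location and reports what it removed; with `allow_versions=True` it passes the request through untouched, which is the re-enable switch the proposal asks for.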




_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )