[Zope] BUG FSCounter: Anonymous can clean up counter file
Marcus Schopen
marcus.schopen@uni-bielefeld.de
Wed, 24 Apr 2002 03:25:49 +0200
Sorry, typo, it's:
http://yourdomain.de/counterobject/write?count=crashme
Marcus Schopen wrote:
>
> Hi,
>
> If using FSCounter, it's possible for user Anonymous to clean up the
> counter's file with an easy:
>
> http://yourdomain.de/counterobject/write/count=crashme
>
> Now the counter file on server's filesystem is empty and FSCounter's
> "read" method breaks with "ValueError: invalid literal for int()".
>
> On most websites FSCounter instances are just called "counter" or
> "Counter" and placed in the root folder. So it takes a second to reset the
> counter, and in some cases this crashes the front site too if the counter
> object is called without a dtml-try tag.
>
> A short fix:
>
> change write method to:
>
> def write(self):
>     ''' increment file '''
>     # no caller-supplied count is accepted any more: always add exactly 1
>     count = 1
>     value = self.read()
>     outfile = open(str(Globals.data_dir) + os.sep +
>                    str(self.filename), 'wb')
>     outfile.write(str(value + count))
>     outfile.close()
>     return int(value + count)
>
> and increase method to:
>
> def increase(self, REQUEST=None):
>     ''' increase '''
>     # REQUEST is ignored, so ?count=... from the URL has no effect
>     return self.write()
>
> Bye
> Marcus
>
--
,---- [ Marcus Schopen ]
| (0>
| //\ P.O. Box 10 25 25
| V_/_ 33525 Bielefeld
| Germany
`----
__________________________________________________
Petition for a Software Patent Free Europe
http://petition.eurolinux.org
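A constructed model of the failure mode described in the report beside a hardened counter that carries the posted increment-by-one fix further (tolerant read, atomic file replace); this is added example code, not the Zope FSCounter product's own, and `vulnerable_write`, `FSCounterHardened` and `demo` are assumed names.

```python
import os
import tempfile

def vulnerable_write(path, count):
    # Constructed model of the reported write(): the request-supplied value
    # (?count=crashme) is stored verbatim, so the next int() on it fails.
    with open(path, "w") as f:
        f.write(str(count))

class FSCounterHardened:
    # Hardened variant (example code): no caller-supplied value reaches the
    # file, and read() tolerates a missing, empty or corrupted file.
    def __init__(self, path):
        self.path = path

    def read(self):
        try:
            with open(self.path) as f:
                text = f.read().strip()
        except FileNotFoundError:
            return 0
        return int(text) if text.isdecimal() else 0  # corrupt -> 0, not a crash

    def write(self):
        value = self.read() + 1  # increment by exactly one, as in the posted fix
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            f.write(str(value))
        os.replace(tmp, self.path)  # atomic swap: a crash mid-write never leaves an empty file
        return value

    def increase(self, REQUEST=None):
        return self.write()  # request parameters are ignored on purpose

def demo(tmpdir=None):
    # Walk-through on a constructed temp file: reproduce the ValueError, then
    # show the hardened counter recovering from the same corrupted file.
    path = os.path.join(tmpdir or tempfile.mkdtemp(), "counter")
    vulnerable_write(path, "crashme")
    try:
        int(open(path).read())  # the original read(): "invalid literal for int()"
        crashed = False
    except ValueError:
        crashed = True
    hardened = FSCounterHardened(path)
    first, second = hardened.increase(), hardened.increase()  # 1, 2
    missing = FSCounterHardened(path + ".none").read()  # 0 for a file that does not exist
    return crashed, first, second, missing
```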