[Zope] Security doubt

Vladimir Petrovic vladap@criticalpublics.com
Sat, 7 Jun 2003 01:27:53 +0300


On Friday 06 June 2003 21:36, Jamie Heilman wrote:

> > Common wisdom seems to be to filter out .*manage.* requests in
> > apache (search the mailing lists for that).
>
> Sadly if you want 100% coverage filtering on 'manage' alone won't cut
> it thanks to
> a) management interfaces that don't use manage anywhere
>    in the name like ZCacheable_*
> b) type coercion done through POST requests which seems basically
>    impossible to filter out using apache
>
> Zope will have to be patched or a new product will have to be written
> to enforce secure management.

There is also the possibility of filtering the authentication field when the HTTP 
request passes through a reverse proxy. 

I think that Apache doesn't support this, but using a rewrite rule it is possible 
to return Unauthorized or Forbidden if the request contains an authentication 
header. This shouldn't be a problem (if this level of security is really 
required) since browsers shouldn't send this header anyway unless they have 
received an Unauthorized response and the user has entered a username/password.

Vladimir
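The reverse-proxy filtering discussed above, as an added example that is not part of the original posts or of Zope itself. It assumes Apache httpd 2.x with mod_rewrite, mod_headers and mod_proxy loaded, a Zope instance listening on 127.0.0.1:8080, and the hostname www.example.com (all three are assumptions); the management-name list contains only what the thread itself names:

```apache
# Added example, not from the thread or from Zope. Assumes Apache httpd 2.x with
# mod_rewrite, mod_headers and mod_proxy; Zope assumed on 127.0.0.1:8080.
<VirtualHost *:80>
    # assumed hostname
    ServerName www.example.com

    RewriteEngine On

    # The "common wisdom" path filter: refuse any URL path containing manage.
    # As the quoted message notes, this alone is incomplete (ZCacheable_* has
    # no "manage" in it), so the non-"manage" names the thread mentions are
    # listed alongside. [F] answers 403 Forbidden and stops rule processing.
    RewriteRule (manage|ZCacheable_) - [F]

    # The header filter from the reply: if the client presents an Authorization
    # header at all, answer 403 Forbidden instead of forwarding the request.
    # %{HTTP:Authorization} expands to the request's Authorization header; the
    # "." pattern matches when it is non-empty.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [F]

    # Alternative to rejecting: strip the header (mod_headers) so Zope never
    # sees the credentials but the request itself still goes through. Use this
    # instead of the RewriteCond/RewriteRule pair above, not in addition.
    # RequestHeader unset Authorization

    # Everything that survives the filters is forwarded to Zope.
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two caveats a practitioner should keep in mind when deploying something like this. First, the path filter only sees the URL path, so it does nothing about the POST-based type coercion the quoted message says cannot be filtered in Apache. Second, the header filter only inspects the Authorization header; it cannot see credentials carried in any other way, so it is only as complete as the set of authentication mechanisms the Zope instance actually accepts.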