[Zope] Security doubt

Oliver Bleutgen myzope@gmx.net
Sat, 07 Jun 2003 00:58:05 +0200

Vladimir Petrovic wrote:
> On Friday 06 June 2003 21:36, Jamie Heilman wrote:
>>>Common wisdom seems to be to filter out .*manage.* requests in
>>>apache (search the mailing lists for that).
>>Sadly if you want 100% coverage filtering on 'manage' alone won't cut
>>it thanks to
>>a) management interfaces that don't use manage anywhere
>>   in the name like ZCacheable_*
>>b) type coercion done through POST requests which seems basically
>>   impossible to filter out using apache
>>Zope will have to be patched or a new product will have to be written
>>to enforce secure management.
> There is also a possibility of filtering authentication field when HTTP 
> request passes through reverse proxy. 
> I think that Apache doesn't suport this, but using rewrite rule it is possible 
> to return unauthorized or forbidden if request contains authentication 
> header. This shouldn't be a problem (if this level of security is really 
> required) since browsers shouldn't send this header anyway if they haven't 
> received unauthorized response and user has entered username/password.

Uhm, but at that moment it's too late, because the username and the 
password have already traveled the wire in clear test, isn't it?