Ticket #1062 (closed task: fixed)

Opened 13 years ago

Last modified 13 years ago

Check for insecure methods

Reported by: jukka Owned by: tarmo
Priority: major Milestone: 1.6 Luuli
Component: generic Version:
Keywords: Cc:
Time planned: Time remaining: 0h
Time spent: 4.0h

Description

When objects have methods like this:

def thispublicmethod(self):
    """ explanation string """

they can be executed by anyone by going to the object's address and adding the method's name to the URL.

Most of the time they're harmless and won't change anything (as they don't have arguments), but some are bad in principle, like getEmail.

Go through our defined object types and see if there are any dangerous methods open and add security.declareProtected(yadayada) safeguards before them (look in Resources.retract to learn how). Especially think if there are any fields that are autogenerated by archetypes that shouldn't be accessible.

Change History

comment:1 Changed 13 years ago by tarmo

  • Owner changed from anonymous to tarmo
  • Status changed from new to assigned

comment:2 Changed 13 years ago by tarmo

Summary of security settings:

  • the docstring makes a method callable directly with an external HTTP call (i.e. users can type the method URL directly in their browsers, provide parameters, and call it)
  • docstrings don't affect calls from ZPT
  • security declarations for methods affect both external calls and ZPT calls (i.e. private methods are not callable, protected methods need proper authentication, and public methods are callable)
  • all methods are by default public if a security declaration is not provided (with the exception of methods whose name begins with an underscore, which are always private)

Summary:

  • Methods without docstrings are only callable from ZPT
  • Methods without security declarations are public

Conclusions:

  • All methods, regardless of having a docstring or not, must have a security declaration if they do something that anonymous Google bots should not be able to do (because we might call methods without a docstring from our ZPT, and those aren't protected by themselves)
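The rules summarised in this comment can be turned into an audit of a class. The following is an added illustration, not code from this ticket or the project: a minimal stand-in for Zope's ClassSecurityInfo (assuming, as in real Zope, that each declaration ends up as a `<name>__roles__` attribute on the class after InitializeClass) and an `audit` function that lists methods with no declaration, split into URL-callable ones (docstring present) and ZPT-only ones. The `Member` class, its method names and the permission string are constructed for the example.

```python
import inspect


class ClassSecurityInfo:
    """Stand-in for AccessControl.ClassSecurityInfo (assumption: the real one
    records each declaration as a <name>__roles__ class attribute when the
    class is initialised; None means public, () means private)."""

    def __init__(self):
        self.names = {}

    def declarePublic(self, *names):
        for n in names:
            self.names[n] = None

    def declarePrivate(self, *names):
        for n in names:
            self.names[n] = ()

    def declareProtected(self, permission, *names):
        # Real Zope stores a PermissionRole here; a tuple is enough for the audit.
        for n in names:
            self.names[n] = (permission,)

    def apply(self, cls):
        # What InitializeClass(cls) does for us in a real Zope product.
        for n, roles in self.names.items():
            setattr(cls, n + "__roles__", roles)


def audit(cls):
    """Return (url_callable_unprotected, zpt_only_unprotected) method names."""
    url_exposed, zpt_only = [], []
    for name, func in inspect.getmembers(cls, inspect.isfunction):
        if name.startswith("_"):               # always private in Zope
            continue
        if hasattr(cls, name + "__roles__"):   # has a security declaration
            continue
        (url_exposed if func.__doc__ else zpt_only).append(name)
    return url_exposed, zpt_only


class Member:                                  # constructed example type
    security = ClassSecurityInfo()

    def getTitle(self):
        """Display title."""                   # docstring + declaration: fine
        return self.title
    security.declarePublic("getTitle")

    def getEmail(self):
        """E-mail address."""                  # docstring, no declaration: URL-callable
        return self.email

    def computeQuota(self):                    # no docstring: ZPT-only, still public
        return 42

Member.security.apply(Member)
```

`audit(Member)` reports `getEmail` as callable from a browser URL and `computeQuota` as reachable only through ZPT, both without a declaration.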

comment:3 Changed 13 years ago by tarmo

  • Status changed from assigned to closed
  • Time spent set to 4.0h
  • Resolution set to fixed
  • Time remaining set to 0h

(In [1264]) Methods checked and secured. Added some FIXMEs that someone should fix... Closes #1062, spent 4h.
