Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.

doc/CHANGES.txt

@@ -8,9 +8,13 @@ Zope Changes
 
    Bugs fixed
 
-      - Protected various security mutators with a new postonly decorator.
-        The decorator limits method publishing to POST requests only, and
-        is a backport from Zope 2.11's requestmethod decorator factory.
+      - Collector #2294: Protected DOS-able ControlPanel methods with the
+        same 'requestmethod' wrapper.
+
+      - Collector #2294: Protected various security mutators with a new
+        'postonly' decorator.  The decorator limits method publishing to
+        POST requests only, and is a backport from Zope 2.11's requestmethod
+        decorator factory.
 
       - Collector #2288: @ and + should not be quoted when forming
         request URLs in BaseRequest and HTTPRequest

lib/python/App/ApplicationManager.py

@@ -31,6 +31,7 @@ from Product import ProductFolder
 from version_txt import version_txt
 from cStringIO import StringIO
 from AccessControl import getSecurityManager
+from AccessControl.requestmethod import postonly
 from zExceptions import Redirect
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from cgi import escape
@@ -387,6 +388,7 @@ class ApplicationManager(Folder,CacheManager):
 
     if os.environ.has_key('ZMANAGED'):
         manage_restartable=1
+        @postonly
         def manage_restart(self, URL1):
             """Shut down the application"""
             try:
@@ -402,7 +404,8 @@ class ApplicationManager(Folder,CacheManager):
             <body>Zope is restarting</body></html>
             """ % escape(URL1, 1)
 
-    def manage_shutdown(self):
+    @postonly
+    def manage_shutdown(self, REQUEST=None):
         """Shut down the application"""
         try:
             user = '"%s"' % getSecurityManager().getUser().getUserName()
@@ -417,6 +420,7 @@ class ApplicationManager(Folder,CacheManager):
         <body>Zope is shutting down</body></html>
         """
 
+    @postonly
     def manage_pack(self, days=0, REQUEST=None):
         """Pack the database"""
 
@@ -471,6 +475,7 @@ class ApplicationManager(Folder,CacheManager):
             r.append({'id': v})
         return r
 
+    @postonly
     def manage_saveVersions(self, versions, REQUEST=None):
         "Commit some versions"
         db=self._p_jar.db()
@@ -479,6 +484,7 @@ class ApplicationManager(Folder,CacheManager):
         if REQUEST is not None:
             REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
 
+    @postonly
     def manage_discardVersions(self, versions, REQUEST=None):
         "Discard some versions"
         db=self._p_jar.db()