Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.

a63210ca · Tres Seaver · 032ee39c · a63210ca · a63210ca
Commit a63210ca authored Mar 21, 2007 by Tres Seaver
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 4 deletions

doc/CHANGES.txt doc/CHANGES.txt +7 -3

lib/python/App/ApplicationManager.py lib/python/App/ApplicationManager.py +7 -1

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -8,9 +8,13 @@ Zope Changes
   Bugs fixed
-      - Protected various security mutators with a new postonly decorator.
+      - Collector #2294: Protected DOS-able ControlPanel methods with the
-        The decorator limits method publishing to POST requests only, and
+        same 'requestmethod' wrapper.
-        is a backport from Zope 2.11's requestmethod decorator factory.
+      - Collector #2294: Protected various security mutators with a new
+        'postonly' decorator.  The decorator limits method publishing to
+        POST requests only, and is a backport from Zope 2.11's requestmethod
+        decorator factory.
      - Collector #2288: @ and + should not be quoted when forming
        request URLs in BaseRequest and HTTPRequest

--- a/lib/python/App/ApplicationManager.py
+++ b/lib/python/App/ApplicationManager.py
@@ -31,6 +31,7 @@ from Product import ProductFolder
 from version_txt import version_txt
 from cStringIO import StringIO
 from AccessControl import getSecurityManager
+from AccessControl.requestmethod import postonly
 from zExceptions import Redirect
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from cgi import escape
@@ -387,6 +388,7 @@ class ApplicationManager(Folder,CacheManager):
    if os.environ.has_key('ZMANAGED'):
        manage_restartable=1
+        @postonly
        def manage_restart(self, URL1):
            """Shut down the application"""
            try:
@@ -402,7 +404,8 @@ class ApplicationManager(Folder,CacheManager):
            <body>Zope is restarting</body></html>
            """ % escape(URL1, 1)
-    def manage_shutdown(self):
+    @postonly
+    def manage_shutdown(self, REQUEST=None):
        """Shut down the application"""
        try:
            user = '"%s"' % getSecurityManager().getUser().getUserName()
@@ -417,6 +420,7 @@ class ApplicationManager(Folder,CacheManager):
        <body>Zope is shutting down</body></html>
        """
+    @postonly
    def manage_pack(self, days=0, REQUEST=None):
        """Pack the database"""
@@ -471,6 +475,7 @@ class ApplicationManager(Folder,CacheManager):
            r.append({'id': v})
        return r
+    @postonly
    def manage_saveVersions(self, versions, REQUEST=None):
        "Commit some versions"
        db=self._p_jar.db()
@@ -479,6 +484,7 @@ class ApplicationManager(Folder,CacheManager):
        if REQUEST is not None:
            REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
+    @postonly
    def manage_discardVersions(self, versions, REQUEST=None):
        "Discard some versions"
        db=self._p_jar.db()