Issue #2294: 'requestmethod' protection for DOS-able ControlPanel methods.

e3e54b0c · Tres Seaver · daae8ba3 · e3e54b0c · e3e54b0c
Commit e3e54b0c authored Mar 21, 2007 by Tres Seaver
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

doc/CHANGES.txt doc/CHANGES.txt +8 -0

lib/python/App/ApplicationManager.py lib/python/App/ApplicationManager.py +7 -1

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -88,6 +88,14 @@ Zope Changes
    Bugs Fixed
+      - Collector #2294: Protected DOS-able ControlPanel methods with the
+        same 'requestmethod' wrapper.
+      - Collector #2294: Protected various security mutators with a new
+        'postonly' decorator.  The decorator limits method publishing to
+        POST requests only, and is a backport from Zope 2.11's requestmethod
+        decorator factory.
      - Collector #2289: restored compatiblity with PTProfiler
      - No longer opens a zodb connection every time a ProductDispatcher

--- a/lib/python/App/ApplicationManager.py
+++ b/lib/python/App/ApplicationManager.py
@@ -30,6 +30,7 @@ from Product import ProductFolder
 from version_txt import version_txt
 from cStringIO import StringIO
 from AccessControl import getSecurityManager
+from AccessControl.requestmethod import postonly
 from zExceptions import Redirect
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from cgi import escape
@@ -388,6 +389,7 @@ class ApplicationManager(Folder,CacheManager):
    if os.environ.has_key('ZMANAGED'):
        manage_restartable=1
+        @postonly
        def manage_restart(self, URL1):
            """Shut down the application"""
            try:
@@ -403,7 +405,8 @@ class ApplicationManager(Folder,CacheManager):
            <body>Zope is restarting</body></html>
            """ % escape(URL1, 1)
-    def manage_shutdown(self):
+    @postonly
+    def manage_shutdown(self, REQUEST=None):
        """Shut down the application"""
        try:
            user = '"%s"' % getSecurityManager().getUser().getUserName()
@@ -418,6 +421,7 @@ class ApplicationManager(Folder,CacheManager):
        <body>Zope is shutting down</body></html>
        """
+    @postonly
    def manage_pack(self, days=0, REQUEST=None):
        """Pack the database"""
@@ -472,6 +476,7 @@ class ApplicationManager(Folder,CacheManager):
            r.append({'id': v})
        return r
+    @postonly
    def manage_saveVersions(self, versions, REQUEST=None):
        "Commit some versions"
        db=self._p_jar.db()
@@ -480,6 +485,7 @@ class ApplicationManager(Folder,CacheManager):
        if REQUEST is not None:
            REQUEST['RESPONSE'].redirect(REQUEST['URL1']+'/manage_main')
+    @postonly
    def manage_discardVersions(self, versions, REQUEST=None):
        "Discard some versions"
        db=self._p_jar.db()