Archive of UserLand's first discussion group, started October 5, 1998.
zope security alert
Author: Jamie Scheinblum Posted: 5/9/2000; 8:16:16 PM Topic: zope security alert Msg #: 17139
It seems that this problem has been solved, in two ways...
1) if the server only performs content changes with a POST request, it becomes significantly more difficult to force damaging changes in the URL query string
2) unique session identifiers in the URL would keep outsiders from sending the links to make damaging changes. This would require the hostile link to know the current session id, which is unlikely.
At least a combination of the two would make it more difficult to pull off that trick, and be easier/eloquent to implement than referer checks.
-js
There are responses to this message:
- Re: zope security alert, Brent Simmons, 5/9/2000; 8:54:19 PM
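The two checks combined in the message above, sketched as an added example that is not part of the original post or of Zope's code. The `sid` query parameter, the `/edit` path, the in-memory session table and the function names are assumptions made for illustration; the cookie stands in for whatever credential the browser attaches automatically.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical in-memory session table: browser credential -> identifier
# that must appear in the URL of every content-changing request.
SESSIONS = {}


def start_session():
    """Create a session and return (cookie_value, url_session_id)."""
    cookie = secrets.token_urlsafe(16)
    sid = secrets.token_urlsafe(16)  # unpredictable, so outsiders cannot embed it in a link
    SESSIONS[cookie] = sid
    return cookie, sid


def allow_change(method, url, cookie):
    """Return (allowed, reason) for a request that would change content."""
    # Check 1: changes are accepted only via POST, so a bare link or
    # image URL (which the browser fetches with GET) cannot trigger one.
    if method.upper() != "POST":
        return False, "method"

    expected = SESSIONS.get(cookie)
    if expected is None:
        return False, "no-session"

    # Check 2: the URL must carry the identifier issued to this session.
    supplied = parse_qs(urlsplit(url).query).get("sid", [""])[0]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "session-id"

    return True, "ok"


if __name__ == "__main__":
    cookie, sid = start_session()
    # Constructed sample requests; the victim's browser sends `cookie` in every case.
    samples = [
        ("GET", f"/edit?page=home&delete=1&sid={sid}"),  # link-style request
        ("POST", "/edit?page=home&delete=1"),            # form built without the id
        ("POST", "/edit?page=home&delete=1&sid=guess"),  # form built with a guessed id
        ("POST", f"/edit?page=home&delete=1&sid={sid}"), # the site's own form
    ]
    for method, url in samples:
        print(method, url.split("sid=")[0], allow_change(method, url, cookie))
```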
This page was archived on 6/13/2001; 4:55:08 PM.
© Copyright 1998-2001 UserLand Software, Inc.