Ticket #4886 (closed Bug: fixed)

Opened 6 years ago

Last modified 3 years ago

non-conformance with RFC 2616, HTTP/1.1 for object_cut, object_delete

Reported by: vinsci Owned by: alecm
Priority: major Milestone: 3.0rc1
Component: Infrastructure Keywords:
Cc: mj

Description (last modified by alecm)

Currently (since 2.1), the object_delete script provides item deletion with access through a HTTP GET request. RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1) however, in section 9.1.1 Safe Methods, states: "... In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. ...".

While deletion of an item through the actions menu is guarded with a javascript alert, a user can be tricked into clicking on a malicious link elsewhere that will carry out the deletion without confirmation. The action is still carried out through a HTTP GET request rather than a HTTP POST.

(From HTML, there's no way to ask for a HTTP DELETE request to be sent)

Change History

comment:1 Changed 6 years ago by alecm

  • Owner changed from to vinsci
  • Description modified

Seems reasonable; make a patch and a functional test and it will be gladly accepted.

comment:2 Changed 6 years ago by hannosch

  • Component changed from Visual and templates to Content Types

comment:3 Changed 6 years ago by alecm

  • Milestone changed from 2.5 to 2.5.x

comment:4 Changed 6 years ago by limi

  • Priority changed from minor to major
  • Milestone changed from 2.5.x to 2.5.1

This is actually quite important to get fixed; deletion should never be possible via GET requests. Anybody want to step up for this?

comment:6 Changed 5 years ago by alecm

Cut/copy actions take no actions which affect the ZODB, I think it is the paste action that we really have to worry about here. In particular we can add a confirmation form for paste, similar to the one I am about to do for delete.

comment:7 Changed 5 years ago by hannosch

  • Milestone changed from 2.5.1 to 2.5.x

comment:8 Changed 5 years ago by alecm

  • Owner changed from vinsci to alecm

Making note to add paste confirm form.

comment:9 Changed 5 years ago by alecm

  • Milestone changed from 2.5.x to 3.0

comment:10 Changed 5 years ago by wichert

  • Cc mj added

Has this been fixed as part of the recent postonly work?

comment:11 Changed 5 years ago by wichert

  • Status changed from new to closed
  • Resolution set to fixed

Assuming it has, so closing the ticket.

comment:12 Changed 5 years ago by mj

This is still on my TODO pile to look at; will reopen if the postonly fixes don't cover this.
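As an added illustration, not code from this ticket or from the project it concerns, the following Python sketch shows the two defenses the description and the later comments call for: a postonly guard that answers a GET to object_delete with 405 instead of deleting anything, and a separate confirmation form whose POST carries a per-session token that a malicious link on another site cannot supply. The Request/Response classes, the dispatcher, the HMAC token construction and the `_authenticator` field name are all assumptions made for this example.

```python
"""Added example: refuse state-changing GET requests and require a
confirmed, token-bearing POST before deleting an item."""
import hashlib
import hmac
from dataclasses import dataclass, field
from html import escape
from typing import Callable, Dict

# Constructed server-side secret; a real deployment loads this from config.
SERVER_SECRET = b"constructed-example-secret"


@dataclass
class Request:
    method: str
    path: str                              # e.g. "/folder/doc1/object_delete"
    params: Dict[str, str] = field(default_factory=dict)  # query + form fields
    session_id: str = "anonymous"          # hypothetical session identifier


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


Store = Dict[str, str]
Handler = Callable[[Request, Store], Response]


def make_authenticator(session_id: str) -> str:
    """Per-session token embedded in the confirmation form.  The HMAC
    construction and the field name are assumptions for this example."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def postonly(handler: Handler) -> Handler:
    """Refuse anything but POST, so a plain link or <img src=...> cannot fire it."""
    def wrapper(request: Request, store: Store) -> Response:
        if request.method != "POST":
            return Response(405, "Method Not Allowed", {"Allow": "POST"})
        return handler(request, store)
    return wrapper


def csrf_protected(handler: Handler) -> Handler:
    """Require a token bound to the caller's session; a cross-site form has no way
    to read it, so a tricked user's browser cannot submit a valid one."""
    def wrapper(request: Request, store: Store) -> Response:
        sent = request.params.get("_authenticator", "").encode()
        expected = make_authenticator(request.session_id).encode()
        if not hmac.compare_digest(sent, expected):
            return Response(403, "Forbidden: missing or invalid authenticator")
        return handler(request, store)
    return wrapper


def object_delete_confirm(request: Request, store: Store) -> Response:
    """Safe GET: renders the confirmation form only and changes nothing."""
    item = escape(request.params.get("item", ""))
    token = make_authenticator(request.session_id)
    html = (
        '<form method="post" action="object_delete">'
        f'<input type="hidden" name="item" value="{item}">'
        f'<input type="hidden" name="_authenticator" value="{token}">'
        f'<button type="submit">Delete {item}</button></form>'
    )
    return Response(200, html)


@postonly
@csrf_protected
def object_delete(request: Request, store: Store) -> Response:
    """The unsafe action: only reachable via a confirmed, authenticated POST."""
    item = request.params.get("item", "")
    if item not in store:
        return Response(404, "Not Found")
    del store[item]
    return Response(302, "", {"Location": "folder_contents"})


ROUTES: Dict[str, Handler] = {
    "object_delete_confirm": object_delete_confirm,
    "object_delete": object_delete,
}


def dispatch(request: Request, store: Store) -> Response:
    """Route on the last path segment, the way a script name is resolved."""
    handler = ROUTES.get(request.path.rsplit("/", 1)[-1])
    if handler is None:
        return Response(404, "Not Found")
    return handler(request, store)
```

With this arrangement the JavaScript alert in the actions menu becomes a convenience rather than the only safeguard: a GET reaching object_delete is refused outright, and a forged POST from another origin fails the token check because the attacker never sees the victim's authenticator.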

comment:13 Changed 3 years ago by hannosch

  • Component changed from Content Types to Infrastructure