Ticket #5704 (closed Bug: fixed)

Opened 6 years ago

Last modified 3 years ago

DOS a Plone site using folder default display

Reported by: neaj
Owned by: optilude
Priority: major
Milestone: 2.1.4
Component: Templates/CSS
Keywords: security
Cc:

Description

A client of mine just found a super-simple way to kill a Plone site:

  • create a folder called 'somename',
  • create a document in this folder called 'somename',
  • select 'somename' as default view of the folder,
  • delete the 'somename' document.

Now, if you view .../somename, Zope will spin and eventually take up all CPU. The folder tries to render the default view, which happens to be the same folder which tries to render the default view, which ...

The fix is probably to restrict the default view to parent[view], i.e. no acquisition.
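To make the loop in the report concrete, here is a small toy model added to this page (not Plone or Zope code) of how acquisition resolves a folder's default page. The `Folder`, `Document`, `acquire` and `render_*` names are invented for the illustration; only the item name 'somename' and the reproduction steps come from the ticket. `render_naive` shows the pre-fix behaviour (a hop counter stands in for the CPU spin), `render_fixed` models the identity check described in comment:3, and `render_no_acquisition` models the reporter's alternative of looking the page up only in the folder's own contents.

```python
# Added illustration, not Plone's code: a toy model of Zope-style acquisition
# showing why a folder whose default page shares its own id recurses forever
# once that page is deleted, and two ways of stopping it.

class Document:
    def __init__(self, name, body):
        self.name = name
        self.body = body


class Folder:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}
        self.default_page = None   # id of the item shown instead of a listing
        if parent is not None:
            parent.children[name] = self

    def add(self, child):
        child.parent = self
        self.children[child.name] = child
        return child

    def acquire(self, name):
        """Zope-style acquisition (simplified): look in this folder, then in
        each ancestor. The folder's own id is visible in its parent's contents,
        which is exactly how 'somename' resolves back to the folder itself."""
        node = self
        while node is not None:
            if name in node.children:
                return node.children[name]
            node = node.parent
        return None

    def listing(self):
        return "listing of %s: %s" % (self.name, sorted(self.children))


class RenderLoop(RuntimeError):
    """Raised by the naive renderer once it has clearly stopped terminating."""


def render_naive(obj, hops=0, max_hops=50):
    """Pre-fix behaviour: resolve default_page by acquisition and render the
    result, whatever it is. max_hops only exists so the demo finishes."""
    if isinstance(obj, Document):
        return obj.body
    if hops >= max_hops:
        raise RenderLoop("default view of %r never terminates" % obj.name)
    target = obj.acquire(obj.default_page) if obj.default_page else None
    if target is None:
        return obj.listing()
    return render_naive(target, hops + 1, max_hops)


def render_fixed(obj):
    """Post-fix behaviour, modelled on comment:3: if the acquired default page
    is the folder itself, refuse it and fall back to the folder listing."""
    if isinstance(obj, Document):
        return obj.body
    target = obj.acquire(obj.default_page) if obj.default_page else None
    if target is None or target is obj:
        return obj.listing()
    return render_fixed(target)


def render_no_acquisition(obj):
    """The reporter's alternative: look the default page up only among the
    folder's own contents, so acquisition can never hand back the folder."""
    if isinstance(obj, Document):
        return obj.body
    target = obj.children.get(obj.default_page) if obj.default_page else None
    if target is None:
        return obj.listing()
    return render_no_acquisition(target)


def naive_terminates(obj):
    """True if the naive renderer finishes, False if it loops (for the test)."""
    try:
        render_naive(obj)
        return True
    except RenderLoop:
        return False


def build_site(delete_page):
    """Reproduce the ticket's four steps; 'somename' is the ticket's own id."""
    root = Folder("root")
    folder = Folder("somename", parent=root)
    folder.add(Document("somename", "hello from the document"))
    folder.default_page = "somename"
    if delete_page:
        del folder.children["somename"]   # step 4: delete the document
    return folder


if __name__ == "__main__":
    print("before delete:", render_naive(build_site(delete_page=False)))
    print("naive terminates after delete?", naive_terminates(build_site(True)))
    print("fixed:", render_fixed(build_site(delete_page=True)))
    print("no acquisition:", render_no_acquisition(build_site(delete_page=True)))
```

The identity check stops the one-step cycle the ticket describes; a visited set or a depth bound on the render path is what a renderer needs to also catch cycles that pass through more than one container, which the ticket does not discuss.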

Change History

comment:1 Changed 6 years ago by alecm

  • Milestone changed from 2.5.x to 2.5.1

comment:2 Changed 6 years ago by alecm

  • Milestone changed from 2.5.1 to 2.1.x

This is worth fixing in 2.1 as well (especially as there seem to be some complaints on the lists).

comment:3 Changed 6 years ago by alecm

  • Status changed from new to closed
  • Resolution set to fixed

(In [10369]) Made PloneTool.browserDefault check if the default page it is trying to render is the folder itself, and prevent it from doing so (which would cause an endless loop). Fixes #5704

comment:4 Changed 5 years ago by hannosch

  • Milestone changed from 2.1.x to 2.1.4

comment:5 Changed 3 years ago by hannosch

  • Component changed from Usability to Templates/CSS