Every now and then I run into small problems with Zope. I usually try to fix these with a patch which (hopefully) will make it into the next Zope release.
webdav anonymous login fix
As someone pointed out on #zope, it is possible to view folder contents using a WebDAV client as an anonymous user: download cadaver, open yourzopeserver:8080 and run ls. Then decide whether you want anyone to be able to see this. Even though hiding this information is arguably security by obscurity, there are some things you just don't want everyone to see. The listing reveals, for example, which products are installed on the server, and an attacker can use that knowledge to go straight for a known bug in one of those products, if one exists.
Most people (like me) probably think it's harmless to let old objects, documents etc. linger around, as you can't view them in listings through FTP or HTTP. They don't realize WebDAV is running by default. Actually, it can't even be disabled! (z2.py -X -w80 won't do the trick!)
Personally I'd rather see this secured. Simply revoking the permission that governs content listings (Access contents information) from the Anonymous role is not an option in Zope, as this will break your entire site (all anonymous access goes with it), so the solution is to create a separate permission that controls access to contents through WebDAV.
And that's what the following (trivial) patch does. After applying it you get a new permission in the Security tab, which is granted to the Manager role by default. To get the old behaviour back, just grant the permission to Anonymous again.
Apply it with patch -p1 < ../webdav.patch in your SOFTWARE_HOME (i.e. the Zope-2.3.2-src dir), or just edit lib/python/webdav/Resource.py by hand :)
I've tested it with Zope 2.3.2; I can't guarantee it will work with other versions (use at your own risk anyway).
You can find the patch here
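To check whether a server hands the listing to anonymous clients without installing cadaver, the script below (an added example, not part of this page or of the patch) sends the same request cadaver's ls sends, an unauthenticated PROPFIND with Depth: 1, and parses the 207 Multi-Status reply. It uses only the Python 3 standard library. The host name, the port 8080 and the embedded sample reply are assumptions; the sample is a constructed illustration of the RFC 2518 reply format, not a capture from a real Zope server. Run it before and after applying the patch: a patched server should answer 401 (or 403) for an anonymous client instead of 207 with the listing.

```python
"""Probe a Zope server for anonymous WebDAV folder listings.

Added example (not the page's or Zope's own code).  Host/port are assumptions;
SAMPLE_MULTISTATUS is a constructed reply used for offline testing.
"""
import http.client
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DAV = "{DAV:}"  # ElementTree's Clark notation for the WebDAV namespace

# Minimal PROPFIND body: only resourcetype is requested, which is enough to
# tell folders (collections) from documents in the reply.
PROPFIND_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:resourcetype/></D:prop></D:propfind>'
)

# Constructed sample of a 207 Multi-Status reply (RFC 2518 shape) so the parser
# can be exercised offline.  The member names are made up, and one href is
# absolute to show that both href forms are handled.
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>http://yourzopeserver:8080/Control_Panel/</d:href>
    <d:propstat>
      <d:prop><d:resourcetype><d:collection/></d:resourcetype></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
  <d:response>
    <d:href>/old_index_html</d:href>
    <d:propstat>
      <d:prop><d:resourcetype/></d:prop>
      <d:status>HTTP/1.1 200 OK</d:status>
    </d:propstat>
  </d:response>
</d:multistatus>
"""


def parse_listing(body, path="/"):
    """Return [(href_path, is_collection)] for every member of the queried
    collection named in a Multi-Status body, skipping the collection itself."""
    root = ET.fromstring(body)
    base = path.rstrip("/")
    entries = []
    for response in root.iter(DAV + "response"):
        href = urlsplit(response.findtext(DAV + "href", "")).path
        if href.rstrip("/") == base:
            continue  # the folder we asked about, not one of its members
        is_collection = response.find(".//" + DAV + "collection") is not None
        entries.append((href, is_collection))
    return entries


def verdict(status, entries):
    """Classify the server's answer to an unauthenticated PROPFIND."""
    if status == 207 and entries:
        return "exposed"    # anonymous users get the folder listing
    if status in (401, 403):
        return "protected"  # listing requires credentials
    if status == 207:
        return "empty"      # listing allowed, but the folder has no members
    return "unknown"


def anonymous_propfind(host, port=8080, path="/"):
    """Send PROPFIND Depth: 1 with no credentials; return (status, entries)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("PROPFIND", path, body=PROPFIND_BODY,
                 headers={"Depth": "1", "Content-Type": "text/xml"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    entries = parse_listing(body, path) if resp.status == 207 else []
    return resp.status, entries


if __name__ == "__main__":
    # Usage: python webdav_check.py yourzopeserver [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    status, entries = anonymous_propfind(host, port)
    print("HTTP %d -> %s" % (status, verdict(status, entries)))
    for href, is_collection in entries:
        print("  %s%s" % (href, " (folder)" if is_collection else ""))
```

The probe only reads resourcetype, so an "exposed" verdict means exactly what the post describes: the member names of the folder are visible to anyone, which is where the installed products show up. ElementTree does not resolve external entities by default, so parsing a hostile reply is safe here.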
dtml-in improvement/fix
When using batching in dtml-in, why is previous-sequence only defined at the first iteration of the current batch? And why is next-sequence only defined at the last iteration of the current batch? This behaviour makes it difficult to display a batch like this:
-- begin sample --
Item N
Item N+1
Item N+2