Submitted by : Bill Page at: 2005-03-10T21:22:58+00:00 (12 years ago)

Some very aggressive search engines (spiders) seem to be following form action="xxxx" references in pages as well as the usual href links. As a result probes by such greedy thieves can cause unexpected changes to wiki web pages. One such example recently has been the triggering of the 'Change' button on the Issue pages.

The script 'changeIssueProperties' should be more careful not to record any change if the 'Change' action is triggered with no actual changes.

patch for ZWiki/plugins/Tracker.py --Bill Page, Thu, 10 Mar 2005 23:09:25 -0600 reply

<pre> diff -au test/Products/ZWiki/plugins/Tracker.py main/Products/ZWiki/plugins/Tracker.py --- test/Products/ZWiki/plugins/Tracker.py 2004-11-17 14:57:59.000000000 -0600 +++ main/Products/ZWiki/plugins/Tracker.py 2005-03-10 22:55:09.000000000 -0600 @@ -296,10 +296,11 @@

if status != self.status:
comment += "Status: %s => %s n" % (self.status,status) self.manage_changeProperties(status=status)
if REQUEST: REQUEST.RESPONSE.redirect(self.page_url())

def category_index(self):

</pre>
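Review bot: the format string in the status branch reads `"Status: %s => %s n"`, which looks like the `\n` escape lost its backslash when the patch was pasted into the page; worth confirming the checked-in line is `comment += "Status: %s => %s\n" % (self.status,status)` so consecutive property changes do not run together in the recorded comment. The hunk as rendered also shows only the `if status != self.status:` guard, while the report concerns a 'Change' triggered with no form data at all, so the category and severity branches need the same comparison for the fix to cover the described case; the trailing `if REQUEST: REQUEST.RESPONSE.redirect(self.page_url())` is harmless either way since it records nothing.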

(new) --Simon Michael, Fri, 11 Mar 2005 20:11:14 -0800 reply

Ooh, that's very bad news if the trend continues.

Thanks Bill. Would it be possible to send this with darcs send ? I can't actually figure out patch/diff these days.

thanks, checked in --simon, Fri, 11 Mar 2005 20:46:20 -0800 reply

Status: open => closed

(new) --Bill Page, Fri, 11 Mar 2005 20:47:56 -0800 reply

Simon,

No problem.

I just sent the patch from my darcs repository on axiom-developer.org

Yes I also thought it was very bad news. I can imagine that there might be a lot of other similar sensitive links on Zwiki. So I blacklisted the url (hosts.deny) from access to axiom-developer.org (usually I don't like doing this).

I was wondering if it might not also be a good idea to disable servicing of GET style calls since I think Zwiki would (almost?) always generate POST style calls, while a spider should only ever generate GETs? What do you think?

Regards, Bill Page.

(new) --Simon Michael, Fri, 11 Mar 2005 23:24:50 -0800 reply

I'm not seeing how we could disable GET and still work.

(new) --Bill Page, Sat, 12 Mar 2005 21:36:04 -0800 reply

> I'm not seeing how we could disable GET and still work.

Usually these days the action urls of forms are called by method=POST but there is a legacy HTML action method called GET, which is the same as that used to retrieve the content of HTML pages.

The GET method passes form data as part of the URL via the syntax:

http://url?field1=value&field2=value

The POST method on the other hand sends form data via a stream.

In the case of the rabid spider that was probing MathAction the calls to changeIssueProperties were via the method=GET with no form data being passed, as you might expect if the spider was treating action urls like links.

In principle it is possible for a Python script to tell that it is being called by POST or GET. My proposal was that some of the potentially sensitive scripts in Zwiki should ignore requests of type GET. This should help to avoid such spider attacks but should not affect the actual operation of Zwiki.
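A standalone Python sketch of the two defences discussed in this thread (the GET guard proposed above and the no-actual-change check from the patch). This is an added example, not ZWiki's Tracker.py; the plain dict request with a REQUEST_METHOD key is an assumption standing in for Zope's REQUEST object.

```python
# Added example (not ZWiki's code): a model of a tracker issue whose properties are
# changed by a form, hardened against spiders that follow form action URLs as links.
from dataclasses import dataclass, field

# Request methods that may modify wiki state. Read-only scripts such as the
# search form can keep accepting GET so that their URLs stay bookmarkable.
STATE_CHANGING_METHODS = {"POST"}


@dataclass
class Issue:
    category: str
    severity: str
    status: str
    history: list = field(default_factory=list)   # recorded change comments


def change_issue_properties(issue, request, category=None, severity=None, status=None):
    """Apply property changes from a form submission to `issue`.

    Returns the recorded change comment, or None when nothing was recorded.
    `request` is a constructed dict; only its REQUEST_METHOD key is assumed here.
    """
    # Defence 1: a spider treating action URLs as links issues GETs with no form
    # data. A sensitive script ignores anything that is not a form POST.
    method = request.get("REQUEST_METHOD", "GET").upper()
    if method not in STATE_CHANGING_METHODS:
        return None

    # Defence 2 (the patch): record a change only when a value actually differs,
    # so pressing 'Change' with nothing changed leaves no trace on the page.
    comment = ""
    for name, new in (("category", category), ("severity", severity), ("status", status)):
        old = getattr(issue, name)
        if new is not None and new != old:
            comment += "%s: %s => %s\n" % (name.capitalize(), old, new)
            setattr(issue, name, new)

    if not comment:
        return None
    issue.history.append(comment)
    return comment
```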

(new) --Simon Michael, Mon, 14 Mar 2005 11:08:04 -0800 reply

Oh I get you, from forms. Something to keep in mind. I like the use of GET in the search form and tracker, eg, because you can bookmark searches.

use of GET in the search form, etc. --Bill Page, Mon, 14 Mar 2005 12:00:23 -0800 reply

Yes, I agree. This would fall into the category of scripts that are not "sensitive", i.e. they don't do anything lasting to any wiki pages.