explicitly check if PUT() is called with PUT request method.

product/ERP5/Document/Coordinate.py

@@ -28,6 +28,7 @@
 
 import zope.interface
 from AccessControl import ClassSecurityInfo
+from zExceptions import Forbidden
 
 from Products.ERP5Type import Permissions, PropertySheet, interfaces
 from Products.ERP5Type.Base import Base
@@ -220,9 +221,10 @@ class Coordinate(Base):
       """
           Handle HTTP / WebDAV / FTP PUT requests.
       """
-      if not NoWL:
-        self.dav__init(REQUEST, RESPONSE)
-        self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
+      self.dav__init(REQUEST, RESPONSE)
+      self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
+      if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+        raise Forbidden, 'REQUEST_METHOD should be PUT.'
       body = REQUEST.get('BODY', '')
       try:
         self._writeFromPUT( body )

product/ERP5/Document/File.py

@@ -201,10 +201,6 @@ class File(Document, CMFFile):
     else:
       return str(data)
 
-  security.declareProtected(Permissions.ModifyPortalContent,'PUT')
-  def PUT(self, REQUEST, RESPONSE):
-    CMFFile.PUT(self, REQUEST, RESPONSE)
-
   # DAV Support
   PUT = CMFFile.PUT
   security.declareProtected(Permissions.FTPAccess, 'manage_FTPstat',

product/ERP5Form/Form.py

@@ -45,6 +45,7 @@ from ZODB.POSException import ConflictError
 from zExceptions import Redirect
 from Acquisition import aq_base
 from Products.PageTemplates.Expressions import SecureModuleImporter
+from zExceptions import Forbidden
 
 from Products.ERP5Type.PsycoWrapper import psyco
 from Products.ERP5Type.Base import Base
@@ -772,6 +773,8 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
         """Handle HTTP PUT requests."""
         self.dav__init(REQUEST, RESPONSE)
         self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
+        if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+            raise Forbidden, 'REQUEST_METHOD should be PUT.'
         body=REQUEST.get('BODY', '')
         # Empty the form (XMLToForm is unable to empty things before reopening)
         for k in self.get_field_ids():

product/ERP5Type/WebDAVSupport.py

@@ -26,6 +26,7 @@ from Products.CMFDefault.utils import html_headcheck
 from Products.CMFDefault.utils import bodyfinder
 from Products.CMFDefault.utils import SimpleHTMLParser as CMFSimpleHTMLParser
 from zLOG import LOG
+from zExceptions import Forbidden
 
 security = ModuleSecurityInfo( 'Products.ERP5Type.WebDAVSupport' )
 
@@ -117,6 +118,8 @@ class TextContent:
     """ Handle HTTP (and presumably FTP?) PUT requests """
     self.dav__init(REQUEST, RESPONSE)
     self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
+    if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+      raise Forbidden, 'REQUEST_METHOD should be PUT.'
     body = REQUEST.get('BODY', '')
 
     try:
@@ -208,6 +211,8 @@ def PUT(self, REQUEST, RESPONSE):
           return NullResource_PUT(self, REQUEST, RESPONSE)
 
         self.dav__init(REQUEST, RESPONSE)
+        if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+          raise Forbidden, 'REQUEST_METHOD should be PUT.'
 
         name = self.__name__
         parent = self.__parent__

product/ERP5Type/mixin/component.py

@@ -38,6 +38,7 @@ from Products.ERP5Type import Permissions
 from Products.ERP5Type.Base import Base
 from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
 from Products.ERP5Type.ConsistencyMessage import ConsistencyMessage
+from zExceptions import Forbidden
 
 from zLOG import LOG, INFO
 
@@ -290,6 +291,8 @@ class ComponentMixin(PropertyRecordableMixin, Base):
     """
     self.dav__init(REQUEST, RESPONSE)
     self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
+    if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+      raise Forbidden, 'REQUEST_METHOD should be PUT.'
 
     text_content = REQUEST.get('BODY')
     if text_content is None:

product/ERP5Type/patches/OFSImage.py

@@ -19,6 +19,7 @@
 import OFS.Image
 import struct
 from cStringIO import StringIO
+from zExceptions import Forbidden
 
 def getImageInfo_with_svg_fix(data):
     data = str(data)
@@ -83,3 +84,13 @@ def getImageInfo_with_svg_fix(data):
     return content_type, width, height
 
 OFS.Image.getImageInfo = getImageInfo_with_svg_fix
+
+PUT_orig = OFS.Image.File.PUT
+
+def PUT(self, REQUEST, RESPONSE):
+  """Handle HTTP PUT requests"""
+  if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+    raise Forbidden, 'REQUEST_METHOD should be PUT.'
+  return PUT_orig(self, REQUEST, RESPONSE)
+
+OFS.Image.File.PUT = PUT

product/Localizer/MessageCatalog.py

@@ -46,6 +46,7 @@ from zope.i18n import interpolate
 from zope.i18n.interfaces import ITranslationDomain
 from zope.interface import implements
 from zLOG import LOG, INFO
+from zExceptions import Forbidden
 
 # Import from Localizer
 from interfaces import IMessageCatalog
@@ -737,6 +738,8 @@ class POFile(SimpleItem):
     security.declareProtected('Manage messages', 'PUT')
     def PUT(self, REQUEST, RESPONSE):
         """ """
+        if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
+            raise Forbidden, 'REQUEST_METHOD should be PUT.'
         body = REQUEST['BODY']
         self.po_import(self.id, body)
         RESPONSE.setStatus(204)