[Zope-dev] Zope Tests: 5 OK
Summary of messages to the zope-tests list. Period Tue Jul 10 12:00:00 2007 UTC to Wed Jul 11 12:00:00 2007 UTC. There were 5 messages: 5 from Zope Unit Tests. Tests passed OK --- Subject: OK : Zope-2.7 Python-2.3.6 : Linux From: Zope Unit Tests Date: Tue Jul 10 20:53:20 EDT 2007 URL: http://mail.zope.org/pipermail/zope-tests/2007-July/008012.html Subject: OK : Zope-2.8 Python-2.3.6 : Linux From: Zope Unit Tests Date: Tue Jul 10 20:54:51 EDT 2007 URL: http://mail.zope.org/pipermail/zope-tests/2007-July/008013.html Subject: OK : Zope-2.9 Python-2.4.4 : Linux From: Zope Unit Tests Date: Tue Jul 10 20:56:23 EDT 2007 URL: http://mail.zope.org/pipermail/zope-tests/2007-July/008014.html Subject: OK : Zope-2.10 Python-2.4.4 : Linux From: Zope Unit Tests Date: Tue Jul 10 20:57:54 EDT 2007 URL: http://mail.zope.org/pipermail/zope-tests/2007-July/008015.html Subject: OK : Zope-trunk Python-2.4.4 : Linux From: Zope Unit Tests Date: Tue Jul 10 20:59:28 EDT 2007 URL: http://mail.zope.org/pipermail/zope-tests/2007-July/008016.html ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] vulnerability in zope 2.10.4
hi, imho i've found a vulnerability in zope 2.10.4 or rather in the newer version of five (1.5.5) used by it. in `Five/browser/ pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used the instantiate the page template engine used by five templates, or at least this is what i think it does. the problem with this is that `trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`) gets used to traverse path-expressions using `unrestrictedTraverse` (line 100), which means that i can access say the title of an otherwise private object with a simple obj/Title. i ran into this when one of my doctests[1] failed after upgrading from zope 2.10.3 to 2.10.4, because it could now access the title, even though permissions are explicitly set up beforehand to prevent this. using `createZopeEngine` instead of `createTrustedZopeEngine` didn't help with the test, unfortunately, since this would then raise an `Unauthorized` right away when rendering the `folder_contents` view. however, if i defer resetting the roles of the test user to just before the click on 'Delete' (line 35 in the test), the test works again... i've also just verified this ttw by creating a simple five view and a file object. i can successfully access the title attribute using the view, even though view and access contents information permissions are set up so only the manager role can access the object. dropping in zope 2.10.3 things work as expected, that is an `Unauthorized` exception is raised. so, unless i'm completely wrong here, i'd say this is a pretty serious security whole, no? cheers, andi [1] http://dev.plone.org/plone/browser/plone.app.linkintegrity/trunk/ plone/app/linkintegrity/docs/testReferalToPrivateFiles.txt?rev=16003 -- zeidler it consulting - http://zitc.de/ - [EMAIL PROTECTED] friedelstraße 31 - 12047 berlin - telefon +49 30 25563779 pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/ sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007 PGP.sig Description: This is a digitally signed message part ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: vulnerability in zope 2.10.4
On Jul 12, 2007, at 12:48 AM, Andreas Zeidler wrote: so, unless i'm completely wrong here, i'd say this is a pretty serious security whole, no? that should have been a hole, actually... too late already, sorry! :) andi -- zeidler it consulting - http://zitc.de/ - [EMAIL PROTECTED] friedelstraße 31 - 12047 berlin - telefon +49 30 25563779 pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/ sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007 PGP.sig Description: This is a digitally signed message part ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: vulnerability in zope 2.10.4
Andreas Zeidler wrote: hi, imho i've found a vulnerability in zope 2.10.4 or rather in the newer version of five (1.5.5) used by it. in `Five/browser/ pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used the instantiate the page template engine used by five templates, or at least this is what i think it does. the problem with this is that `trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`) gets used to traverse path-expressions using `unrestrictedTraverse` (line 100), which means that i can access say the title of an otherwise private object with a simple obj/Title. i ran into this when one of my doctests[1] failed after upgrading from zope 2.10.3 to 2.10.4, because it could now access the title, even though permissions are explicitly set up beforehand to prevent this. using `createZopeEngine` instead of `createTrustedZopeEngine` didn't help with the test, unfortunately, since this would then raise an `Unauthorized` right away when rendering the `folder_contents` view. however, if i defer resetting the roles of the test user to just before the click on 'Delete' (line 35 in the test), the test works again... i've also just verified this ttw by creating a simple five view and a file object. i can successfully access the title attribute using the view, even though view and access contents information permissions are set up so only the manager role can access the object. dropping in zope 2.10.3 things work as expected, that is an `Unauthorized` exception is raised. so, unless i'm completely wrong here, i'd say this is a pretty serious security whole, no? I'd say no. I believe this came from http://article.gmane.org/gmane.comp.web.zope.z3base.five/2225, and I believe it's a legitimate bugfix. Basically, I'd argue that .pt files for Five views are no less filesystem code than the .py files that house a view class. Previously, we had a weird situation where you got restrictedTraverse-like functionality using TALES (tal:replace='obj/attr') but not using python: expressions (tal:replace='python:obj.attr'). I have code which looks significantly funny or jumps through security hoops (arguably exposing too much information in the process) to deal with this bug (which is what I'd call it), and I'm really glad it's fixed. :) Obviously, this may be a problem for five.customerize, which needs to be more restrictive. I suspect five.customerize would've had a security hole with python: expressions, though. In any case, five.customerize is surely the exception here: The boundary between trusted and untrusted code has always been filesystem vs. TTW-editable. In general, this is only a security problem if: (a) a view is registered too loosely e.g. for * and could thus be used to inspect or modify objects that it wasn't really designed to deal with and (b) a view is registered for too liberal a permission; i.e. the permission to invoke the view is more widely available than the permission to access the attribute that the view is accessing on its context Even then, I think this is security-through-obscurity. If the variable in question was prepared/processed via python code in a view class, it'd never have been protected. In fact, if it was output using a python: expression rather than TALES, it would never have been protected. Martin -- Acquisition is a jealous mistress ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: vulnerability in zope 2.10.4
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andreas Zeidler wrote: hi, imho i've found a vulnerability in zope 2.10.4 or rather in the newer version of five (1.5.5) used by it. in `Five/browser/ pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used the instantiate the page template engine used by five templates, or at least this is what i think it does. the problem with this is that `trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`) gets used to traverse path-expressions using `unrestrictedTraverse` (line 100), which means that i can access say the title of an otherwise private object with a simple obj/Title. i ran into this when one of my doctests[1] failed after upgrading from zope 2.10.3 to 2.10.4, because it could now access the title, even though permissions are explicitly set up beforehand to prevent this. using `createZopeEngine` instead of `createTrustedZopeEngine` didn't help with the test, unfortunately, since this would then raise an `Unauthorized` right away when rendering the `folder_contents` view. however, if i defer resetting the roles of the test user to just before the click on 'Delete' (line 35 in the test), the test works again... i've also just verified this ttw by creating a simple five view and a file object. i can successfully access the title attribute using the view, even though view and access contents information permissions are set up so only the manager role can access the object. dropping in zope 2.10.3 things work as expected, that is an `Unauthorized` exception is raised. so, unless i'm completely wrong here, i'd say this is a pretty serious security whole, no? No. It has been an accident that, until just recently, the filesystem-based templates in a Five view were running as untrusted code. Five's security model is designed around protecting access to the *view*, but then trusting the view author to do the Right Thing. THis is similar to the trust Zope places in filesystem-based code: within a method of a filesystem-basd class (or a module-scope funciton), the developer can use whatever methods or attributes she likes. So, for instance, it is possible for the author of the view class to write methods which exposed private attributes to the view's template, for instance (and has beenn since before Five was added to Zope). The model you have in mind governs untrusted (through-the-web) code, whether ZPT, DTML, or Python Script, and isn't relevant to Five views. Tres. - -- === Tres Seaver +1 540-429-0999 [EMAIL PROTECTED] Palladion Software Excellence by Designhttp://palladion.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGlXrw+gerLs4ltQ4RAiBBAJsFDX9ESHgkQN57aRftypmtBCIAYgCgjDl6 ui7p8c1qIwr2rFr645uat2Q= =dAl0 -END PGP SIGNATURE- ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: vulnerability in zope 2.10.4
On Jul 12, 2007, at 2:50 AM, Tres Seaver wrote: so, unless i'm completely wrong here, i'd say this is a pretty serious security whole, no? No. It has been an accident that, until just recently, the filesystem-based templates in a Five view were running as untrusted code. yep, martin's already told me the same on irc, along with the history of your fix. but thanks for the quick answer... So, for instance, it is possible for the author of the view class to write methods which exposed private attributes to the view's template, for instance (and has beenn since before Five was added to Zope). i know that, of course, but was assuming that rendering five views as untrusted code was intentional, especially since templates registered for * could potentially be pretty harmful. plus i wasn't expecting an imho significant change like that to happen in a bugfix release. but anyway, thanks for clarifying! :) andi -- zeidler it consulting - http://zitc.de/ - [EMAIL PROTECTED] friedelstraße 31 - 12047 berlin - telefon +49 30 25563779 pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/ sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007 PGP.sig Description: This is a digitally signed message part ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
