Re: [Framework-Team] security hole in zope 2.10.4

2007-07-11 Thread Martin Aspeli

Andreas Zeidler wrote:

hi guys,

i think i just found a pretty nasty security issue in zope 2.10.4,  
see http://mail.zope.org/pipermail/zope-dev/2007-July/029590.html for  
a more detailed explanation.  the bug gives you completely  
unrestricted access in all view templates, which is probably not what  
we want, even though they cannot be changed ttw.  well, actually i  
haven't tried customerizing them, but this actually should work...


anyway, if this turns out to hold true, i think we should either go  
back to 2.10.3 for our rc1 or wait until this issue is fixed -- in  
any case we shouldn't use 2.10.4 as is, imho.  what do you think?


We certainly can't go back to 2.10.3, we depend on features and fixes in 
2.10.4.


I think this is due to an issue I raised on the Five list a while back, 
and which Tres fixed.


Basically, I'd argue that .pt files for Five views are no less 
filesystem code than the .py files that house a view class. Previously, 
we had a weird situation where you got restrictedTraverse-like 
functionality using TALES (tal:replace='obj/attr') but not using python: 
expressions (tal:replace='python:obj.attr').


I have code which looks significantly funny or jumps through security 
hoops (arguably exposing too much information in the process) to deal 
with this bug (which is what I'd call it), and I'm really glad it's 
fixed. :)


Obviously, this may be a problem for five.customerize, which needs to be 
more restrictive. I suspect five.customerize would've had a "security 
hole" with python: expressions, though.


Martin

___
Framework-Team mailing list
Framework-Team@lists.plone.org
http://lists.plone.org/mailman/listinfo/framework-team
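
A small model of the distinction Martin draws between path expressions (obj/attr, checked at every traversal step) and python: expressions (obj.attr, unchecked in unrestricted filesystem code), added here as an illustration; it is not Zope's or Five's own code, and the class, the per-attribute role table and the sample content are constructed for the demo:

```python
# Simplified model of restricted vs. unrestricted traversal, constructed for
# this example. Zope's real AccessControl machinery is considerably richer;
# only the shape of the check is modelled here.

class Unauthorized(Exception):
    """Raised when a restricted traversal step is not permitted."""

class Content:
    """Toy content object whose attributes carry role declarations."""
    # constructed: attribute -> roles allowed to read it (None = public);
    # attributes not listed here are treated as private
    __security__ = {"title": None, "child": None, "secret": {"Manager"}}

    def __init__(self, title, secret, child=None):
        self.title = title
        self.secret = secret
        self.child = child

def _allowed(obj, name, roles):
    decl = getattr(type(obj), "__security__", {})
    if name not in decl:
        return False
    required = decl[name]
    return required is None or bool(required & roles)

def restricted_traverse(obj, path, roles=frozenset()):
    """Model of an obj/attr path expression: every step is checked."""
    for name in path.split("/"):
        if not _allowed(obj, name, roles):
            raise Unauthorized("%s.%s" % (type(obj).__name__, name))
        obj = getattr(obj, name)
    return obj

def unrestricted_traverse(obj, path):
    """Model of python:obj.attr in unrestricted filesystem code: no checks."""
    for name in path.split("/"):
        obj = getattr(obj, name)
    return obj

def compare(doc, path, roles=frozenset()):
    """Return (restricted result, unrestricted result) for the same path;
    the restricted result is the string 'Unauthorized' when refused."""
    try:
        restricted = restricted_traverse(doc, path, roles)
    except Unauthorized:
        restricted = "Unauthorized"
    return restricted, unrestricted_traverse(doc, path)

# constructed sample content: a public document with a Manager-only field
SAMPLE = Content("public title", "s3cret", child=Content("child", "inner"))
```

Running `compare(SAMPLE, "child/secret")` with no roles shows the point of the thread: the path-expression model refuses, while the python: model hands back the value.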


[Framework-Team] security hole in zope 2.10.4

2007-07-11 Thread Andreas Zeidler

hi guys,

i think i just found a pretty nasty security issue in zope 2.10.4,  
see http://mail.zope.org/pipermail/zope-dev/2007-July/029590.html for  
a more detailed explanation.  the bug gives you completely  
unrestricted access in all view templates, which is probably not what  
we want, even though they cannot be changed ttw.  well, actually i  
haven't tried customerizing them, but this actually should work...


anyway, if this turns out to hold true, i think we should either go  
back to 2.10.3 for our rc1 or wait until this issue is fixed -- in  
any case we shouldn't use 2.10.4 as is, imho.  what do you think?


cheers,


andi

--
zeidler it consulting - http://zitc.de/ - [EMAIL PROTECTED]
friedelstraße 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007



