Re: [Zope-dev] Security fixes from Plone hotfix ported to Zope ?

2013-06-26 Thread Matthew Wilkes

> Is  there any  plan to  make new  releases of  Zope 2.12  and  Zope 2.13
> integrating the  patches that  are meaningful for  pure-Zope (non-Plone)
> applications ?

Plone doesn't always use the latest version of Zope. These are backports.

Matt



___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Security fixes from Plone hotfix ported to Zope ?

2013-06-26 Thread Gael Le Mignot
Hello,

Plone recently released a security hotfix with a dozen of patches in it
[1].

With a quick glance at the source code of those fixes, it seemed several
of them directly patch Zope, not Plone-related products.

Is  there any  plan to  make new  releases of  Zope 2.12  and  Zope 2.13
integrating the  patches that  are meaningful for  pure-Zope (non-Plone)
applications ?

[1] http://plone.org/products/plone/security/advisories/20130618-announcement

Regards,
-- 
Gaël Le Mignot - g...@pilotsystems.net
Pilot Systems - 82, rue de Pixérécourt - 75020 Paris
Tel : +33 1 44 53 05 55 - www.pilotsystems.net
Gérez vos contacts et vos newsletters : www.cockpit-mailing.com


[Zope-dev] Security vulnerability CVE 2011-3587: Arbitrary Code Execution

2011-10-04 Thread Hanno Schlichting
The Zope security response team is announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users. The hotfix for this vulnerability
was pre-announced last week.

This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary
commands with the privileges of the Zope service.

Versions Affected:  Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Zope 2.11.x, Zope 2.10.x or prior

You can either install the Hotfix as an egg release from
http://pypi.python.org/pypi/Products.Zope_Hotfix_CVE_2011_3587 or as
an old-style product release available from
http://download.zope.org/Zope2/hotfixes/Zope_Hotfix_CVE_2011_3587-v10.tar.gz.

Alternatively you can upgrade to the latest bugfix release of Zope.
Versions 2.12.20 and 2.13.10 will be released today and include the
fix for this vulnerability.

Please refer to
http://zope2.zope.org/news/security-vulnerability-announcement-cve-2011-3587
for more details.

The Plone community has also released a security hotfix today covering
an additional security issue. If you are using Plone, please refer to
http://plone.org/products/plone/security/advisories/20110928.

On behalf of the Zope security response team,
Hanno Schlichting


[Zope-dev] Security Hotfix 20110622 released

2011-06-28 Thread Laurence Rowe
Last week, the Zope and Plone security teams announced the discovery
of a serious security issue affecting all recent versions of Zope and
Plone, as well as the planned release of a Hotfix to address this
issue to be made today, June 28th at 1500 UTC.

The Plone and Zope security teams are announcing that this security
hotfix is now available for download. For full instructions on how to
get and install the Hotfix, go here:
http://plone.org/products/plone-hotfix/releases/20110622

To find out more about the details of the issue, answers to common
questions and which versions of Zope and Plone are affected, please
see: http://plone.org/products/plone/security/advisories/20110622

Assistance in installing this hotfix is available free of charge via
IRC in #plone-tuneup. If you don't have in-house server administrators
or a service agreement supporting your website, you can find
consultancy companies under the providers section of Plone.org -
http://plone.org/support/network

On behalf of the Zope and Plone security teams,

Laurence


Re: [Zope-dev] Security announcement update

2011-06-28 Thread Sascha Welter
(Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:
> This is an update on today's security hotfix release.

Thank you for the update, most helpful!

> The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
> (11:00am US EDT.) Updated versions of Zope 2 containing the security
> fix will be released at the same time.
> 
> For details on which versions of Zope and Plone are affected, please
> see: http://plone.org/products/plone/security/advisories/20110622

It says "Zope 2.10 and 2.11 users who have not installed
PloneHotfix20110720 are not affected" - can I conclude from that,
that Zope 2.9 would not be affected either?

Regards,

Sascha



[Zope-dev] Security announcement update

2011-06-28 Thread Laurence Rowe
This is an update on today's security hotfix release.

The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
(11:00am US EDT.) Updated versions of Zope 2 containing the security
fix will be released at the same time.

For details on which versions of Zope and Plone are affected, please
see: http://plone.org/products/plone/security/advisories/20110622

For installation instructions, please see:
http://plone.org/products/plone-hotfix/releases/20110622

On behalf of the Zope and Plone security teams,

Laurence


[Zope-dev] Security announcement

2011-06-22 Thread Laurence Rowe
On behalf of the Plone and Zope Security Teams I'd like to draw your
attention to a security announcement that has just been published.

This is a pre-announcement only, it does not contain any vulnerability
details. Your sites are as safe today as they were yesterday.  However,
as the problem that has been found is so serious we are giving you
advance warning that a patch is upcoming and recommending that you
plan a maintenance period for your sites to coincide with the full
announcement on Tuesday next week.

Full details are available at
http://plone.org/products/plone/security/advisories/pre-announcement-20110622

You can feel free to ask more questions on the plone-users mailing
list or in the #plone IRC channel about details and how to protect
yourself, but it is important to make a plan for this now.  It is
important to plan down-time at the time specified in that announcement
or your site will potentially be at risk - following the release of a
hotfix for the previous serious security vulnerability we received
reports of automated attacks on unpatched sites.


Laurence


Re: [Zope-dev] security problem in an monkey-patch

2007-09-19 Thread Dieter Maurer
Joachim Schmitz wrote at 2007-9-19 11:54 +0200:
>and
>
>../portal_catalog/getBypassQueue
>displays a 1

This looks like a security bug.

You should not be able to "call" something via the ZPublisher
what you cannot call in a script.

Maybe, you file a bug report?



-- 
Dieter


[Zope-dev] security problem in an monkey-patch

2007-09-19 Thread Joachim Schmitz

Hi,

I have monkey-patched the QueueCatalog to adapt it to our needs, which 
works fine. I now wanted to introduce a new feature:


The QueueCatalog should be bypassed during mass-import of data.
So I introduced a new variable "_bypass", and new getBypassQueue() and 
setBypassQueue methods in the monkey-patch:


from AccessControl import ClassSecurityInfo
from AccessControl.Permissions import view_management_screens
from Products.QueueCatalog.QueueCatalog import QueueCatalog

# Assumed: the post does not show where `security` comes from; a
# ClassSecurityInfo is what collects declareProtected() calls for a class.
security = ClassSecurityInfo()

security.declareProtected(view_management_screens, 'getBypassQueue')
def getBypassQueue(self):
    "get _bypass"
    if not hasattr(self, "_bypass"):
        self._bypass = False
    return self._bypass

security.declareProtected(view_management_screens, 'setBypassQueue')
def setBypassQueue(self, bypass=False):
    "set _bypass"
    self._bypass = bypass

# The two methods are attached to the class exactly as posted. Note that the
# declarations recorded in `security` above are never applied to
# QueueCatalog here (no security.apply() / InitializeClass() call), so the
# new methods carry no __roles__ of their own.
QueueCatalog.getBypassQueue = getBypassQueue
QueueCatalog.setBypassQueue = setBypassQueue


I can invoke these methods from the url like:

../portal_catalog/setBypassQueue?bypass=1

and

../portal_catalog/getBypassQueue
displays a 1

But when I do a:



I get:
Unauthorized: The container has no security assertions.  Access to 
'getBypassQueue' of (QueueCatalog at /uniben/portal_catalog) denied.


What am I missing here?


--
Gruß Joachim


[Zope-dev] (Security) Hotfix_20050405 Released (URL correction)

2005-04-05 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Overview

  Zope Corporation has released a Zope hotfix product addressing a
  potential vulnerability discovered during a recent security audit
  of Zope 2.7 and 2.8.

Affected Versions

  The hotfix affects versions 2.7.5 and earlier of Zope on the 2.7
  release line, as well as versions 2.8a1 and 2.8a2 on the upcoming 2.8
  release line.  The vulnerability will be resolved in versions 2.7.6
  and 2.8b1.  We recommend that any site which permits untrusted users
  to write PythonScripts apply this hotfix, and upgrade to a fixed
  version of Zope as it becomes available.

Further Information

  Please see the "product README",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/README.txt
  for details on the vulnerability, and for instructions on installing
  the hotfix.

Downloading the Hotfix

  - "Unix tarball",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/Hotfix_20050405.tar.gz

  - "Windows ZIP archive",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/Hotfix_20050405.zip


Apologies for the earlier typoed URLs.

Tres Seaver.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCUtIhGqWXf00rNCgRAitxAJ9Vualp5LLSrMQb1T799UWKa1UJoQCgmCJ2
EqH0Sj4RN0V8o1ldX6C1g90=
=1lBU
-END PGP SIGNATURE-


[Zope-dev] (Security) Hotfix_20050405 Released

2005-04-05 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Overview

  Zope Corporation has released a Zope hotfix product addressing a
  potential vulnerability discovered during a recent security audit
  of Zope 2.7 and 2.8.

Affected Versions

  The hotfix affects versions 2.7.5 and earlier of Zope on the 2.7
  release line, as well as versions 2.8a1 and 2.8a2 on the upcoming 2.8
  release line.  The vulnerability will be resolved in versions 2.7.6
  and 2.8b1.  We recommend that any site which permits untrusted users
  to write PythonScripts apply this hotfix, and upgrade to a fixed
  version of Zope as it becomes available.

Further Information

  Please see the "product README",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/README.txt
  for details on the vulnerability, and for instructions on installing
  the hotfix.

Downloading the Hotfix

  - "Unix tarball",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/Hotfix_20050405.tar.gz

  - "Windows ZIP archive",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/Hotfix_20050405.zip


Tres Seaver.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCUsvGGqWXf00rNCgRAt3qAJ42sH4BIPP9+S1g+ZnpwS9YopcggQCfYnvw
hXfT3SOxuL1y1adv5zmv3v8=
=smRT
-END PGP SIGNATURE-


[Zope-dev] Security declarations vanish over time?!

2004-03-18 Thread Chris Withers
Hi there,

I have a little help class:

class NamesProxy:

    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, names):
        self.names = names

    def __getitem__(self, item):
        return self.names[item]

    def __len__(self):
        return len(self.names)

...which lets me do batches over .objectValues() of BTreeFolders without Zope's 
security whining.

Anyway, so that I can do:


...I have the following in MyProduct's __init__.py:

from AccessControl import ModuleSecurityInfo
ModuleSecurityInfo('Products').declarePublic('MyProduct')
security = ModuleSecurityInfo()
# make NamesProxy usable from PageTemplates
from namesproxy import NamesProxy
security.declarePublic('NamesProxy')
security.apply(globals())
...all well and good, yes?

Okay, now it gets weird :-S

This works fine for a while (as in period of time) and then you start getting 
errors of the following sort:

  File /usr/local/zope/2.6.1/lib/python/Products/PageTemplates/TALES.py, line 217, in evaluate
  File /usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py, line 206, in __call__
  File /usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py, line 194, in _eval
  File /usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py, line 150, in _eval
    (Info: modules)
  File /usr/local/zope/2.6.1/lib/python/Products/PageTemplates/Expressions.py, line 346, in restrictedTraverse
    (Object: Products.ScreenDigest)
    (Info: {'path': ['Products', 'MyProduct', 'NamesProxy'], 'TraversalRequestNameStack': []})
Unauthorized: You are not allowed to access NamesProxy in this context

What gives?

Weirder still, this can be fixed by restarting Zope... until the next time it 
starts doing it :-(

Any ideas?

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope-dev] Security validation issue

2004-01-30 Thread Herman Geldenhuys
Hi

> Herman Geldenhuys wrote:
>
> > I've written a Zope product that exposes a "MenuItem". I add a menuItem
> > in a Zope folder, and I have no difficulty accessing and editing it via
> > the ZMI. I've written an xml-rpc-like protocol for Zope, that basically
> > validates the security "manually".
>
> What do you mean by "manually"?

By manually I mean that I have to do the validation myself. I have written a
new protocol that plugs into the Zope application server. It's called OZE
and I am about to release the source on sourceforge. It's an RPC-like
protocol. But in a nutshell, I must do the security validation myself,
because I bypass a few usual-Zope elements in the framework.

I will gladly answer any other questions, but will this satisfy for now?

H

- Original Message - 
From: "Chris Withers" <[EMAIL PROTECTED]>
To: "Herman Geldenhuys" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, January 30, 2004 10:48 AM
Subject: Re: [Zope-dev] Security validation issue


> Herman Geldenhuys wrote:
>
> > I've written a Zope product that exposes a "MenuItem". I add a menuItem
> > in a Zope folder, and I have no difficulty accessing and editing it via
> > the ZMI. I've written an xml-rpc-like protocol for Zope, that basically
> > validates the security "manually".
>
> What do you mean by "manually"?
>
> > This code works for any other default Zope type, but not mine. Did I
> > perhaps forget a permission or something?
>
> Did you do security declarations for that method?
>
> > I can access this fine via the ZMI, but when I validate it this way,
> > python just starts cursing at me.
>
> Why are you doing your own validation? ;-)
>
> cheers,
>
> Chris
>




Re: [Zope-dev] Security validation issue

2004-01-30 Thread Chris Withers
Herman Geldenhuys wrote:

I've written a Zope product that exposes a "MenuItem". I add a menuItem 
in a Zope folder, and I have no difficulty accessing and editing it via 
the ZMI. I've written an xml-rpc-like protocol for Zope, that basically 
validates the security "manually".
What do you mean by "manually"?

This code works for any other default Zope type, but not mine. Did I 
perhaps forget a permission or something?
Did you do security declarations for that method?

I can access this fine via the ZMI, but when I validate it this way, 
python just starts cursing at me.
Why are you doing your own validation? ;-)

cheers,

Chris



[Zope-dev] Security validation issue

2004-01-28 Thread Herman Geldenhuys



I've written a Zope product that exposes a "MenuItem". I add a menuItem in a
Zope folder, and I have no difficulty accessing and editing it via the ZMI.
I've written an xml-rpc-like protocol for Zope, that basically validates the
security "manually".

This menuItem has an attribute called "def getVersion(self):" which returns
an int.

This is the code that prevents me from accessing the method in python, via
my protocol:

    if not AccessControl.getSecurityManager().validate(None, object, attributes[-1]):
        raise UnauthorisedAccessException('Unauthorised: ' + originalAddress)

object = >

This is the method getVersion

attributes[-1] = "getVersion" (string)

UnauthorisedAccessException: Unauthorised: menus.administration.addUser.getVersion

This code works for any other default Zope type, but not mine. Did I perhaps
forget a permission or something?

I can access this fine via the ZMI, but when I validate it this way, python
just starts cursing at me.

Can somebody help?

Thanks

H
 


Re: [Zope-dev] Security audit introduced problem in PageTemplates/Expression.py

2004-01-14 Thread Stuart Bishop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 13/01/2004, at 4:19 PM, Stuart Bishop wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:
As well as in other locations such as ZopeGuards.py.

I've opened http://collector.zope.org/Zope/1182 with some
example code.
Anyone know if None is being passed as the name in some locations?
I don't think it would be helpful for me to go around reversing
code changed by a security audit without some background.
- --  Stuart Bishop <[EMAIL PROTECTED]>
http://www.stuartbishop.net/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)
iD8DBQFABgNqAfqZj7rGN0oRApeyAJ0Y4BzVbQfOdq2rpaH/m1e9cip/RACfUqzq
i1nr0FrFG544SCKh7dReZVk=
=4TUc
-END PGP SIGNATURE-


[Zope-dev] Security audit introduced problem in PageTemplates/Expression.py

2004-01-12 Thread Stuart Bishop
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:
***
*** 312,318 
  # Skip directly to item access
  o = object[name]
  # Check access to the item.
! if not validate(object, object, name, o):
  raise Unauthorized, name
  object = o
  continue
- --- 307,313 
  # Skip directly to item access
  o = object[name]
  # Check access to the item.
! if not validate(object, object, None, o):
  raise Unauthorized, name
  object = o
  continue
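Review bot: this hunk drops the known `name` from the `validate(object, object, None, o)` call while the `raise Unauthorized, name` two lines below still uses it, and nothing in the hunk says why. If the intent is that an item fetched through `object[name]` must not be validated as though it were the attribute `name` of the container (so a key chosen in a template cannot borrow the roles of a same-named container attribute), state that in the comment above the call, e.g. `# Validate the item on its own roles, not as attribute 'name'`; as written the change reads like an accidental regression, and it silently changes what setDefaultAccess hooks receive as their name argument.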
***
*** 367,373 
  raise
  else:
  # Check access to the item.
! if not validate(object, object, name, o):
  raise Unauthorized, name
  object = o
- --- 362,368 
  raise
  else:
  # Check access to the item.
! if not validate(object, object, None, o):
  raise Unauthorized, name
  object = o
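Review bot: the same change is repeated here in the fallback path taken after attribute lookup fails, so both call sites now pass `None` as the name; whatever rationale applies to the first site belongs here too, preferably as one shared comment or a small helper so the two sites cannot drift apart. Concretely, a default-access hook like the `_checkAccess` shown below, which calls `name.startswith('CG')`, now raises AttributeError on `None` instead of returning 0, turning a denial into a server error; if passing `None` is intended, the hook contract (name may be None) needs to be documented with this change.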
This has the side effect of not passing the name attribute to
my security assertion methods registered via
ClassSecurityInfo.setDefaultAccess:
class Foo(blah, blah, blah):

    security = ClassSecurityInfo()

    def _checkAccess(self, name, value):
        if name.startswith('CG'):
            return 1
        return 0
    security.setDefaultAccess(_checkAccess)

    def __getitem__(self, key):
        ''' Access via dictionary interface, with security
            provided via _checkAccess
        '''
        return 'example'
Reversing the changes to Expression.py seems to break lots of
things (including SiteErrorLog), so I'm sure this is much more
involved.
Can anyone shed light onto what is going on?

- --  
Stuart Bishop <[EMAIL PROTECTED]>
http://www.stuartbishop.net/
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (Darwin)

iD8DBQFAA4AFAfqZj7rGN0oRArWMAJ96sb9wKkx9qqstiB+78cZ1LrtW8ACggNX8
+uCQkzQGvbgIzW8Sb4C9kAE=
=7xyW
-END PGP SIGNATURE-


[Zope-dev] security issue

2003-08-14 Thread Toby Gustafson

Hello,

   I am having a problem accessing a function defined in a product I have
created and installed.

   The product is called StoreEvent, and it was created using the
PloneMinimalInstall as a guide.

   In the StoreEvent product is a file called StoreEvent, which contains a
function searchForStoreEvents.  This function is outside of the StoreEvent
class which is also defined in the file.

   I have created a page template which contains a form, and when the form
is submitted, a script is executed.  From that script I try to call the
function with the lines:

   from Products.StoreEvent import StoreEvent

   ...

   storeEvents = StoreEvents.searchForStoreEvents(context, ...)

When I bring up the page and submit it, I get a popup asking me to enter a
username and password.  When I cancel that, I get an error page with the
message "You are not allowed to access searchForStoreEvents in this
context".

I have read the security document at:

   http://www.zope.org/Documentation/Books/ZDG/current/Security.stx

and have tried adding several things to my StoreEvent.__init__.py file,
such as:

   modulesecurity = ModuleSecurityInfo()
   modulesecurity.declarePublic( \
 'Products.StoreEvent.searchForStoreEvents')
   modulesecurity.apply(globals())

However, nothing seems to work.  Anybody have any idea what I am doing
wrong?

Thanks in advance,
--Toby.
---
Toby Gustafson
Senior Software Engineer
Tyrell Software Corporation
Email: [EMAIL PROTECTED]
---





Re: [Zope-dev] security issue

2003-08-14 Thread Dieter Maurer
Toby Gustafson wrote at 2003-8-14 04:35 -0700:
 > ...
 >I am having a problem accessing a function defined in a product I have
 > created and installed.
 > ...
 > From that script I try to call the
 > function with the lines:
 > 
 >from Products.StoreEvent import StoreEvent
 > 
 >...
 > 
 >storeEvents = StoreEvents.searchForStoreEvents(context, ...)
 > 
 > ...
 > "You are not allowed to access searchForStoreEvents in this
 > context".
 > 
 > I have read the security document at:
 > 
 >http://www.zope.org/Documentation/Books/ZDG/current/Security.stx
 > 
 > and have tried adding several things to my StoreEvent.__init__.py file,
 > such as:
 > 
 >modulesecurity = ModuleSecurityInfo()
 >modulesecurity.declarePublic( \
 >  'Products.StoreEvent.searchForStoreEvents')
 >modulesecurity.apply(globals())

"ModuleSecurityInfo" is quite complex. I do not understand it completely.

However, I see one error in your code: in your "declarePublic",
one "StoreEvent" is missing.
Your "searchForStoreEvents" is at
'Products.StoreEvent.StoreEvent.searchForStoreEvents'

 > However, nothing seems to work.  Anybody have any idea what I am doing
 > wrong.

The "AccessControl.allow_module" may be simpler to use
(however, it makes available the complete module content).


Dieter



Re: [Zope-dev] Security-Problem

2003-02-19 Thread Shane Hathaway
Steve Alexander wrote:


Shane Hathaway <[EMAIL PROTECTED]> wrote:


Do you not want foo to have the Manager role?




Andre Schubert wrote:


No, because he is no longer in our company.



Shane Hathaway <[EMAIL PROTECTED]> wrote:


I think you're asking for a "find + chown" utility, right?  I don't 
know of one, but it sure would be nice to have. :-)



Andre Schubert wrote:


It would be very nice to have such a tool :)

BTW: Thanks for the quick answers, you help me to understand the problem.
 I take the ownership of all objects where foo was the owner
 and the problems should go away :)



Andre,

Don't treat this so lightly! When you take ownership of objects where 
foo is the owner, you are telling Zope that you take responsibility for 
those objects.

For example, let's say foo had written a python script for removing all 
of her files older than one day.

Here's some pseudocode:

  For all files older than one day:
try:
  remove the file
except PermissionError:
  pass

This will work, provided foo has rights to delete only foo's files.
If you take ownership of such a script, and you run it, then it will 
have very different effects.

Also, if you are a Manager (or in another privileged role), and you take 
ownership of such a script, you may be allowing others to delete their 
own files when they run that script, whereas before nothing much would 
have happened.

To clarify, those users still need to have the privilege of deleting 
those files.  Executable ownership only reduces privileges.

In 99% of cases, none of this will be a problem. However, you should 
take care when taking ownership of objects, especially objects that 
represent code such as python scripts and dtml methods and page templates.

I feel like Zope doesn't present the concept of executable ownership 
properly to the user.  I've run into this issue myself--the lifetime of 
executables frequently extends beyond the life of the associated 
username.  You never know when deleting a user or removing user roles 
will break code throughout the site.  Like Andre, all I wanted to do was 
restore the privileges the code had before.

So for Zope 3 I've pondered some way of separating executables from 
usernames, while retaining the properties we have today.  It seems like 
executables should rely on a different service for determining 
executable privileges than the user database.

Shane




Re: [Zope-dev] Security-Problem

2003-02-19 Thread Steve Alexander

Shane Hathaway <[EMAIL PROTECTED]> wrote:

Do you not want foo to have the Manager role?


Andre Schubert wrote:

No, because he is no longer in our company.


Shane Hathaway <[EMAIL PROTECTED]> wrote:

I think you're asking for a "find + chown" utility, right?  I don't know 
of one, but it sure would be nice to have. :-)

Andre Schubert wrote:

It would be very nice to have such a tool :)

BTW: Thanks for the quick answers, you help me to understand the problem.
 I take the ownership of all objects where foo was the owner
 and the problems should go away :)


Andre,

Don't treat this so lightly! When you take ownership of objects where 
foo is the owner, you are telling Zope that you take responsibility for 
those objects.

For example, let's say foo had written a python script for removing all 
of her files older than one day.

Here's some pseudocode:

  For all files older than one day:
try:
  remove the file
except PermissionError:
  pass

This will work, provided foo has rights to delete only foo's files.
If you take ownership of such a script, and you run it, then it will 
have very different effects.

Also, if you are a Manager (or in another privileged role), and you take 
ownership of such a script, you may be allowing others to delete their 
own files when they run that script, whereas before nothing much would 
have happened.


In 99% of cases, none of this will be a problem. However, you should 
take care when taking ownership of objects, especially objects that 
represent code such as python scripts and dtml methods and page templates.

--
Steve Alexander




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Andre Schubert
On Tue, 18 Feb 2003 12:01:45 -0500
Shane Hathaway <[EMAIL PROTECTED]> wrote:

> On 02/18/2003 09:16 AM, Andre Schubert wrote:
> > I try to explain what happens. Lets say i have a user called foo who
> > has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> > a folder called bar and foobar. foobar is called from inside bar
> > (). He also created a Role MSAdmin. bar is
> > accessible and visible by Anonymous Users. foobar is accessible and
> > visible by MSAdmin and Manager. If i view bar and login as a user
> > with MSAdmin-Roles everything works fine. But if i remove the
> > Manager-Role from foo who has created the two DTMLMethods i get the
> > above error.
> 
> Do you not want foo to have the Manager role?

No, because he is no longer in our company.

> 
> > I have the same problem with a really big Zope-Site where i have the
> > remove Manager-Roles from a specific user. The only solution i have
> > found is to recreate the DTMLMethods, but it is very hard to
> > reacreate all DTMLMethods created by foo.
> 
> I think you're asking for a "find + chown" utility, right?  I don't know 
> of one, but it sure would be nice to have. :-)
> 

It would be very nice to have such a tool :)

BTW: Thanks for the quick answers, you helped me to understand the problem.
I take the ownership of all objects where foo was the owner
and the problems should go away :)




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Dieter Maurer
Andre Schubert wrote at 2003-2-18 15:16 +0100:
 > ...
 > Error Type: Unauthorized
 > Error Value: The owner of the executing script does not have the required 
 >permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access 
 >requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The 
 >executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles 
 >['Authenticated', 'Owner'].
 > 
 > I try to explain what happens.
 > Lets say i have a user called foo who has Manager-Roles across a Zope-site.
 > foo has added 2 DTMLMethods to a folder called bar and foobar.
 > foobar is called from inside bar ().
 > He also created a Role MSAdmin.
 > bar is accessible and visible by Anonymous Users.
 > foobar is accessible and visible by MSAdmin and Manager.
 > If i view bar and login as a user with MSAdmin-Roles everything works fine.
 > But if i remove the Manager-Role from foo who has created the two DTMLMethods i get 
 >the above error.

That is precisely as it should be.

You may consider taking ownership of your executing script and
giving it to a user with role "MSAdmin".


Dieter




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Joachim Werner
Andre Schubert wrote:

> Hi all,
>
> i have a little Security-Problem which results in the following Error
> reported by Shane Hathaway's nice VerboseSecurity:
>
> Error Type: Unauthorized
> Error Value: The owner of the executing script does not have the required permission. Access to 'foobar' of (Folder instance at 932b600) denied. Access requires View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles ['Authenticated', 'Owner'].
>
> I try to explain what happens.
> Lets say i have a user called foo who has Manager-Roles across a Zope-site.
> foo has added 2 DTMLMethods to a folder called bar and foobar.
> foobar is called from inside bar ().
> He also created a Role MSAdmin.
> bar is accessible and visible by Anonymous Users.
> foobar is accessible and visible by MSAdmin and Manager.
> If i view bar and login as a user with MSAdmin-Roles everything works fine.
> But if i remove the Manager-Role from foo who has created the two DTMLMethods i get the above error.
>
> I have the same problem with a really big Zope-Site where i have the remove Manager-Roles
> from a specific user. The only solution i have found is to recreate the DTMLMethods, but
> it is very hard to reacreate all DTMLMethods created by foo.
>
> I hope somebody has another hint for me. :)


Non-authoritative answer:

As far as I know the problem is ownership. If you want to access objects 
whose owner is gone you get into trouble.

So there are probably two solutions:

a) DO NOT delete the owner
b) Let somebody else take over the ownership



--

iuveno AG

Joachim Werner

_

Wittelsbacherstr. 23b
90475 Nürnberg

[EMAIL PROTECTED]
www.iuveno.de

Tel.: +49 (0) 911/ 9 88 39 84




Re: [Zope-dev] Security-Problem

2003-02-18 Thread Shane Hathaway
On 02/18/2003 09:16 AM, Andre Schubert wrote:

> I try to explain what happens. Lets say i have a user called foo who
> has Manager-Roles across a Zope-site. foo has added 2 DTMLMethods to
> a folder called bar and foobar. foobar is called from inside bar
> (). He also created a Role MSAdmin. bar is
> accessible and visible by Anonymous Users. foobar is accessible and
> visible by MSAdmin and Manager. If i view bar and login as a user
> with MSAdmin-Roles everything works fine. But if i remove the
> Manager-Role from foo who has created the two DTMLMethods i get the
> above error.

Do you not want foo to have the Manager role?

> I have the same problem with a really big Zope-Site where i have the
> remove Manager-Roles from a specific user. The only solution i have
> found is to recreate the DTMLMethods, but it is very hard to
> reacreate all DTMLMethods created by foo.

I think you're asking for a "find + chown" utility, right?  I don't know 
of one, but it sure would be nice to have. :-)

Shane




[Zope-dev] Security-Problem

2003-02-18 Thread Andre Schubert
Hi all,

I have a little Security-Problem which results in the following Error
reported by Shane Hathaway's nice VerboseSecurity:

Error Type: Unauthorized
Error Value: The owner of the executing script does not have the required permission. 
Access to 'foobar' of (Folder instance at 932b600) denied. Access requires 
View_Permission, granted to the following roles: ['MSAdmin', 'Manager']. The executing 
script is (DTMLMethod instance at 8c8a508), owned by foo, who has the roles 
['Authenticated', 'Owner'].

I try to explain what happens.
Let's say I have a user called foo who has Manager-Roles across a Zope-site.
foo has added 2 DTMLMethods to a folder, called bar and foobar.
foobar is called from inside bar ().
He also created a Role MSAdmin.
bar is accessible and visible by Anonymous Users.
foobar is accessible and visible by MSAdmin and Manager.
If I view bar and log in as a user with MSAdmin-Roles everything works fine.
But if I remove the Manager-Role from foo who has created the two DTMLMethods I get 
the above error.

I have the same problem with a really big Zope-Site where I have to remove 
Manager-Roles from a specific user. The only solution I have found is to recreate 
the DTMLMethods, but it is very hard to recreate all DTMLMethods created by foo.

I hope somebody has another hint for me. :)

Regards, as




Re: [Zope-dev] Security problems importing from python package.

2002-11-25 Thread Chris Withers
Clemens Robbenhaar wrote:

> If one tries to import the code from a python script, the security
> machinery first check, if the module has some security info, and imports
> it afterwards, if the info is found. But as the module is not imported
> anyway, it is not initialized, and has not such info and thus will not
> be allowed for import.

This is a very helpful analysis. I've updated the collector issue:
http://collector.zope.org/Zope/685

Does anyone have an idea of the correct way to fix this?

cheers,

Chris




[Zope-dev] Security problems importing from python package.

2002-11-25 Thread Clemens Robbenhaar

At Thu, 21 Nov 2002 12:16:09 +, Chris Withers wrote:

 > I'm trying to get stripogram working from Script(Pythons). I thought I had it, 
 > but it appears I don't.
 > 
 > I added the following in the __init__.py of the stripogram package:
 > 
 > try:
 >  from AccessControl import ModuleSecurityInfo,allow_module
 > except ImportError:
 >  # no Zope around
 >  raise
 > else:
 >  allow_module('stripogram')
 >  ModuleSecurityInfo('stripogram').declareObjectPublic()
 >  ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')
 > 

 This issue has most probably been resolved somewhere in between, but I
cannot find any trace of this at [EMAIL PROTECTED] nor [EMAIL PROTECTED], thus I
drop in my 2 cents here.


  I did just now run into a similar problem, and may offer the following
explanation after some debugging:

 It seems the 'allow_module', etc, does not get executed by Zope in advance,
except if this is the __init__.py of a 'Product', or this module is
imported by some core module or product. This is quite standard Python
behaviour; the module is not initialized before import, and Zope does
some extra work to initialize all products on startup.


 If one tries to import the code from a Python script, the security
machinery first checks whether the module has some security info, and imports
it afterwards if the info is found. But as the module is not imported
anyway, it is not initialized, has no such info and thus will not
be allowed for import. 
 It seems there is some chicken and egg problem here, or I have missed
something completely.

 The workaround is to insert a dummy 'import stripogram' in some
product, which triggers the security info creation -- or make the little
helper scripts a product of their own.


 > I don't think either the allow_module or the declareObjectPublic() should be 
 > necessary. However, the declareObjectPublic at least made this test pass:
 > 
 >  from Products.PythonScripts.PythonScript import PythonScript
 >  theScript = PythonScript('test')
 >  theScript.ZBindings_edit({})
 >  theScript.write("from stripogram import html2text\nreturn 
 > html2text('hello')")
 >  theScript._makeFunction()
 >  self.assertEqual(theScript(),'hello')
 > 

This works, as your test code imports something via the file system (no
access restriction) from module "stripogram" first and then creates the
test script, which finds the module info on import as the module is
already initialized.

 > But even adding the 'allow_module' won't let the following Script (Python) 
 > created through the ZMI work:
 > 
 > from stripogram import html2text
 > 
 > The error I get is:
 > 
 >   Error Type: ImportError
 > Error Value: import of "stripogram" is unauthorized

 In this case the module has not been initialized yet, and the TTW
access is the first import, which fails due to the security
restrictions problem mentioned above.


 Hope this helps; and hope someone can point out to me if I am wrong on the
chicken and egg problem of 'non-Product' module import. 


Cheers,
Clemens 
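The chicken-and-egg Clemens describes, reproduced as an added example (not code from the thread or from Zope): a toy guarded_import consults the module security registry before importing, so a package that only registers itself in its own __init__.py is refused on the first through-the-web import, while a prior plain import (Clemens' dummy-import workaround) makes it pass. The registry, the toy_accesscontrol shim and the generated package are all constructed here; their real counterparts are AccessControl's allow_module / ModuleSecurityInfo and AccessControl.ZopeGuards.guarded_import.

```python
"""Toy of Zope's guarded_import ordering: check the registry, then import.

Added example, not Zope's code.  The generated package plays the role of the
stripogram package from the thread.
"""
import importlib
import os
import sys
import tempfile
import textwrap
import types

_allowed_modules = set()          # stands in for the ModuleSecurityInfo registry


def allow_module(name):
    _allowed_modules.add(name)


# Expose the registry as an importable module (as AccessControl is in Zope) so
# the generated package can call allow_module from its own __init__.py.
_toy = types.ModuleType("toy_accesscontrol")
_toy.allow_module = allow_module
sys.modules["toy_accesscontrol"] = _toy


def guarded_import(name):
    """Refuse unless the module is already registered, then import it.

    The check comes first, so a module whose only registration lives in its
    own __init__.py can never register itself through this path.
    """
    if name not in _allowed_modules:
        raise ImportError('import of "%s" is unauthorized' % name)
    return importlib.import_module(name)


def make_package(name):
    """Write a package whose __init__ declares itself, like stripogram's."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, name))
    with open(os.path.join(root, name, "__init__.py"), "w") as fh:
        fh.write(textwrap.dedent("""
            from toy_accesscontrol import allow_module
            allow_module(%r)          # only runs when the package is first imported

            def html2text(text):
                return text
        """ % name))
    sys.path.insert(0, root)
    importlib.invalidate_caches()
    return root


def scenario(name, product_imports_first):
    """Return what a TTW script gets from `from <name> import html2text`."""
    make_package(name)
    if product_imports_first:
        # Clemens' workaround: a Product does a plain filesystem import at
        # startup, which runs __init__.py and so fills the registry.
        importlib.import_module(name)
    try:
        return guarded_import(name).html2text("hello")
    except ImportError as exc:
        return "ImportError: %s" % exc
```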





[Zope-dev] Security problems importing from python package.

2002-11-21 Thread Chris Withers
Hi,

I'm trying to get stripogram working from Script(Pythons). I thought I had it, 
but it appears I don't.

I added the following in the __init__.py of the stripogram package:

try:
    from AccessControl import ModuleSecurityInfo,allow_module
except ImportError:
    # no Zope around
    raise
else:
    allow_module('stripogram')
    ModuleSecurityInfo('stripogram').declareObjectPublic()
    ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')

I don't think either the allow_module or the declareObjectPublic() should be 
necessary. However, the declareObjectPublic at least made this test pass:

from Products.PythonScripts.PythonScript import PythonScript
theScript = PythonScript('test')
theScript.ZBindings_edit({})
theScript.write("from stripogram import html2text\nreturn html2text('hello')")
theScript._makeFunction()
self.assertEqual(theScript(),'hello')

But even adding the 'allow_module' won't let the following Script (Python) 
created through the ZMI work:

from stripogram import html2text

The error I get is:

 Error Type: ImportError
Error Value: import of "stripogram" is unauthorized

  File \lib\python\Products\PythonScripts\PythonScript.py, line 302, in _exec
(Object: tester)
(Info: ({'script': , 'context': 
, 'container': , 'traverse_subpath': []}, (), {}, None))
  File Script (Python), line 1, in tester
  File \lib\python\AccessControl\ZopeGuards.py, line 153, in guarded_import
ImportError: (see above)

What am I doing wrong? Why doesn't this code behave as advertised in
Products/PythonScripts/module_access_examples.py?

cheers,

Chris





Re: [Zope-dev] Security Testing

2002-10-14 Thread Eron Lloyd

Maybe this would be a good opportunity to evaluate Puffin 
(www.puffinhome.org)? Security API calls through unit tests are one thing, 
but testing the whole functioning system from the outside seems like the best 
approach. Puffin should be a Zope partner, IMHO.

Regards,

Eron

On Monday 14 October 2002 10:49 am, Chris Withers wrote:
> Hi,
>
> I'd like to build a suite of security tests for a product I'm writing using
> unittest.py.
>
> Is this possible?
>
> I thought about using newSecurityManager with various known users, and
> restrictedTraverse to get to the appropriate methods, but then how do I
> test if those methods are callable?
>
> cheers,
>
> Chris
>
> PS: How is all this being tackled in Zope 3?
>
>

-- 
Eron Lloyd
Technology Coordinator
Lancaster County Library
[EMAIL PROTECTED]
Phone: 717-239-2116
Fax: 717-394-3083






Re: [Zope-dev] Security Testing

2002-10-14 Thread Stefan H. Holek

Chris!

You might want to take a look at my ZopeTestCase package. It supports Zope 
security testing with users, roles, permissions and all.


Also see the tests coming with the ReplaceSupport and DocFinderEverywhere 
products. In essence restrictedTraverse() will work. Alternatively you 
could call getSecurityManager().validate() or .validateValue() directly.

HTH,
Stefan


--On Monday, 14 October 2002 15:49 +0100 Chris Withers <[EMAIL PROTECTED]> 
wrote:

> Hi,
>
> I'd like to build a suite of security tests for a product I'm writing
> using unittest.py.
>
> Is this possible?
>
> I thought about using newSecurityManager with various known users, and
> restrictedTraverse to get to the appropriate methods, but then how do I
> test if those methods are callable?
>
> cheers,
>
> Chris
>
> PS: How is all this being tackled in Zope 3?
--
Those who write software only for pay should go hurt some other field.
/Erik Naggum/




[Zope-dev] Security Testing

2002-10-14 Thread Chris Withers

Hi,

I'd like to build a suite of security tests for a product I'm writing using 
unittest.py.

Is this possible?

I thought about using newSecurityManager with various known users, and 
restrictedTraverse to get to the appropriate methods, but then how do I test if 
those methods are callable?

cheers,

Chris

PS: How is all this being tackled in Zope 3?





Re: [Zope-dev] Security-Bug

2002-05-13 Thread Dieter Maurer

Andre Schubert writes:
 > If i have the permission to view the management screens i be able to add Zope 
 >Permissions... is this a security bug or not ?
It probably is.

I have been really unable to read this from your previous report, sorry!


Dieter





Re: [Zope-dev] Security-Bug

2002-05-12 Thread Andre Schubert

On Wed, 8 May 2002 23:04:08 +0200
"Dieter Maurer" <[EMAIL PROTECTED]> wrote:

> Andre Schubert writes:
>  > could this be a bug in the security-machinery?
>  > 
>  > Lets say we have a role foo, this role has the permission to view the management 
>screens.
>  > Lets say we have a user bar which has the role foo.
>  > 
>  > If i login into the ZMI a be able to go to
>  > Control_Panel/Products.
>  > And now if i want i be able to add a Zope Permission in every Product-Folder i 
>found.
>  > 
>  > Testet with Zope 2.4.3
>  > 
>  > Do i have misset any security-permissions or is this really a bug?
> I do not understand what your problem is...
> 
>   What does not work?
>   
> 
> Dieter
> 
If I have the permission to view the management screens I am able to add Zope 
Permissions... is this a security bug or not?





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

* Phillip J. Eby <[EMAIL PROTECTED]> [020119 12:04]:
> ...
> IMHO, you don't want to share a security object between more than one 
> class, since presumably they will have different declarations and thus each 
> require their own.  So there's no reason to create a ClassSecurityInfo 
> object at the module level, anyway.

Good point. Actually, I only declared ClassSecurityInfo object at the module
level out of convenience: I thought each class (presuming there were more
than one in the module) could reference that same security object, so maybe
save a few CPU cycles in the process (plus, I saw this done in some product
I used as a learning example). But your point is well taken ... plus 
module-level security declarations have no effect at the class level.

Vio




Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread Phillip J. Eby

At 10:43 AM 1/19/02 -0500, vio wrote:
>* vio <[EMAIL PROTECTED]> [020119 09:56]:
>
>So Globals.InitializeClass(your_class) finds the declaration
>'security.declareSomething()' inside a class, but 'security' being
>a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has
>no effect at the class level (while I wrongly thought that by declaring it
>at the module level like that, it will behave more or less like a 'global'
>variable). I wonder what was carried at the class level, but something
>definitely was, else Python would have thrown something ugly at me.

Check the Python reference manual -- not the library reference, but the 
language definition.  You'll find that Python has two primary scopes: 
"local" and "global".  When a class statement is executing, the "local" 
namespace is the future __dict__ of the class, and the global namespace is 
the module __dict__.  If "security.Foo()" is in the body of a class, and 
"security" is not in the *local* namespace (i.e. already defined in the 
class body), then it will be looked up in the global namespace.  Thus, your 
calls went to the module-level "security", but no "security" object was 
present in the resulting class (because there was no statement placing one 
there).

IMHO, you don't want to share a security object between more than one 
class, since presumably they will have different declarations and thus each 
require their own.  So there's no reason to create a ClassSecurityInfo 
object at the module level, anyway.
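Phillip's scoping explanation, shown in running code as an added example (not Zope's code: the real classes are AccessControl.ClassSecurityInfo and Globals.InitializeClass, and this toy mimics only the lookup that matters). The class body of BrokenBoring resolves `security` from the module globals, so its declarations land on the module-level object and InitializeClass finds nothing in the class __dict__; FixedBoring defines `security` inside the class body and is processed normally.

```python
"""Toy ClassSecurityInfo / InitializeClass for the module-level `security` trap.

Added example, not Zope's code.  It keeps the real names so the two versions of
Boring.py read the same way they would in a Product.
"""


class ClassSecurityInfo:
    def __init__(self):
        self.declarations = []          # (permission or None, method name)

    def declareProtected(self, permission, *names):
        for name in names:
            self.declarations.append((permission, name))

    def declarePublic(self, *names):
        self.declareProtected(None, *names)

    def apply(self, cls):
        perms = {}
        for permission, name in self.declarations:
            perms.setdefault(permission, []).append(name)
        cls.__ac_permissions__ = perms


def InitializeClass(cls):
    """Apply the ClassSecurityInfo found *in the class namespace*, then drop it.

    A `security` name that the class body resolved from the module namespace is
    not in cls.__dict__, so there is nothing here to find: the silent failure
    Steve and Phillip describe.
    """
    info = cls.__dict__.get("security")
    if isinstance(info, ClassSecurityInfo):
        info.apply(cls)
        delattr(cls, "security")
    return cls


READ_PERM = "View Stuff"

security = ClassSecurityInfo()          # module level: Boring.py's mistake


class BrokenBoring:
    # `security` is not local to the class body, so Python looks it up in the
    # module globals and this call mutates the module-level object above.
    security.declareProtected(READ_PERM, "index_html")

    def index_html(self):
        return "boring"


class FixedBoring:
    security = ClassSecurityInfo()      # class body: lands in FixedBoring.__dict__
    security.declareProtected(READ_PERM, "index_html")

    def index_html(self):
        return "boring"


InitializeClass(BrokenBoring)
InitializeClass(FixedBoring)


def protected_methods(cls):
    """Permission map InitializeClass produced for cls ({} if it found none)."""
    return getattr(cls, "__ac_permissions__", {})


def stranded_declarations():
    """What the broken class body actually did: it fed the module-level object."""
    return list(security.declarations)
```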





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

You are right, I struggled a lot to understand Zope's declarative security 
model. And I am still learning, so practice makes better. I didn't read 
Globals.InitializeClass() source, and I wrote my following comments out of the 
blue. Developing an error-correcting system might still be a little out
of my league, for now.
Anyway, the important thing is that your initial comments regarding Boring.py
were right on target: 'security = ClassSecurityInfo()' must be declared
INSIDE the class. It really solved my problem. 
Thanks again !!!

Cheers,
Vio


* Steve Alexander <[EMAIL PROTECTED]> [020119 11:05]:
> vio wrote:
> 
> 
> 
> > So Globals.InitializeClass(your_class) finds the declaration 
> > 'security.declareSomething()' inside a class, but 'security' being
> > a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has 
> > no effect at the class level (while I wrongly thought that by declaring it
> > at the module level like that, it will behave more or less like a 'global'
> > variable).
> 
> 
> 
> > In my opinion, Globals.InitializeClass() should check such calls to
> > security methods
> 
> You appear not to understand how Python and the declarative security 
> system in Zope work.
> 
> Globals.InitializeClass() does not read the source to your modules. You 
> would need some sort of "lint" tool to perform the checking you describe.
> 
> 
> Why not try to implement a simple case of the error-correcting system 
> that you describe? You might want to extend an existing lint tool such 
> as PyChecker, to take account of conventions used in Zope products.
> 
>http://pychecker.sourceforge.net/
> 
> --
> Steve Alexander




Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread Steve Alexander

vio wrote:



> So Globals.InitializeClass(your_class) finds the declaration 
> 'security.declareSomething()' inside a class, but 'security' being
> a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has 
> no effect at the class level (while I wrongly thought that by declaring it
> at the module level like that, it will behave more or less like a 'global'
> variable).



> In my opinion, Globals.InitializeClass() should check such calls to
> security methods

You appear not to understand how Python and the declarative security 
system in Zope work.

Globals.InitializeClass() does not read the source to your modules. You 
would need some sort of "lint" tool to perform the checking you describe.


Why not try to implement a simple case of the error-correcting system 
that you describe? You might want to extend an existing lint tool such 
as PyChecker, to take account of conventions used in Zope products.

   http://pychecker.sourceforge.net/

--
Steve Alexander





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

* vio <[EMAIL PROTECTED]> [020119 09:56]:
> vio wrote:
> > Just a word to thank you for your reply. 
> > But incidently, wouldn't it be a good idea for Globals.InitializeClass() 
> > to throw an error
> > or a warning of some kind for hanging 'security.stuff()' declarations,
> > declarations which do not have a related ClassSecurityInfo object AT THE
> > CLASS LEVEL? 
> 
> That would be a fine idea. Unfortunately, there is no straightforward 
> way telling that you called methods on the security object in the class 
> definition.

Why not simply check for the keyword 'security.' in the class source ? 
Anything beginning with that word most probably has something to do with 
security. But if 'security' is not a reference to a security object,
just throw an exception. This would make everything so much simpler.

> 
> When you call Globals.InitializeClass(your_class), it looks for a 
> ClassSecurityInfo object, and doesn't find one.


If I understood correctly, this should be treated like an error:
not allow the programmer to have calls to security methods which
aren't there, because that's more or less what's happening here. And
definitely not be silent about it !!! That's a syntax error or something.

So Globals.InitializeClass(your_class) finds the declaration 
'security.declareSomething()' inside a class, but 'security' being
a reference to a ClassSecurityInfo object AT THE MODULE LEVEL somehow has 
no effect at the class level (while I wrongly thought that by declaring it
at the module level like that, it will behave more or less like a 'global'
variable). I wonder what was carried at the class level, but something 
definitely was, else Python would have thrown something ugly at me.

In my opinion, Globals.InitializeClass() should check such calls to
security methods, and by all means NOT remain silent if it can not carry out 
the call because it couldn't find a ClassSecurityInfo object's method. 
Throw a 'method not found' error or something like that. 
Silence = 'bad'. I'll even say it's a bug.

Vio




Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread Steve Alexander

vio wrote:
> Just a word to thank you for your reply. 
> But incidently, wouldn't it be a good idea for Globals.InitializeClass() 
> to throw an error
> or a warning of some kind for hanging 'security.stuff()' declarations,
> declarations which do not have a related ClassSecurityInfo object AT THE
> CLASS LEVEL? 

That would be a fine idea. Unfortunately, there is no straightforward 
way of telling that you called methods on the security object in the class 
definition.

When you call Globals.InitializeClass(your_class), it looks for a 
ClassSecurityInfo object, and doesn't find one.

The fact that your class definition had the side-effect of altering the 
module's security object doesn't leave any traces in the class object 
that results from your definition.

--
Steve Alexander





Re: [Zope-dev] Security Gurus Wanted

2002-01-19 Thread vio

Just a word to thank you for your reply. 
But incidentally, wouldn't it be a good idea for Globals.InitializeClass() 
to throw an error
or a warning of some kind for hanging 'security.stuff()' declarations,
declarations which do not have a related ClassSecurityInfo object AT THE
CLASS LEVEL? To the unaware beginner (like myself) this creates
a very obscure bug: the declaration at the module level 'hiding' the missing
ClassSecurityInfo object (at the class level). I see some other discussions
on this list on this topic, so maybe this problem is already being addressed.
Anyway, I would never have found this alone by a long shot. Thanks.
Sorry for the cross-post.

* Steve Alexander <[EMAIL PROTECTED]> [020118 15:43]:
> vio wrote:
>  > Could someone have a look at the following 'Boring' class with the
>  > security functionality added (as described in ZopeBook/6.Security
>  > and some other products). Could 'security' machinery be broken in
>  > Zope-2.4.1 ? It surely doesn't seem to work as adverised, on my
>  > machine at least (Debian Linux 2.2, Zope 2.4.1 (source release)
>  > python 2.1.0, linux2). Tell me if it works on your installation.
> 
>  >
>  > Boring.py  __doc__ = "" __version__
>  > = '0.1' import Globals from Globals import HTMLFile  # fakes a
>  > method from a DTML file from Globals import MessageDialog # provid from
>  > Globals import Persistent# makes an object stick in the ZODB import
>  > OFS.SimpleItem import Acquisition import AccessControl.Role from
>  > AccessControl import ClassSecurityInfo
>  >
>  > READ_PERM = 'View Stuff' WRITE_PERM = 'Change Stuff' security =
>  > ClassSecurityInfo()
> 
> 
> You have declared your ClassSecurityInfo object at the module level,
> rather than as an attribute of the class you wish to make security
> statements about.
> 
> Please do not cross-post to both [EMAIL PROTECTED] and [EMAIL PROTECTED] 
> Post to one or the other.
> 
> --
> Steve Alexander




Re: [Zope-dev] Security Gurus Wanted

2002-01-18 Thread Steve Alexander

vio wrote:
 > Could someone have a look at the following 'Boring' class with the
 > security functionality added (as described in ZopeBook/6.Security
 > and some other products). Could 'security' machinery be broken in
 > Zope-2.4.1 ? It surely doesn't seem to work as adverised, on my
 > machine at least (Debian Linux 2.2, Zope 2.4.1 (source release)
 > python 2.1.0, linux2). Tell me if it works on your installation.

 >
 > Boring.py  __doc__ = "" __version__
 > = '0.1' import Globals from Globals import HTMLFile  # fakes a
 > method from a DTML file from Globals import MessageDialog # provid from
 > Globals import Persistent# makes an object stick in the ZODB import
 > OFS.SimpleItem import Acquisition import AccessControl.Role from
 > AccessControl import ClassSecurityInfo
 >
 > READ_PERM = 'View Stuff' WRITE_PERM = 'Change Stuff' security =
 > ClassSecurityInfo()


You have declared your ClassSecurityInfo object at the module level,
rather than as an attribute of the class you wish to make security
statements about.

Please do not cross-post to both [EMAIL PROTECTED] and [EMAIL PROTECTED] 
Post to one or the other.

--
Steve Alexander





[Zope-dev] Security Gurus Wanted

2002-01-18 Thread vio

Could someone have a look at the following 'Boring' class with the security 
functionality added (as described in ZopeBook/6.Security and some other products). 
Could 'security' machinery be broken in Zope-2.4.1 ? It surely doesn't seem to work as 
advertised, on my machine at least (Debian Linux 2.2, Zope 2.4.1 (source release) 
python 2.1.0, linux2). Tell me if it works on your installation.


Boring.py

__doc__ = ""
__version__ = '0.1'
import Globals
from Globals import HTMLFile      # fakes a method from a DTML file
from Globals import MessageDialog # provid
from Globals import Persistent    # makes an object stick in the ZODB
import OFS.SimpleItem
import Acquisition
import AccessControl.Role
from AccessControl import ClassSecurityInfo

READ_PERM = 'View Stuff'
WRITE_PERM = 'Change Stuff'
security = ClassSecurityInfo()    # declared at module level, not inside the class

manage_addBoringForm = HTMLFile('boringAdd', globals())

def manage_addBoring(self, id, title='', REQUEST=None):
    """Add a Boring to a folder."""
    self._setObject(id, Boring(id, title))
    if REQUEST is not None:
        return self.manage_main(self, REQUEST)

class Boring(
    OFS.SimpleItem.Item,           # A simple Principia object. Not Folderish.
    Persistent,                    # Make us persistent. Yaah!
    Acquisition.Implicit,          # Uh, whatever.
    AccessControl.Role.RoleManager # Security manager.
    ):
    """Boring object. """
    meta_type = 'Boring'           # what do people think they're adding?
    manage_options = (             # what management options are there?
        {'label': 'Edit',       'action': 'manage_main'},
        {'label': 'View',       'action': ''}, # defaults to index_html
        {'label': 'Security',   'action': 'manage_access'},
        )

    # NOTE: commented out the following as it seems to conflict with
    #  'security.declareP...()' declarations later on
    #__ac_permissions__=( # what permissions make sense for us?
    #   ('View management screens', ('manage_tabs','manage_main')),
    #   ('Change permissions',      ('manage_access',)   ),
    #   ('Change Borings' ,         ('manage_edit',) ),
    #   ('View Borings',            ('',)),
    #   )

    def __init__(self, id, title=''):
        """initialise a new instance of Boring"""
        self.id = id
        self.title = title

    #   SECURITY -
    # here I played with '#'s, then simply tried to access 'index_html'
    # after each security declaration,
    # as user 'Anonymous', and noted the results on the same line.
    # 'NOT-WORKING' simply means not working as advertised (allowed access when
    # it shouldn't, and vice-versa). As you can see, there are too many
    # 'NOT-WORKING' results. Do you come to similar results?
    # My conclusion is that security declarations have no effect whatsoever,
    # whether I declare something, then its opposite, I end up with the same
    # result. This shouldn't be.

    security.setPermissionDefault(READ_PERM,
                                  ['Stuff Manager','Manager'])
    security.setDefaultAccess('deny')   #   <== NOT-WORKING

    #   security.declarePrivate('index_html')   #   <== NOT-WORKING
    #   security.declarePublic('index_html')    #   <== OK
    #   security.declareProtected(READ_PERM, 'index_html') #  <== NOT-WORKING

    index_html = HTMLFile('index', globals())

    security.declarePublic('manage_main')   #   <== NOT-WORKING
    manage_main = HTMLFile('boringEdit', globals())

    def manage_edit(self, title, REQUEST=None):
        " "
        self.title = title
        if REQUEST is not None:
            return MessageDialog(
                title = 'Edited',
                message = "Properties for %s changed." % self.id,
                action = './manage_main',
                )

Globals.InitializeClass(Boring)



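Steve Alexander's reply in this thread explains why none of the declarations in Boring.py take effect: Globals.InitializeClass only looks inside the class dictionary for a ClassSecurityInfo to apply, and a module-level one is never seen. The following is an added example, not Zope's own code and not anything vio posted: a stripped-down model of that mechanism in plain Python, so it runs without a Zope installation. The names SecurityInfo, initialize_class, allowed, PUBLIC, PRIVATE, BrokenBoring and FixedBoring are hypothetical; permission-to-role resolution is frozen at class-initialisation time here, whereas real Zope resolves it per request through the acquisition chain.

```python
# Added example (not Zope code): a model of how a ClassSecurityInfo-style
# object and an InitializeClass-style scan cooperate, showing why a
# module-level `security` object has no effect on the class.
# Hypothetical names throughout: SecurityInfo, initialize_class, allowed.

# Zope stores the access rule for attribute <name> on the class as
# <name>__roles__: None means public, an empty tuple means private,
# any other tuple lists the roles that may access it.
PUBLIC = None
PRIVATE = ()
_UNSET = object()


class SecurityInfo:
    """Collects declarations; they take effect only when apply() runs."""
    __security_info__ = 1          # marker that initialize_class looks for

    def __init__(self):
        self.names = {}             # attribute name -> rule
        self.perm_roles = {}        # permission -> default roles
        self.default_deny = False

    def declarePublic(self, *names):
        for n in names:
            self.names[n] = PUBLIC

    def declarePrivate(self, *names):
        for n in names:
            self.names[n] = PRIVATE

    def declareProtected(self, permission, *names):
        for n in names:
            self.names[n] = ('perm', permission)

    def setPermissionDefault(self, permission, roles):
        self.perm_roles[permission] = tuple(roles)

    def setDefaultAccess(self, mode):
        self.default_deny = (mode == 'deny')

    def apply(self, cls):
        for name, rule in self.names.items():
            if isinstance(rule, tuple) and rule[:1] == ('perm',):
                # Simplification: Zope resolves permission -> roles at
                # request time via acquisition; this model freezes it here.
                rule = self.perm_roles.get(rule[1], ('Manager',))
            setattr(cls, name + '__roles__', rule)
        if self.default_deny:
            cls.__allow_access_to_unprotected_subobjects__ = 0


def initialize_class(cls):
    """Model of InitializeClass: only the class dict is scanned, so a
    SecurityInfo living at module level is never applied."""
    for value in list(vars(cls).values()):
        if getattr(value, '__security_info__', 0):
            value.apply(cls)
    return cls


def allowed(cls, name, user_roles):
    """Model of the default policy's check for attribute `name`."""
    rule = getattr(cls, name + '__roles__', _UNSET)
    if rule is _UNSET:          # no declaration at all for this name
        return getattr(cls, '__allow_access_to_unprotected_subobjects__', 1) != 0
    if rule is PUBLIC:
        return True
    return any(r in rule for r in user_roles)


# As in the posted Boring.py: the info object lives at module level.
security = SecurityInfo()
security.declarePrivate('index_html')


class BrokenBoring:
    index_html = 'rendered page'


initialize_class(BrokenBoring)      # finds nothing to apply


class FixedBoring:
    security = SecurityInfo()       # class attribute: found and applied
    security.setPermissionDefault('View Stuff', ['Stuff Manager', 'Manager'])
    security.setDefaultAccess('deny')
    security.declareProtected('View Stuff', 'index_html')
    security.declarePublic('manage_main')
    index_html = 'rendered page'
    manage_main = 'edit form'
    title = 'plain attribute'


initialize_class(FixedBoring)
```

BrokenBoring ends up with no index_html__roles__ at all, so the default "allow unprotected attributes" rule lets Anonymous through, which is exactly the "NOT-WORKING" result vio recorded; FixedBoring gets the roles tuple on index_html, manage_main marked public, and everything undeclared denied by setDefaultAccess('deny').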



Re: [Zope-dev] Security Question

2001-11-28 Thread Danny William Adair

> This doesn't work, because the user is not known in root where the
> index_html is,
> the user is known in the folder view.


Sorry.
I think I read your first email a little too fast.

This behavior is normal, and meant to strengthen Zope security.
You are not calling the Image object, index_html is. The user folder will not 
authenticate "above". You are calling index_html which is "above". 
That's why calling the Image object directly works fine.

If the other way would be possible, you could switch the authenticating 
user_folders and thus sneak into something you weren't allowed to access:







This means showing the bouncer your public library card, instead of (at 
least) your driver's license. Of course it says that you're 21...

By the way, this has nothing to do with the URL. Calling /foo/bar/index_html, 
(hoping for acquisition leaving you with the client object "bar"), will bring 
the same result.  will _find_ the Image object, but 
index_html (which is still above) will need to show proper permissions.

So you cannot do it this way. Not even unrestrictedTraverse would help you. 
Not even a proxy role, since you would have the same problem with the method 
that holds the proxy role. Where would you put it?

If I understand you right, you want the user to authenticate when trying to 
access index_html, because that's where the protected image will be shown. 
(Or was the question not of practical relevance?)

You either have to move index_html down to where acl_users lies, or the other 
way around.

If you want one universal "view image" page, which only asks for 
authentication if needed for the image it is supposed to show (and doesn't 
for public images), then call "foo/bar/Image/show" with "show" being a method 
on the same level as your current index_html. Another way would be 
redirection.

The third and by far the easiest solution is to use



in index_html, because then the Image object will be requested directly and 
authenticates itself (on the right level).

I was rebuilding your sample structure, and found something quite annoying, 
that might have to go into the Collector:

"Access contents information" looks like it is not sufficient to access image 
objects or their properties.

 will need the "View" permission, which is 
not how this thing works with other object types. As soon as you _access_ an 
image object Zope behaves as if you were trying to render it, but you're not 
(yet).

You might have found a Zope bug here...

Hope this helps,
Danny




Re: [Zope-dev] Security Question

2001-11-28 Thread Dieter Maurer

Andre Schubert writes:
 > > Andre Schubert writes:
 > >  > Have I misunderstood restrictedTraverse, which says that an object will
 > >  > be accessed by traversing
 > >  > a path and checking permissions for each object.
 > > No, you did not.
 > > That's how "restrictedTraverse" should work
 > Oh, does that mean that I was on the right way?
 > Is there another solution to perform this?
Try "restrictedTraverse".

Almost surely, it will need "Access contents information" which
you might grant to "Anonymous"(?).


Dieter




Re: [Zope-dev] Security Question

2001-11-28 Thread Andre Schubert

Danny William Adair schrieb:
> 
> On Saturday 24 November 2001 01:40, Andre Schubert wrote:
> > root/
> >   index_html
> >   foo/
> > acl_users/
> > bar/
> >   Image
> >
> > I have a image which could only be view by users with a role named
> > foobar, these users are in acl_users.
> > If I access the image through the web I must authenticate myself for the
> > first time, after that everything works well.
> > But if I want to access the Image via  from the
> > index_html in the root-folder I got no access.
> > After searching at Zope.org I tested with  > "restrictedTraverse('foo/bar/Image')"> but this doesn't work.
> > How do I authenticate myself in foo if I access the folder via dtml.
> 
> In your "Image" object, give the "Access Contents Information" to the role
> "Anonymous" (or whoever usually views index_html), but keep "View" forbidden
> for Anonymous (allowed only for "foobar" role owners).
So it is.
> 
> This way, the var tag (which could have been called by Anonymous) will be
> able to "see" the object, and Zope will authenticate automatically, if this
> is necessary in order to view it.
This doesn't work, because the user is not known in root where the
index_html is; the user is known in the folder view.

> 
> For security reasons, your Image object will not even be "found", if the
> caller's role does not have the "Access Contents Information" permission. I
> find this a good idea and reason.
> 
> There is no difference whether you climb to "Image" using restrictedTraverse,
> the "with" tag, or directly. All these will have identical results.
> 
> If you want to avoid the separate permission settings (because you have a lot
> of Image objects you want to behave like that), either give "index_html" a
> proxy role that has the "Access Contents Information" permission on "Image"
> (or the whole "bar" folder), or use unrestrictedTraverse in index_html.
> 
> hth,
> Danny

as




Re: [Zope-dev] Security Question

2001-11-28 Thread Danny William Adair

On Saturday 24 November 2001 01:40, Andre Schubert wrote:
> root/
>   index_html
>   foo/
> acl_users/
> bar/
>   Image
>
> I have a image which could only be view by users with a role named
> foobar, these users are in acl_users.
> If I access the image through the web I must authenticate myself for the
> first time, after that everything works well.
> But if I want to access the Image via  from the
> index_html in the root-folder I got no access.
> After searching at Zope.org I tested with  "restrictedTraverse('foo/bar/Image')"> but this doesn't work.
> How do I authenticate myself in foo if I access the folder via dtml.

In your "Image" object, give the "Access Contents Information" to the role 
"Anonymous" (or whoever usually views index_html), but keep "View" forbidden 
for Anonymous (allowed only for "foobar" role owners).

This way, the var tag (which could have been called by Anonymous) will be 
able to "see" the object, and Zope will authenticate automatically, if this 
is necessary in order to view it.

For security reasons, your Image object will not even be "found", if the 
caller's role does not have the "Access Contents Information" permission. I 
find this a good idea and reason.

There is no difference whether you climb to "Image" using restrictedTraverse, 
the "with" tag, or directly. All these will have identical results.

If you want to avoid the separate permission settings (because you have a lot 
of Image objects you want to behave like that), either give "index_html" a 
proxy role that has the "Access Contents Information" permission on "Image" 
(or the whole "bar" folder), or use unrestrictedTraverse in index_html.

hth,
Danny




Re: [Zope-dev] Security Question

2001-11-27 Thread Andre Schubert

Dieter Maurer schrieb:
> 
> Andre Schubert writes:
>  > Have I misunderstood restrictedTraverse, which says that an object will
>  > be accessed by traversing
>  > a path and checking permissions for each object.
> No, you did not.
> That's how "restrictedTraverse" should work
Oh, does that mean that I was on the right way?
Is there another solution to perform this?

> 
> Dieter




Re: [Zope-dev] Security Question

2001-11-27 Thread Dieter Maurer

Andre Schubert writes:
 > Have I misunderstood restrictedTraverse, which says that an object will
 > be accessed by traversing
 > a path and checking permissions for each object.
No, you did not.
That's how "restrictedTraverse" should work


Dieter




Re: [Zope-dev] Security Question

2001-11-25 Thread Andre Schubert

Dieter Maurer schrieb:
> 
> Andre Schubert writes:
>  > i have a little security problem.
>  > let me explain.
>  >
>  > root/
>  >   index_html
>  >   foo/
>  > acl_users/
>  > bar/
>  >   Image
>  >
>  > I have a image which could only be view by users with a role named
>  > foobar, these users are in acl_users.
>  > If I access the image through the web I must authenticate myself for the
>  > first time, after that everything works well.
>  > But if I want to access the Image via  from the
>  > index_html in the root-folder I got no access.
> I expect, you get hit by a (in my view stupid) security feature:
> 
>   When you are not authorized to access an object, then you
>   should not even see that it is there.
> 
> This is achieved by turning "Unauthorized" exceptions into
> "KeyError" exceptions under some circumstances.
> 
> The effect is similar to what you describe (at least, if I
> interpret "got no access" as a "NameError" or "KeyError" for
> "Image").
> 
> If, however, you keep getting "Unauthorized" exceptions
> (i.e. login requests), then the reason may be that your
> initial request did not get authenticated by "foo/acl_users"
> but by a higher level "acl_users" that does not assign
> the correct role to the user.
> 
This is exactly what I want. I want a user which has to login with
foo/acl_users.
And this user should be allowed to view the Image through dtml.
Have I misunderstood restrictedTraverse, which says that an object will
be accessed by traversing
a path and checking permissions for each object.

as

> Dieter
> 




[Zope-dev] Security

2001-11-20 Thread Magnus Heino


Hi.

Looking at Amos ZPublisher howto,
http://www.zope.org/Members/Amos/ZPublisher

Would it be possible to use the security machinery too?

/Magnus





Re: [Zope-dev] security question

2001-06-16 Thread Shane Hathaway

Tim McLaughlin wrote:
> root has a role called 'User' with 'View' permissions (anonymous is
> disabled) and acl_users has a user called joe.  joe can access objects in
> folder2 according to the permissions set on the root by using acquisition
> like this:
> http://server/folder1/folder2/object1
> joe cannot however, access them directly:
> http://server/folder2/object1
> 
> Does this seem strange to anybody else, or have I just been working too
> long?

What version of Zope?  What OS?  Are you using a user folder other than
the "stock" acl_users?

Shane




[Zope-dev] security question

2001-06-15 Thread Tim McLaughlin

It seems to me that a User should not get to keep their roles in the
acquired objects which are above the User Folder in which the user is
defined... However, that does not seem to be true according my testing.

This is what happens.  Imagine a tree like this:

root
  folder1
    acl_users
  folder2
    object1


root has a role called 'User' with 'View' permissions (anonymous is
disabled) and acl_users has a user called joe.  joe can access objects in
folder2 according to the permissions set on the root by using acquisition
like this:
http://server/folder1/folder2/object1
joe cannot however, access them directly:
http://server/folder2/object1

Does this seem strange to anybody else, or have I just been working too
long?
_
Tim McLaughlin
iterationZERO - www.iterationzero.com
703-481-2233


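Tim's observation above and Danny William Adair's point in the "Security Question" thread (a user folder does not authenticate "above" itself) come down to the same thing: which containers end up in the acquisition chain that URL traversal builds. What follows is an added example, not Zope's code and not from any poster, that models traversal-with-acquisition and the validation pass in plain Python so the two URLs from Tim's message can be compared. The tree, user name and role come from his message; Folder, traverse, authenticate, view_roles_for, can_view and build_tree are hypothetical, the password is constructed, and the plaintext password check stands in for whatever the real user folder does. Real Zope records every user folder passed during traversal and asks each to validate the request, checking that the target is in the context of that folder's container (aq_inContextOf); scanning the chain from the target upward approximates that.

```python
# Added example (not Zope code): model of ZPublisher traversal with
# acquisition plus user-folder validation.  Hypothetical names: Folder,
# traverse, authenticate, view_roles_for, can_view, build_tree.

class Folder:
    def __init__(self, name, view_roles=None, users=None):
        self.name = name
        self.children = {}
        self.view_roles = view_roles   # roles holding 'View' here; None = acquire
        self.users = users             # acl_users: {username: (password, roles)}
        self.parent = None

    def add(self, child):
        child.parent = self
        self.children[child.name] = child
        return child


def traverse(root, path):
    """Each URL segment is looked up on the current object and then acquired
    from the containers already in the chain.  Returns the chain (root first)
    or None when a segment cannot be found anywhere."""
    chain = [root]
    for segment in path.strip('/').split('/'):
        for container in reversed(chain):
            if segment in container.children:
                chain.append(container.children[segment])
                break
        else:
            return None
    return chain


def authenticate(chain, username, password):
    """Only user folders whose container was passed during traversal (so is
    in the chain) may authenticate the request.  Returns the user's roles,
    or Anonymous if no such folder knows the user."""
    for container in reversed(chain):
        if container.users and username in container.users:
            stored_pw, roles = container.users[username]
            if stored_pw == password:       # constructed toy check
                return tuple(roles)
    return ('Anonymous',)


def view_roles_for(chain):
    """'View' permission settings are acquired: walk from the target upward."""
    for ob in reversed(chain):
        if ob.view_roles is not None:
            return tuple(ob.view_roles)
    return ()


def can_view(root, path, username=None, password=None):
    chain = traverse(root, path)
    if chain is None:
        raise KeyError(path)
    roles = authenticate(chain, username, password) if username else ('Anonymous',)
    return any(r in view_roles_for(chain) for r in roles)


def build_tree():
    # Constructed from Tim McLaughlin's message: root grants 'View' to the
    # 'User' role only (Anonymous disabled); joe lives in folder1/acl_users.
    root = Folder('root', view_roles=('User', 'Manager'))
    root.add(Folder('folder1', users={'joe': ('s3cret', ('User',))}))
    folder2 = root.add(Folder('folder2'))
    folder2.add(Folder('object1'))
    return root


if __name__ == '__main__':
    tree = build_tree()
    for url in ('/folder1/folder2/object1', '/folder2/object1'):
        print(url, 'as joe ->', can_view(tree, url, 'joe', 's3cret'))
```

For /folder1/folder2/object1 the chain is root, folder1, folder2 (acquired from root through folder1), object1; folder1's user folder is in the chain, joe authenticates, and the acquired 'View' setting on root admits the 'User' role. For /folder2/object1 folder1 is never traversed, nobody can vouch for joe, the request stays Anonymous and is refused, which is the asymmetry Tim saw.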



[Zope-dev] SECURITY alert and hotfix release

2001-05-01 Thread Chris McDonough

Hello All,

  Dieter Maurer uncovered a potential security issue yesterday that
  necessitated a hotfix release.

  This hotfix addresses an important security issue that affects Zope
  versions up to and including Zope 2.3.2.

  The issue is related to ZClasses in that any user can visit a ZClass
  declaration and change the ZClass permission mappings for methods
  and other objects defined within the ZClass, possibly allowing
  for unauthorized access within the Zope instance.

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.3.2 have this hotfix product installed
  to mitigate this issue.

- http://www.zope.org/Products/Zope/Hotfix_2001-05-01/README.txt

- http://www.zope.org/Products/Zope/Hotfix_2001-05-01/Hotfix_2001-05-01.tgz





Re: [Zope-dev] Security Management

2001-04-15 Thread Chris Withers

Andre Schubert wrote:
> 
> But is there a way to find out that the current REQUEST comes from joe
> and joe has no user object in the root acl_users.

If you're doing this because you're worried that Joe won't later be able to view
the protected document, don't worry, Zope will handle that for you ;-)

cheers,

Chris





Re: [Zope-dev] Security Management

2001-04-12 Thread Dieter Maurer

Andre Schubert writes:
 > ... direct access to authentication credentials ...
You cannot ask Zope about the user identity because
it does not visit the authenticating user folder
in the described case.

If you use basic authentication (the Zope default), then
you can read "REQUEST._auth" to get the AUTHENTICATION
header content which in turn tells you the user (after
base64 decoding). The leading "_" tells you that there
is no way to access it from DTML or Python Script.
You will need an external method.

If you use cookie authentication, you can look at the cookie.
It may show the username in a readable form.


Dieter




[Zope-dev] Security Management

2001-04-12 Thread Andre Schubert

Hi all,

I have a question on the security system of zope.

First i have a folder called foo in the root with acl_users and a doc
called foo_doc:

root/
bar_doc
foo/
acl_users/
joe
foo_doc

Anonymous users can't view the foo_doc. This means only logged-in
users like joe can view the foo_doc.
Now my question is: when joe is logged in in foo to view the foo_doc,
and after that he views bar_doc, he is authenticated as Anonymous in the
bar_doc REQUEST (right??).
But is there a way to find out that the current REQUEST comes from joe
and joe has no user object in the root acl_users.
I played with getSecurityManager, but it doesn't work
Can anybody help please

as





[Zope-dev] SECURITY ALERT and Zope hotfix release [2001-03-08]

2001-03-09 Thread Brian Lloyd

Hello all -

  An issue has come to our attention (thanks to Randy Kern) that
  necessitates a Zope hotfix. Hotfix products can be installed to
  incorporate modifications to Zope at runtime without requiring
  an immediate installation upgrade. Hotfix products are installed
  just as you would install any other Zope product.

  This hotfix (Hotfix_2001-03-08) addresses an important security issue
  that affects Zope version 2.3.0 and the current 2.3.1 beta 1 release.

  The issue involves an error in the 'aq_inContextOf' method of objects
  that support acquisition. A recent change to the access validation
  machinery made this bug begin to affect security restrictions. The bug,
  with the change to validation, made it possible to access Zope objects
  via acquisition that a user would not otherwise have access to. This
  issue could allow users with enough internal knowledge of Zope to
  perform actions higher in the object hierarchy than they should be able
  to.

  We *highly* recommend that any Zope site running Zope 2.3.0 final or any
  alpha or beta version of 2.3.0 or 2.3.1 beta 1 have this hotfix product
  installed to mitigate the issue. Zope 2.3.1 beta 2 will contain a fix for
  the issue, at which time the hotfix can be removed. Zope versions prior
  to 2.3.0 are not affected by this issue.

  - http://www.zope.org/Products/Zope/Hotfix_2001-03-08/README.txt

  - http://www.zope.org/Products/Zope/Hotfix_2001-03-08/Hotfix_2001-03-08.tgz


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com







[Zope-dev] SECURITY alert and hotfix release...

2001-02-23 Thread Brian Lloyd

Hello All,

  Casey Duncan uncovered a potential security issue today that
  necessitated a hotfix release.

  This hotfix addresses an important security issue that affects Zope
  versions up to and including Zope 2.3.1 b1.

  The issue is related to ZClasses in that a user with through-the-web
  scripting capabilities on a Zope site can view and assign class attributes
  to ZClasses, possibly allowing them to make inappropriate changes to
  ZClass instances.

  This patch also fixes problems in the ObjectManager, PropertyManager, and
  PropertySheet classes related to mutability of method return values which
  could be perceived as a security problem.

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.3.1 b1 have this hotfix product installed
  to mitigate these issues if the site is accessible by untrusted users
  who have through-the-web scripting privileges.

- http://www.zope.org/Products/Zope/Hotfix_2001-02-23/README.txt

- http://www.zope.org/Products/Zope/Hotfix_2001-02-23/Hotfix_2001-02-23.tgz



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com







[Zope-dev] Security hole in CookieCrumbler

2001-01-30 Thread Shane Hathaway

Hi folks,

It turns out that the released versions of the CookieCrumbler product have
a terrible security hole.  I recommend you uninstall it immediately.

I'm not going to be able to deal with the problem fully today, but if
you're interested in getting a solution right away you can grab today's
PTK from CVS which contains a version of CookieCrumbler without the hole.

Thanks to Phil Harris for finding the problem.

Shane






[Zope-dev] Security _does_ work, it's just confusing :-)

2001-01-12 Thread Chris Withers

Answering my own post ;-)
Security does work, and was being applied, it's just still very much
along 'allow by default'.

Chris Withers wrote:

> This class has no __roles__, no __ac_permissions__, no nothing...
> Instances of this class are stored within a special folderish class, Y.

Now the key here was the no __ac_permissions__ thing. Basically, this
meant that default__class_init__ didn't add any roles as it usually
does...

> I thought Zope's security policy had changed to be disallow by default,
> but that really doesn't seem to be the case here :-S

It isn't, if you don't define __ac_permissions__ in any class, Acquiring
or not, you're wide open :-(

The patch is pretty simple:
===
RCS file: /cvs-repository/Zope2/lib/python/App/class_init.py,v
retrieving revision 1.5
diff -r1.5 class_init.py
125a126,131
> 
> for name, v in dict.items():
> if not (hasattr(self,'__roles__') or have(name+'__roles__'):
> try: v.__roles__ = []
> except dict[name+'__roles__'] = []
> 
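Review bot: as quoted, the added block is not valid Python and would fail at import of class_init.py: the `if` line is missing its closing parenthesis, and `except dict[name+'__roles__'] = []` must be `except: dict[name+'__roles__'] = []` (an assignment cannot serve as the exception expression). The condition `hasattr(self,'__roles__')` also tests the class as a whole rather than the attribute being examined, so as soon as the class carries any `__roles__` every name in the loop is skipped; the per-name check `have(name+'__roles__')` is the right one, possibly combined with `hasattr(v, '__roles__')`. Finally, `__roles__ = []` denies the attribute to everyone, including Manager, instead of tying it to a permission, which is the "harsh" behaviour the author acknowledges and will hit base-class attributes such as `_properties`.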

...which is quite harsh and simplistic. It's not tested and may have
implications for things like self._properties and the like. But it's
better to have access denied and fix that than not know what's hanging
out, right?

Also, having looked at class_init.py, it appears that if you leave
methods out of __ac_permissions__, they're currently also completely
open, which might be bad :-S (although I think the above patch takes
care of that...)

I guess the 'disallow by default' should really be implemented at the
_checking_ stage, which currently says if you don't have a __roles__
attribute, anyone can do anything, but I understand there were other
implications there. What were they? When will the move to
disallow-by-default take place?

cheers,

Chris





[Zope-dev] Security Machinery doesn't work on some objects?

2001-01-10 Thread Chris Withers

Hi there,

I'm slightly confused by a class I have:

class X(Persistent, Acquisition.Explicit):

This class has no __roles__, no __ac_permissions__, no nothing...
Instances of this class are stored within a special folderish class, Y.

This folderish class has a __bobo_traverse__ which returns X objects,
wrapped in context, from it's self._xs BTree using something along the
lines of:

    def __bobo_traverse__(self, REQUEST, name):
        ob = getattr(self, name, _marker)
        if ob == _marker:
            ob = 
        return self._xs[name].__of__(self)

Now, it appears no methods or other attributes of this class are
protected by the security machinery, even though the instances involved
are wrapped. The DocString stuff still applies but, once a method has a
docstring, any anonymous user who can traverse to one of these objects,
can execute any method (attributes whinge about a missing docstring, how
bizarre, attempting to traverse to __init__ complains the method starts
with a _ ;-) of that instance which is more than a little disturbing ;-)

I thought Zope's security policy had changed to be disallow by default,
but that really doesn't seem to be the case here :-S
What am I missing out on? Is there some mixin class I need or something
I need to acquire to make the security machinery check these objects?

confusedly and worriedly,

Chris





[Zope-dev] Security Permissions

2000-11-27 Thread Andre Schubert

Hi,

I have found the Security Permissions below in the Zope Root that were not
defined by myself.

A
D
G
Z
a
d
h
r
s
t

Who can tell me where these Permissions come from?

as






Re: [Zope-dev] Security/Acquisition Bug? (take two)

2000-11-12 Thread Charlie Wilkinson

I should have included this in my previous reply - this is the Zope
error I am getting after failing out of BASICAUTH login:

--
Zope Error

Zope has encountered an error while publishing this resource. 

Unauthorized

You are not authorized to access this resource.

No Authorization header found. 

Traceback (innermost last):
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /share4/Zope2/lib/python/ZPublisher/Publish.py, line 162, in publish
  File /share4/Zope2/lib/python/ZPublisher/BaseRequest.py, line 463, in traverse
  File /share4/Zope2/lib/python/ZPublisher/HTTPResponse.py, line 569, in unauthorized
Unauthorized: (see above)
--

Does that provide any (additional) clues?

-cw-

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! 
   Join!! 
~
QOTD:
Al Gore: Please, just concede.  I can't handle another four years of
whiney Republican bumper stickers!





Re: [Zope-dev] Security/Acquisition Bug? (take two)

2000-11-12 Thread Charlie Wilkinson

On Sun, Nov 12, 2000 at 11:42:32PM +0100, Dieter Maurer waxed eloquent:
> 
> I tried it on my ZopeCVS installation.
> The Python parts are quite new. The C-part is about 2 weeks old.
> 
> I can not observe what you describe.
> "/index_html" can be viewed as "Annonymous" without any
> change in permissions.

Hi Dieter,
Thanks for investigating.  I also gave it another try, with the same
results as my previous attempts.  Maybe I'm doing something dumb?
I have followed exactly these steps (as a regular user):

1. mkdir Zope2

2. cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository checkout Zope2

3. cd Zope2

4. python wo_pcgi.py

5. python zpasswd.py -u XX -p XX access

6. Edit start file (for port change and stupid log):

#! /bin/sh
reldir=`dirname $0`
PYTHONHOME=`cd $reldir; pwd`
export PYTHONHOME
exec /usr/bin/python \
 $PYTHONHOME/z2.py -P 9000 \
 -D "$@" STUPID_LOG_FILE=$PYTHONHOME/zope.log

7. ./start &

8. Visit http://www.boinklabs.com:9080/index_html

9. Get BASICAUTH login box...  ??

Box is Redhat 6.0 with updates, Python 1.5.2 from source.  CVS is v1.10.5.
The only bit I left out was setting up the CVS login on a prior occasion:

cvs -d :pserver:[EMAIL PROTECTED]:/cvs-repository login

-cw-






[Zope-dev] Security/Acquisition Bug? (take two)

2000-11-10 Thread Charlie Wilkinson

I had posted about this previously, but no one has tackled this one,
it seems to be a pretty serious issue, plus I've done a *lot* of poking
around and learned a few things since I first reported it.  What I have
*not* found (or been told) is that the below described behavior is normal.

First a simple exercise for those who would like to avoid my laborious
novice Zoper description and just ferret out the likely bug:

Create a fresh CVS copy of Zope on your *nix box.  Build it (python
wo_pcgi.py), configure 'start' with the ports of your choosing, set a
superuser password, start Zope and try to visit the /index_html page.

What I'm getting at that point is a BASICAUTH login box.  One has to
explicitly enable anonymous permissions on the index_html page in order
to view it without logging in.  I've read through all the security
model discussion I could find, but saw no discussion of this issue.
If somehow this behavior is intentional, I would greatly appreciate a clue
to that effect.  (Some response either way would be nice, actually...)

Based on my recent flailings with LoginManager and finally, stock
acl_users in Zope v2.2.cvs, it seems this problem relates to the
"scope" of acl_users and/or its parent folder not including the objects
within.  The security settings of the parent folder are apparently not
regarded in determining access to objects within.  Instead, acl_users is
only impacting its sibling objects (and presumably their child objects).

Apologies if I'm making the wrong noises in the wrong place in the
wrong way.  Any help or pointers welcome.

-cw-

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! 
   Join!! 
~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
-- Ralph Nader on David Letterman (9/28/00)





[Zope-dev] Security and Acquisition?!

2000-10-25 Thread Chris Withers

Toby Dickenson wrote:

> Zope security is context based: Users can be defined in a subfolder and only
> have access under that folder, they can also be given local roles for a
> given folder. The role:permission mapping is set per-folder. Any security
> aware object needs to know its context.

Yeah, I think I get it now *grumble* *grumble* ;-)

> > That said, I think Shane said that Zope security is
> > predicated a lot on
> > Acquisition. Now, can I get the solution I'm looking for by mixing in
> > Acquisition.Explicit, still have the security stuff work and
> > not have the
> > DisplayClass acquiring attributes I don't want it do?
> 
> Yes, you will need to set Acquisition.Acquired for the necessary attributes.

Anyone know what those attributes are?

Maybe someone could knock up a new class in Acquisition:

Acquisition.SecurityAcquire which does this but is like
Acquisition.Explicit for everything else?

> 
> Wanting to make an object non-acquiring may be a danger-sign of some other
> problems. If the correctness of your program depends on the absence of
> certain attributes (acquired or otherwise) then you need to take extra care
> over PropertyManager-like features, which might allow a user to add the
> critical attribute.

Yeah, I know :-S

But these are very specific classes that exist for no longer than the
duration of serving a single page request, and it'd just be nice to know
that they're not going to acquire any fluff they shouldn't...

cheers,

Chris





[Zope-dev] Security requires Acquisition?!

2000-10-24 Thread Chris Withers

Toby Dickenson and Brian Lloyd wrote:

> >> list.append(DisplayClass(name,self))
> 
>list.append(DisplayClass(name,self).__of__(self))
> 

> >
> >> class DisplayClass(Globals.Persistent):
> 
>class DisplayClass(Globals.Persistent, Acquisition.Implicit):

Okay, this did the trick, but I'm not very happy with the result :-(

I don't want the DisplayClass to be acquiring and I don't really see
(from a moral standpoint ;-) why I should need to mix in an Acquisition
class to make security work :-S

That said, I think Shane said that Zope security is predicated a lot on
Acquisition. Now, can I get the solution I'm looking for by mixing in
Acquisition.Explicit, still have the security stuff work and not have the
DisplayClass acquiring attributes I don't want it do?

cheers,

Chris





Re: [Zope-dev] Security Confusion :-S

2000-10-23 Thread Toby Dickenson

On Mon, 23 Oct 2000 15:59:24 +0100, Chris Withers <[EMAIL PROTECTED]>
wrote:

(untested hints to follow)


>> class MyProduct(OFS.SimpleItem.SimpleItem): 
>> """...
>> """
>> 
>> __ac_permissions__=(
>>  ('Use MyProduct' ,('a_method',),('Manager',)),
>>  )
>> 
>> a_methodisDocTemp=1
>> 
>> def a_method(self,ignored,md):
>> list = []
>> for name in self.get_contents():
>> list.append(DisplayClass(name,self))

   list.append(DisplayClass(name,self).__of__(self))

>> 
>> return list 
>
>The important bits of DisplayClass look like:
>
>> class DisplayClass(Globals.Persistent):

   class DisplayClass(Globals.Persistent, Acquisition.Implicit):


>> """ """
>> 
>> __allow_access_to_unprotected_subobjects__=1
>> 
>> meta_type = 'CaseDisplay'
>> 
>> __ac_permissions__=(
>>  ('View',('get_name',),('Anonymous',)),
>>  )
>


Toby Dickenson
[EMAIL PROTECTED]





[Zope-dev] Security Confusion :-S

2000-10-23 Thread Chris Withers

If anyone can help me with this, it'd give me more faith in the new
security model :-S

Right, I have a Python Product Class (lots of bits left out ;-):

> class MyProduct(OFS.SimpleItem.SimpleItem): 
> """...
> """
> 
> __ac_permissions__=(
>   ('Use MyProduct' ,('a_method',),('Manager',)),
>   )
> 
> a_methodisDocTemp=1
> 
> def a_method(self,ignored,md):
> list = []
> for name in self.get_contents():
> list.append(DisplayClass(name,self))
> 
> return list 

The important bits of DisplayClass look like:

> class DisplayClass(Globals.Persistent):
> """ """
> 
> __allow_access_to_unprotected_subobjects__=1
> 
> meta_type = 'CaseDisplay'
> 
> __ac_permissions__=(
>   ('View',('get_name',),('Anonymous',)),
>   )

...

> def get_name(self):
> return self._name

Now, I have a DTML method which goes like:

> 
>  
>   :
>   
>  
> 

Which _always_ throws up an authentication box when a_method returns
anything except an empty list. No matter what username or password I
use, that box still appears.

What I would like is for the get_name and a_method methods to be mapped
to permissions so I can manage access to them using the security tab.
How should I do that?

BTW, in an attempt to get the method accessible in _some_ way I have
tried:
- setting __allow_access_to_unprotected_subobjects__=1 in both the
MyProduct and DisplayClass classes.
- setting get_name__roles__=None in the DisplayClass.
- giving every conceivable permission to both the Anonymous and Manager
roles in the folder containing the MyProduct instance

None of which feel like a good way to go, but nevertheless, none of them
worked.
The only way I could solve the problem was to give the DTML Method the
'Manager' proxy role, then everything worked fine.
Why is that?
What _is_ going on?

Confused and Frustrated (isn't that always the way with Zope security?!)

Chris





[Zope-dev] security document comments

2000-09-08 Thread R. David Murray

Well, I just tried to post several paragraphs to the security interface
wiki, and netscape reported a proxy problem.  It then ate my posting
instead of giving it back to me when I pressed back.  So I'm going
to try to recreate what I wrote here and hope someone will post it
for me or something.  (If only w3m supported cookies...)

1) "in an anonymous context" made me think first of anonymous users.
I'm really not sure it's a very evocative phrase.  It's really
about manipulating a reference to the object instance itself rather than
calling one of its methods.

2) The doc is great, but I also like 'command reference' type things
where you get the complete syntax and semantics for each method.
If I can only have one doc, I'll take this one, but I can wish
for both.

3) Although I've written and worked with python Products (and with
python itself for longer), I really don't know what "subobjects
where the subobject supports the setting of arbitrary attributes"
are.  How about an example of one of those?

4) Having read this doc, I now understand how the current security model
works much better.  I think that indicates that this interface is
definitely a move in the right direction in terms of making the
whole thing more understandable and usable.

--RDM






[Zope-dev] Security Stuff :P (part 3) : the tracebacks

2000-08-22 Thread Chris Withers

Well, what do you know? I leave it for a couple of hours to set up a
laptop, come back and try again.
It's not hanging anymore, but I'm still getting the errors when I click
cancel:

Chris Withers wrote:
> Posting's objects have a text attribute called 'subject'
> 
> Unless you have __allow_access_to_unprotected_subobjects__=1, you get
> the following error after you hit cancel on the authentication dialog
> box that pops up:

Traceback (innermost last):
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 187, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 171, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 167, in __call__
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 163, in __call__
    (Object: site_header)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: site_header)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_In.py, line 691, in renderwob
    (Object: site_item_list)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_Util.py, line 331, in eval
    (Object: subject_image(subject))
    (Info: subject)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 189, in validate
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File E:\Zope\227194~1.0\lib\python\AccessControl\ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: subject

> icon is defined in
> Squishfile as follows:
> 
> icon='misc_/Squishdot/squishfile_img'
> 
> ...and is protected by the 'View' permission, but you still get the following error:

Traceback (innermost last):
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 187, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 171, in publish
  File E:\Zope\227194~1.0\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File E:\Zope\227194~1.0\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File E:\Zope\2.2.0\lib\python\Products\Squishdot\Squishdot.py, line 1388, in index_html
    (Object: RoleManager)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 167, in __call__
    (Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\DocumentTemplate\DT_In.py, line 691, in renderwob
    (Object: attachment)
  File E:\Zope\227194~1.0\lib\python\OFS\DTMLMethod.py, line 189, in validate
    (Object: posting_html)
  File E:\Zope\227194~1.0\lib\python\AccessControl\SecurityManager.py, line 139, in validate
  File E:\Zope\227194~1.0\lib\python\AccessControl\ZopeSecurityPolicy.py, line 159, in validate
Unauthorized: icon

Any ideas?

cheers,

Chris





Re: [Zope-dev] Security Strangeness

2000-07-24 Thread Chris Withers

Johan Carlsson wrote:
> First, you can't delegate the permission to add and delete users except
> by assigning the user the role "Manager".
> IMHO this is too limiting.

> Second, if you give a user the permission to Change Permissions, that
> user can change permissions that she doesn't have the right to manage
> in the first place. In that way she can upgrade her permissions.
> That's no good.

This is a little inflexible, isn't it?

Chuck it in the collector I guess... :S

cheers,

Chris





[Zope-dev] Security Strangeness

2000-07-22 Thread Johan Carlsson


Hi all,
I noticed some strange behavior in the way Zope User Folders work.

First, you can't delegate the permission to add and delete users except
by assigning the user the role "Manager".
IMHO this is too limiting.

Second, if you give a user the permission to Change Permissions, that
user can change permissions that she doesn't have the right to manage
in the first place. In that way she can upgrade her permissions.
That's no good.

Best Regards,
Johan Carlsson





[Zope-dev] Security model idea from LoginManager: roles in a class-like hierarchy

2000-07-15 Thread Lalo Martins

I think perhaps roles should take part in a class-like
hierarchy. It would be useful to be able to say that, for
example, "Author" is a subrole of "User", so that if I give
"Author" to a user it automagically gets the permissions for
"User". In my zope-coding experience this is a very realistic
scenario for mass-community sites.

From the point of view of UI, this would mean each role would
have to get a "homepage" in the folder it is defined, where you
can control its set of "superroles". That shouldn't be too hard.

I'll flesh out the proposal and post it to the appropriate
wiki... but first I'd like to collect opinions from the list.

(Of course, by its own nature, this feature is optional and
backwards-compatible... if you don't want to give superroles to
your roles, just don't.)

[]s,
   |alo
   +
--
  Hack and Roll  ( http://www.hackandroll.org )
News for, uh, whatever it is that we are.


http://zope.gf.com.br/lalo   mailto:[EMAIL PROTECTED]
 pgp key: http://zope.gf.com.br/lalo/pessoal/pgp

Brazil of Darkness (RPG)--- http://zope.gf.com.br/BroDar





Re: [Zope-dev] Security is Hard (was Import from upload?)

2000-06-05 Thread Phillip J. Eby

At 12:05 PM 6/5/00 -0400, Evan Simpson wrote:
>
>Security is hard :-/
>

No kidding.  And just think, all the hard stuff that's been done to avoid
trojans in a portal-ish site can be defeated simply by a user making a page
that looks like the portal's login screen and asking the user to "verify"
their password before accessing the "secure content" at that location...

