Re: [Zope-dev] Possible security problem with DTML

2003-03-24 Thread Leonardo Rochael Almeida
On Fri, 2003-03-21 at 20:08, kosh wrote:
> I am having a problem where DTML is allowing access to an attribute of an
> object that restrictedTraverse and regular . notation deny from a python
> script.

This is pretty serious. You should post this as a bug in the collector.

Cheers, Leo

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Possible security problem with DTML

2003-03-24 Thread kosh
On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> On Fri, 2003-03-21 at 20:08, kosh wrote:
> > I am having a problem where DTML is allowing access to an attribute of an
> > object that restrictedTraverse and regular . notation deny from a
> > python script.
> 
> This is pretty serious. You should post this as a bug in the collector.
> 
>   Cheers, Leo

Yeah, I will report this to the collector. I just wanted to see if anyone else 
had seen this or thought it was a bug, or some really weird thing that is 
supposed to happen but is not documented. It would not be the first time that 
Zope had some really strange stuff in it. ;)



Re: [Zope-dev] Possible security problem with DTML

2003-03-24 Thread Shane Hathaway
On 03/24/2003 12:28 PM, kosh wrote:
> On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> 
> > On Fri, 2003-03-21 at 20:08, kosh wrote:
> > 
> > > I am having a problem where DTML is allowing access to an attribute of an
> > > object that restrictedTraverse and regular . notation deny from a
> > > python script.
> > 
> > This is pretty serious. You should post this as a bug in the collector.
> > 
> > 	Cheers, Leo
> 
> Yeah, I will report this to the collector. I just wanted to see if anyone else 
> had seen this or thought it was a bug, or some really weird thing that is 
> supposed to happen but is not documented. It would not be the first time that 
> Zope had some really strange stuff in it. ;)

Are you talking about a DTMLFile in a Python product?  DTMLFiles do not 
check security (nor do they normally need to, since they are trusted).

Shane



[Zope-dev] Possible security problem with DTML

2003-03-21 Thread kosh
I am having a problem where DTML is allowing access to an attribute of an 
object that restrictedTraverse and regular . notation deny from a Python 
Script.

I have a Python product and I have security.setDefaultAccess('deny') set, so 
that items inside it without security declarations can't be called. This 
works for URL traversal, restrictedTraverse and getting to the object 
via Python Scripts, in that access is denied, but DTML can get right in, which 
is a problem.

Let's say I have a container foo with an object bar in it, and inside bar an 
object which should not be allowed to be accessed.

<dtml-var foo.bar.shouldnotwork> gives the value of shouldnotwork

however

<dtml-var "restrictedTraverse('foo/bar/shouldnotwork')"> gives access denied


and from a python script 

return context.foo.bar.shouldnotwork gives an access denied also, which is what 
I expect.

For a ZPT object I get the same result of access being denied for

<span tal:replace="here/foo/bar/shouldnotwork"></span>

Thus I suspect the problem is with DTML somewhere, but I am not sure where. 
However, I could also be doing something wrong in my Python product, but 
currently I cannot imagine what would allow that DTML to do it but nothing 
else.

The variable shouldnotwork is just a string that is stored in object bar.

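The behaviour kosh describes (setDefaultAccess('deny') honoured by restrictedTraverse, Python Scripts and ZPT but not by DTML) and Shane's explanation (a DTMLFile in a filesystem product is trusted code and performs no check) come down to which attribute-access path the name lookup goes through. The model below is an added illustration and not Zope's own code: it re-implements, in a much reduced form, the two conventions that Zope's security machinery actually stamps onto a class (`__allow_access_to_unprotected_subobjects__` for the class default, and a `name__roles__` attribute per declaration), and contrasts a guarded lookup with a plain `getattr`. The class and attribute names `Foo`, `Bar`, `shouldnotwork`, `manager_only` and `greeting` mirror the thread or are invented for the example; `declareProtected` here takes roles directly instead of a permission name, and acquisition, ownership checks and the permission-to-roles mapping of the real policy are left out.

```python
# Added illustration, not Zope's code: a stripped-down model of Zope 2
# attribute protection, contrasting the restricted access path (Python
# Scripts, restrictedTraverse, ZPT) with a trusted path that checks nothing
# (the situation Shane describes for a DTMLFile inside a product).

_MISSING = object()


class Unauthorized(Exception):
    """Raised by the restricted path when the check refuses access."""


class User:
    def __init__(self, name, roles=()):
        self.name = name
        self.roles = frozenset(roles)


class ClassSecurityInfo:
    """Minimal stand-in for AccessControl.ClassSecurityInfo (simplified:
    roles are given directly instead of a permission name)."""

    def __init__(self):
        self.default_access = 'allow'
        self.declarations = {}

    def setDefaultAccess(self, value):
        assert value in ('allow', 'deny')
        self.default_access = value

    def declareProtected(self, roles, *names):
        for name in names:
            self.declarations[name] = tuple(roles)

    def declarePublic(self, *names):
        for name in names:
            self.declarations[name] = None     # None means public, as in Zope

    def declarePrivate(self, *names):
        for name in names:
            self.declarations[name] = ()       # () means nobody, as in Zope

    def initialize(self, cls):
        """Plays the role of InitializeClass: stamps the class with the
        attributes the policy later consults."""
        cls.__allow_access_to_unprotected_subobjects__ = (
            self.default_access == 'allow')
        for name, roles in self.declarations.items():
            setattr(cls, name + '__roles__', roles)


def guarded_getattr(obj, name, user):
    """Restricted path: roughly what guarded_getattr does for untrusted code."""
    value = getattr(obj, name)
    roles = getattr(obj, name + '__roles__', _MISSING)
    if roles is _MISSING:
        # No declaration for this name: fall back to the container's default.
        if getattr(obj, '__allow_access_to_unprotected_subobjects__', True):
            return value
        raise Unauthorized(name)
    if roles is None:                        # declarePublic
        return value
    if user.roles.intersection(roles):       # declareProtected, user qualifies
        return value
    raise Unauthorized(name)


def trusted_getattr(obj, name, user):
    """Trusted path: plain getattr, no check, like a filesystem DTMLFile."""
    return getattr(obj, name)


def traverse(root, path, user, getter=guarded_getattr, sep='/'):
    obj = root
    for name in path.split(sep):
        obj = getter(obj, name, user)
    return obj


class Foo:                                   # container with the default policy
    pass


class Bar:                                   # the product class from the thread
    security = ClassSecurityInfo()
    security.setDefaultAccess('deny')
    security.declareProtected(('Manager',), 'manager_only')
    security.declarePublic('greeting')

    def __init__(self):
        self.shouldnotwork = 'secret string'   # no declaration at all
        self.manager_only = 'for managers'
        self.greeting = 'hello'


Bar.security.initialize(Bar)


def build_root():
    root = Foo()
    root.foo = Foo()
    root.foo.bar = Bar()
    return root


def outcome(fn, *args):
    """Return the value, or the string 'Unauthorized' if the check refused."""
    try:
        return fn(*args)
    except Unauthorized:
        return 'Unauthorized'


def compare(user):
    """Same object, same user, two access paths (plus the declared names)."""
    root = build_root()
    return {
        'restrictedTraverse': outcome(traverse, root, 'foo/bar/shouldnotwork', user),
        'dtml_trusted': outcome(traverse, root, 'foo.bar.shouldnotwork', user,
                                trusted_getattr, '.'),
        'public': outcome(traverse, root, 'foo/bar/greeting', user),
        'manager_only': outcome(traverse, root, 'foo/bar/manager_only', user),
    }


if __name__ == '__main__':
    for who in (User('anonymous'), User('admin', ['Manager'])):
        print(who.name, compare(who))
```

Running it shows the undeclared `shouldnotwork` refused on the guarded path for every user, including Manager, while the trusted path hands it back without looking at roles; the declared names behave as their declarations say on the guarded path. The practical check is therefore not "does DTML see the value" but "which path evaluates the template": a DTMLFile shipped inside a product is trusted and its expressions go through plain attribute access, whereas a DTML Method stored in the ZODB, a Python Script or a Page Template is untrusted and goes through the guarded lookup.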