Re: [Zope-dev] [zope2] Help needed with security checks and add views
On 27 June 2010 00:24, Hanno Schlichting ha...@hannosch.eu wrote:
> Hi there,
>
> recently MJ opened a security related bug and disclosed it to the public at
> https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short Zope 2 never supported the permission attribute on ZCML browser:view
> declarations. It seems some people might have specified this attribute and
> assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns
> about those cases. This is similar to how we handle other such cases like the
> unsupported <require set_schema=".." /> and <require set_attributes="..." />
> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that looks
> like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view (+) has no
> working security declarations I can see, and only has such a non-functioning
> permission=zope2.ViewManagementScreens set.
>
> I'm not familiar enough with the add view concept to understand what this is
> doing. It also looks like both CMF and Plone use similar registrations for
> their add views.
>
> Ideally I'd love to add support for the permission attribute, as clearly
> people have been using it. But if there's nobody who can figure out how to do
> that, I'd at least like to clarify the add view case.

Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm allowed
to close the issue on Launchpad, but it should be fine now.

Cheers,
Martin

___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] [zope2] Help needed with security checks and add views
On Sat, Jul 10, 2010 at 12:14 PM, Martin Aspeli optilude+li...@gmail.com wrote:
> Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm
> allowed to close the issue on Launchpad, but it should be fine now.

Awesome! You truly rock!

Much appreciated,
Hanno
Re: [Zope-dev] [zope2] Help needed with security checks and add views
On 10 July 2010 18:16, Hanno Schlichting ha...@hannosch.eu wrote:
> On Sat, Jul 10, 2010 at 12:14 PM, Martin Aspeli optilude+li...@gmail.com wrote:
>> Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm
>> allowed to close the issue on Launchpad, but it should be fine now.
>
> Awesome! You truly rock!

My powers of copy and paste are sharp, it must be said. :)

Martin
Re: [Zope-dev] [zope2] Help needed with security checks and add views
On Thu, Jul 8, 2010 at 3:02 PM, Martin Aspeli optilude+li...@gmail.com wrote:
>> Ideally I'd love to add support for the permission attribute, as clearly
>> people have been using it. But if there's nobody who can figure out how to
>> do that, I'd at least like to clarify the add view case.
>
> Why can't we just copy the relevant code from the browser:page directive?
>
> The ViewSecurityGrokker in
> http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163view=auto
> may be useful reading too. It should be doing the same thing, no?

It seems you have some idea about this code, so are you volunteering to
implement this?

Since we are dealing with a disclosed real security vulnerability here, I need
to have some resolution by next Tuesday. Either that is disabling the
functionality or protecting it with some security.

Hanno
Re: [Zope-dev] [zope2] Help needed with security checks and add views
On 9 July 2010 16:12, Hanno Schlichting ha...@hannosch.eu wrote:
> On Thu, Jul 8, 2010 at 3:02 PM, Martin Aspeli optilude+li...@gmail.com wrote:
>>> Ideally I'd love to add support for the permission attribute, as clearly
>>> people have been using it. But if there's nobody who can figure out how
>>> to do that, I'd at least like to clarify the add view case.
>>
>> Why can't we just copy the relevant code from the browser:page directive?
>>
>> The ViewSecurityGrokker in
>> http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163view=auto
>> may be useful reading too. It should be doing the same thing, no?
>
> It seems you have some idea about this code, so are you volunteering to
> implement this?

Possibly. I have client work that has to take priority right now.

> Since we are dealing with a disclosed real security vulnerability here, I
> need to have some resolution by next Tuesday. Either that is disabling the
> functionality or protecting it with some security.

I'd appreciate it if someone who's getting more than four hours of sleep a
night at the moment takes a stab. I'm happy to review/assist.

Martin
Re: [Zope-dev] [zope2] Help needed with security checks and add views
Hi.

As a reminder: If nobody is able to help with this, I'll disable the insecure
view registration in Zope2 and release new versions Tuesday 13th.

From my understanding of the code, Zope 2 itself is not vulnerable, as there's
no registrations for IFactory utilities included. But in any system that has
such registrations, anonymous users should be able to create any such content
item in any location.

Hanno

On Sat, Jun 26, 2010 at 6:24 PM, Hanno Schlichting ha...@hannosch.eu wrote:
> recently MJ opened a security related bug and disclosed it to the public at
> https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short Zope 2 never supported the permission attribute on ZCML browser:view
> declarations. It seems some people might have specified this attribute and
> assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns
> about those cases. This is similar to how we handle other such cases like the
> unsupported <require set_schema=".." /> and <require set_attributes="..." />
> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that looks
> like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view (+) has no
> working security declarations I can see, and only has such a non-functioning
> permission=zope2.ViewManagementScreens set.
>
> I'm not familiar enough with the add view concept to understand what this is
> doing. It also looks like both CMF and Plone use similar registrations for
> their add views.
>
> Ideally I'd love to add support for the permission attribute, as clearly
> people have been using it. But if there's nobody who can figure out how to do
> that, I'd at least like to clarify the add view case.
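The warning Hanno added to Zope 2 flags exactly the pattern this thread is about: a browser:view directive carrying a permission attribute that is never enforced. The following is an added example, not code from the thread or from Zope itself, showing how a site owner can audit their own ZCML for that pattern before upgrading; the sample ZCML, the `for` interface and the `example.browser.ManageForm` class are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by browser:view / browser:page directives in ZCML.
BROWSER_NS = "http://namespaces.zope.org/browser"

# Constructed sample ZCML modelled on the add view ("+") registration the
# thread discusses; the "for" interface and ManageForm class are illustrative.
SAMPLE_ZCML = """<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">

  <!-- permission here is silently ignored by Zope 2's browser:view -->
  <browser:view
      name="+"
      for="zope.app.container.interfaces.IAdding"
      class="Products.Five.adding.ContentAdding"
      permission="zope2.ViewManagementScreens"
      />

  <!-- browser:page does enforce its permission attribute -->
  <browser:page
      name="manage_form"
      for="*"
      class="example.browser.ManageForm"
      permission="zope2.ViewManagementScreens"
      />
</configure>
"""


def audit_zcml(zcml_text):
    """Return (name, class, finding) for every browser:view directive.

    Both cases are reported: a view with permission="..." is flagged because
    Zope 2 never honoured that attribute, so the protection the author
    believed they declared does not exist; a view without any permission is
    flagged as unprotected outright. browser:page directives are skipped
    because their permission attribute is enforced.
    """
    root = ET.fromstring(zcml_text)
    findings = []
    for el in root.iter("{%s}view" % BROWSER_NS):
        name, cls = el.get("name", ""), el.get("class", "")
        perm = el.get("permission")
        if perm is None:
            findings.append((name, cls, "browser:view has no permission"))
        else:
            findings.append((name, cls, "permission=%r not enforced" % perm))
    return findings
```

Run `audit_zcml` over each configure.zcml in a deployment to list every browser:view whose class needs either a real security declaration or conversion to browser:page.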
Re: [Zope-dev] [zope2] Help needed with security checks and add views
Hi Hanno,

On 27 June 2010 00:24, Hanno Schlichting ha...@hannosch.eu wrote:
> Hi there,
>
> recently MJ opened a security related bug and disclosed it to the public at
> https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short Zope 2 never supported the permission attribute on ZCML browser:view
> declarations. It seems some people might have specified this attribute and
> assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns
> about those cases. This is similar to how we handle other such cases like the
> unsupported <require set_schema=".." /> and <require set_attributes="..." />
> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that looks
> like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view (+) has no
> working security declarations I can see, and only has such a non-functioning
> permission=zope2.ViewManagementScreens set.
>
> I'm not familiar enough with the add view concept to understand what this is
> doing. It also looks like both CMF and Plone use similar registrations for
> their add views.

And Dexterity, I suggest.

> Ideally I'd love to add support for the permission attribute, as clearly
> people have been using it. But if there's nobody who can figure out how to do
> that, I'd at least like to clarify the add view case.

Why can't we just copy the relevant code from the browser:page directive?

The ViewSecurityGrokker in
http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163view=auto
may be useful reading too. It should be doing the same thing, no?

Martin
Re: [Zope-dev] [zope2] Help needed with security checks and add views
On 26.06.2010, 18:24, Hanno Schlichting ha...@hannosch.eu wrote:
> In short Zope 2 never supported the permission attribute on ZCML browser:view
> declarations. It seems some people might have specified this attribute and
> assumed it would do something.

I'm not sure this affects only views. I have just checked a Zope 2.10 based
site (with CMF) where pages are protected. They work as expected. More recent
Zope 2.12 sites do not apply the same protection. For an example try
/members_manage_form on a Zope 2.12.4 + CMF 2.1 site. I.e. the error may not
be in the way declarations are handled but in the exception handling.

Charlie
--
Charlie Clark
Managing Director
Clark Consulting Research
German Office
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226