Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-19 Thread Martijn Pieters

On Wed, Aug 14, 2002 at 04:25:09PM -0400, Brian Lloyd wrote:
> So here's what we'll do. Zope 2.6 will include the string tainting
> changes, enabled by default. The tainting can be turned off by
> providing an environment variable.
> 
> The next Zope 2.5.x release will contain the tainting code, but it
> will be *disabled* by default. If you are worried about the issues
> it addresses, you will be able to enable it explicitly using an
> environment variable (without having to upgrade to 2.6).

I checked in the changes for 2.5; auto quoting now has to be enabled with
an environment variable. Highly recommended!

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-14 Thread Brian Lloyd

> >> Like I said before, this is probably a good feature. If it was
> >> available as a patch then I would probably use it on a number of my
> >> sites, and would recommend it to others. I would be very happy to
> >> see it (or something like it) in 2.7.
> >>
> >> But not 2.6.
> >>
> >
> > Then Jim wrote:
> > WRT to this change, now that I'm back from vacation, I want to talk to
> > Brian about it. ;)

Hear ye, hear ye :^)

Zope 2.6 is a second-dot release, meaning that it is expected that
there will be new features and that it is possible (though we always
try to avoid it) that some things can break in the name of progress.

(See http://dev.zope.org/CVS/ZopeReleasePolicy for more details).

Zope 2.5.x will be a third-dot release, intended to be bug-fix only
(and thus not allowed to break things).

So here's what we'll do. Zope 2.6 will include the string tainting
changes, enabled by default. The tainting can be turned off by
providing an environment variable.

The next Zope 2.5.x release will contain the tainting code, but it
will be *disabled* by default. If you are worried about the issues
it addresses, you will be able to enable it explicitly using an
environment variable (without having to upgrade to 2.6).

2.7 and later releases will behave as 2.6.


Brian Lloyd[EMAIL PROTECTED]
V.P. Engineering   540.361.1716
Zope Corporation   http://www.zope.com







Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Jim Fulton

Jeffrey P Shell wrote:
> On 8/9/02 8:43 AM, "Toby Dickenson" <[EMAIL PROTECTED]>
> wrote:
> 

...

>>Like I said before, this is probably a good feature. If it was available as a
>>patch then I would probably use it on a number of my sites, and would
>>recommend it to others. I would be very happy to see it (or something like it)
>>in 2.7.
>>
>>But not 2.6.
>>
> 
> Oh, 2.6 will never happen anyways ;)  (seriously folks - what's the plan?).

The plan is to release 2.6 as soon as we can. We're really busy with a bunch of
customer work and haven't had as much time to work on this as we'd like.

It's likely that 2.7 will come out at around the same time as 2.6. See
http://dev.zope.org/Wikis/DevSite/Projects/SupportPython22/VisionStatement.

WRT to this change, now that I'm back from vacation, I want to talk to Brian
about it. ;)

Jim

-- 
Jim Fulton   mailto:[EMAIL PROTECTED]   Python Powered!
CTO  (888) 344-4332http://www.python.org
Zope Corporation http://www.zope.com   http://www.zope.org





Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Martijn Pieters

On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
> On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
> 
> > Without the fix, virtually every Zope site in the world is vulnerable
> > to URL-based cross-site scripting exploits.  For instance, any URL which
> > contains invalid form variable marshalling can generate an error page
> > which includes the erroneous value, unquoted.  E.g.:
> >
> > http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E
> 
> Do you plan to fix this bug?
> 
> Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?

Together with the autoquoting changes, I tightened Exception messages; data
from REQUEST is quoted where I could reasonably suspect REQUEST data was
used.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-
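The marshalling failure Tres describes above, as an added example that is not part of the thread or of Zope's own code: a toy form marshaller modelled on the ZPublisher `name:type` converter syntax, with the error page rendered once without quoting (the condition Tres describes) and once with the exception text quoted, as Martijn says he did. The converter table, the error message wording and the page template are this example's own assumptions.

```python
"""Added example (not Zope code): a toy form marshaller modelled on the
ZPublisher 'name:type' converter syntax, and an error page that echoes the
failed value either raw or HTML-quoted."""
import html
import urllib.parse

# Assumption of this example: only a small subset of converter suffixes.
CONVERTERS = {"int": int, "float": float, "string": str}

# Constructed attack query string, following Tres's example URL.
PAYLOAD = "foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E"


class MarshalError(ValueError):
    """Raised when a form value cannot be converted."""


def marshal_form(query_string):
    """Decode a query string and apply 'name:type' converters.

    On a conversion failure the message embeds the offending value, which
    is exactly what turns the error page into a reflection point."""
    form = {}
    for key, value in urllib.parse.parse_qsl(query_string,
                                             keep_blank_values=True):
        name, _, conv = key.partition(":")
        if conv:
            try:
                value = CONVERTERS[conv](value)
            except KeyError:
                raise MarshalError("unknown converter %s for %s" % (conv, name))
            except ValueError:
                # Attacker-controlled text ends up verbatim in the message.
                raise MarshalError(
                    "An error occurred while converting '%s' to %s" % (value, conv))
        form[name] = value
    return form


def render_error_page(exc, quote):
    """standard_error_message-style page with the exception text in a slot.
    quote=False is the pre-fix behaviour; quote=True is the fix."""
    text = str(exc)
    if quote:
        text = html.escape(text, quote=True)
    return "<html><body><h2>Site Error</h2><p>%s</p></body></html>" % text


def handle_request(query_string, quote):
    """Return (form, None) on success or (None, error_page) on failure."""
    try:
        return marshal_form(query_string), None
    except MarshalError as exc:
        return None, render_error_page(exc, quote)
```

Note that quoting the exception text closes the reflection in the error page only; a template that deliberately leaves a slot unquoted and lets REQUEST data fall into it is the separate problem the autoquoting change addresses.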




Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Toby Dickenson

On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:

> Without the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits.  For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the erroneous value, unquoted.  E.g.:
>
> http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E

Do you plan to fix this bug?

Or, with the autoquoting changes, is this to be reclassified as 'not a bug'?






Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson

On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > The risk for breakage is very small really
> >
> > Your choice of '<' and html_quote suggests that my dtml code which
> > generates javascript and vbscript carries a higher risk than dtml which
> > generates html.
>
> Only if you generated that script using data from the REQUEST, implicitly.

Yes

> Which was bad in the first place.

I agree it is true in most cases, but not all. Have you analysed how many
applications will be broken by this? How they can detect the breakage? I
certainly will not have time to assess the implications on my applications
before the scheduled release of 2.6.

> > >, and breakage
> > > will generally only occur when someone is trying to exploit the
> > > weakness, not in normal operation of the site.
> >
> > The fact that your change uses html_quote to 'fix' the problem rather
> > than sounding 'hacker alert' alarm bells suggests to me that you don't
> > really believe that ;-)
>
> Again, the wide scope of DTML use would make such bells warble prematurely
> all too often.

'all too often' also contradicts your statements that this will not happen in 
normal operation of the site, and that the risk of breakage is 'very small'.


Like I said before, this is probably a good feature. If it was available as a
patch then I would probably use it on a number of my sites, and would
recommend it to others. I would be very happy to see it (or something like it)
in 2.7.

But not 2.6.








Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Martijn Pieters

On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > The risk for breakage is very small really
> 
> Your choice of '<' and html_quote suggests that my dtml code which generates 
> javascript and vbscript carries a higher risk than dtml which generates html.

Only if you generated that script using data from the REQUEST, implicitly.
Which was bad in the first place.

> >, and breakage
> > will generally only occur when someone is trying to exploit the weakness,
> > not in normal operation of the site.
> 
> The fact that your change uses html_quote to 'fix' the problem rather than 
> sounding 'hacker alert' alarm bells suggests to me that you don't really 
> believe that ;-)

Again, the wide scope of DTML use would make such bells warble prematurely
all too often. The normal, recommended fix for the general weakness is to
always use HTML quote.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-




Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson

On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote:
> On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > > I am about to land some big changes in the way DTML deals with data
> > > taken from the REQUEST object when accessed implicitly, in both the
> > > Zope Trunk and the Zope 2.5 branch.
> >
> > In my opinion this change is completely unacceptable at this late stage
> > of the release cycle. As you said:
> >
> > > These changes could potentially break existing Zope sites.
> >
> > The existing behavior might be flawed, but it is a flaw we have all lived
> > with for a long time. In my opinion this needs:
> >
> > 1. To be deferred until the 2.7 cycle.
> >
> > 2. A detailed fishbowl proposal.
>
> Note that the problems fixed are potential security problems. Although we
> cannot fix every site out there for sure, the fixes certainly dramatically
> reduce the risks.

I'm not going to argue that this feature is bad - because I don't believe that 
to be true. I suspect the feature is not exactly quite right - but those 
issues can easily be resolved over a full release cycle.

> The risk for breakage is very small really

Your choice of '<' and html_quote suggests that my dtml code which generates 
javascript and vbscript carries a higher risk than dtml which generates html.

>, and breakage
> will generally only occur when someone is trying to exploit the weakness,
> not in normal operation of the site.

The fact that your change uses html_quote to 'fix' the problem rather than 
sounding 'hacker alert' alarm bells suggests to me that you don't really 
believe that ;-)

> I'll leave any decisions on whether or not this stays in the current release
> cycles or moves to 2.7 to Jim Fulton. He is unfortunately on vacation
> until next week.





Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-08 Thread Martijn Pieters

On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > I am about to land some big changes in the way DTML deals with data
> > taken from the REQUEST object when accessed implicitly, in both the Zope
> > Trunk and the Zope 2.5 branch.
> 
> In my opinion this change is completely unacceptable at this late stage of
> the release cycle. As you said:
> 
> > These changes could potentially break existing Zope sites.
> 
> The existing behavior might be flawed, but it is a flaw we have all lived
> with for a long time. In my opinion this needs:
> 
> 1. To be deferred until the 2.7 cycle.
> 
> 2. A detailed fishbowl proposal.

Note that the problems fixed are potential security problems. Although we
cannot fix every site out there for sure, the fixes certainly dramatically
reduce the risks. The risk for breakage is very small really, and breakage
will generally only occur when someone is trying to exploit the weakness,
not in normal operation of the site.

I'll leave any decisions on whether or not this stays in the current release
cycles or moves to 2.7 to Jim Fulton. He is unfortunately on vacation until
next week.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-




Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-03 Thread Florent Guillaume

The way I see it is this:

ZPT has (amongst others) the very nice property that it's trivial to
audit ZPT pages for non-quoted string output: just grep for 'structure'.

OTOH in DTML there's no way to do that, the default is unquoted output.
&dtml-stuff; is a good step, but there's way too much code out there
that doesn't take proper security precautions and is vulnerable to
cross-site scripting attacks. The fact that namespaces are implicit and
make it possible to get stuff from where we don't expect them doesn't
help.

We should always keep in mind the security debacle that PHP has become,
because it didn't take proper precautions for quoting (reports on
Bugtraq of XSS attacks in some PHP application practically every week).
There's magic_quotes_gpc or magic_quotes_runtime that automatically
quotes their equivalent of REQUEST or even any output from outside
applications, but it's a PITA because it does too much and is often
inconvenient, so a lot of users turn it off or forget to turn it on. And
it's too much magic.


The solution Martijn implemented has a number of nice properties, for
instance protecting those that do , and will only leave
open the applications that really didn't take the most basic security
precautions (unfortunately I'm sure there are some out there, doing
stuff like ">).


So in a code audit all  should be suspect, and
&dtml-.xxx; too.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:[EMAIL PROTECTED]
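Florent's audit heuristic (grep ZPT for `structure`; in DTML every unquoted `<dtml-var>` is suspect), as an added example rather than anything from the thread or from Zope: a small scanner over constructed DTML and ZPT sources. The regexes, the sample templates and the function names are this example's own assumptions.

```python
"""Added example (not from the thread or Zope): a source audit that flags
the constructs Florent calls suspect.  Regexes and sample templates are
this example's own."""
import re

# <dtml-var ...> with its attribute string captured; the entity form
# &dtml-name; html-quotes by default and is therefore not reported.
DTML_VAR = re.compile(r"<dtml-var\b([^>]*)>", re.IGNORECASE)
HTML_QUOTE = re.compile(r"\bhtml_quote\b")
# ZPT inserts raw markup only through the 'structure' keyword.
ZPT_STRUCTURE = re.compile(r'tal:(?:content|replace)\s*=\s*"\s*structure\b',
                           re.IGNORECASE)

# Constructed sample templates.
SAMPLE_DTML = """\
<h1><dtml-var title_or_id html_quote></h1>
<p>&dtml-description;</p>
<p><dtml-var body></p>
<p><dtml-var expr="REQUEST.get('msg', '')"></p>
"""

SAMPLE_ZPT = """\
<h1 tal:content="here/title_or_id">Title</h1>
<div tal:content="structure here/body">Body</div>
<p tal:replace="request/form/msg | nothing">msg</p>
"""


def audit_dtml(source):
    """Return (line number, tag) for each <dtml-var> lacking html_quote."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in DTML_VAR.finditer(line):
            if not HTML_QUOTE.search(match.group(1)):
                findings.append((lineno, match.group(0)))
    return findings


def audit_zpt(source):
    """Return (line number, attribute) for each tal:content/tal:replace
    that uses 'structure'."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in ZPT_STRUCTURE.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings
```

The DTML findings are a worklist, not verdicts: `<dtml-var body>` may be rendering trusted HTML on purpose, while `expr="REQUEST.get(...)"` is explicit REQUEST access that the autoquoting change deliberately leaves alone, so both need a human decision. The ZPT list is short because, as Florent notes, unquoted output there is opt-in.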




Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Martijn Pieters

On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote:
> Likewise I'm trying to digest all that and I'm a little surprised. More magic
> in DTML? Not something I'd vote for normally.
> 
> I'm a little confused why this is suddenly an issue, yeah so we pull a string
> out of the REQUEST and thanks to DTML stack we may not know where it came
> from. Well that's always been there. And yeah the string may contain nasty
> HTML. Again that's always been there.
> In the past (and I can't find posts to show it) the party line was Zope is an
> application server and it's up to the person developing the application to
> worry about it. That's why ChrisW wrote stripogram and I use it in quite a
> few apps.

Yup. And that is still the case. However, the combination of implicit REQUEST
form interpolation and no HTML quoting turns out to be especially dangerous,
because of those situations where you *want* no HTML quoting for optional
information that normally should *not* come from the REQUEST.

An example is the Zope help system; there are API help pages that have
optional information, which when present is already HTML. But when not
present in the object hierarchy, but it *is* available in the REQUEST, the
REQUEST data is used instead. The way standard_error_message deals with
exceptions is another such situation. The DTML author didn't expect the
particular template slot to be filled with REQUEST data, the slot is
optional, and the author has no way of preventing REQUEST data from being
used.

The solution we chose fixes that problem, for all existing DTML as well as
future DTML. Note that ZPT does not have this problem, as it quotes by
default and doesn't use implicit namespaces.

> One other question? Why does it matter that the string is implicitly called,
> why don't you taint explicitly called too? It makes me think of Perl where
> taint mode taints anything coming from the user?

Because, as explained above, it's the implicit case that is dangerous. In the
explicit case you are supposed to know you are working with unsafe data and
thus the old rules apply. If we explicitly quoted, we hurt everyone that
either did the right thing from the start and/or already knows they are
playing with fire.

> This still doesn't solve the party line and means I would like to suggest
> again (and this time I have the time to work on it) that we add something
> like stripogram or similar to the core, so that is easy for an application
> developer to have access to strip html and other functions from products,
> DTML, Python Scripts etc to easily alter, manage and make HTML safer.

The CMF now includes a basic HTML stripper. In future iterations, Tres
Seaver expects this to evolve into a CMF Tool that is more generally
configurable and usable.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-
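The tainting behaviour Martijn describes above (implicit REQUEST data is quoted, explicit access is left to the author, the optional slot that falls through to the REQUEST is protected), as an added example that is not Zope's implementation: a toy DTML-style namespace stack in which form values containing `<` are wrapped, implicit lookups of wrapped values come back HTML-quoted, and explicit form access still yields the raw string. `TaintedString`, `Namespace`, `dtml_var`, `render_help_page` and the quoting rules are this example's own assumptions.

```python
"""Added example (not Zope code): a toy model of the 'tainted string'
approach described in the thread.  REQUEST form values containing '<' are
wrapped; implicit namespace lookups of such values are HTML-quoted; explicit
access hands back the raw string."""
import html


class TaintedString:
    """Wrapper for REQUEST data that contains '<'."""

    def __init__(self, value):
        self.value = value

    def quoted(self):
        # html_quote-style escaping; quote=True also covers " and ' so the
        # value is safe in attribute context as well as text content.
        return html.escape(self.value, quote=True)

    def __str__(self):
        # Careless str()/concatenation of the wrapper yields the quoted form.
        return self.quoted()


def taint_form(form):
    """Wrap only values containing '<'; a normal request is left untouched,
    which is why breakage mostly surfaces under attack."""
    return {k: TaintedString(v) if isinstance(v, str) and "<" in v else v
            for k, v in form.items()}


class Namespace:
    """DTML-style lookup stack: the object's own attributes are searched
    first, then the (tainted) REQUEST form, modelling implicit acquisition
    of form data by name."""

    def __init__(self, obj_attrs, request_form):
        self.layers = [obj_attrs, taint_form(request_form)]

    def lookup(self, name):
        for layer in self.layers:
            if name in layer:
                return layer[name]
        raise KeyError(name)


def dtml_var(ns, name, html_quote=False):
    """Model <dtml-var name> and <dtml-var name html_quote>."""
    value = ns.lookup(name)
    if isinstance(value, TaintedString):
        # Implicit REQUEST data is quoted whatever the author asked for.
        return value.quoted()
    text = str(value)
    return html.escape(text, quote=True) if html_quote else text


def render_help_page(obj_attrs, request_form):
    """The optional-slot case: 'summary' is already HTML when the object
    supplies it and absent otherwise; without tainting the REQUEST would
    silently fill the slot unquoted."""
    ns = Namespace(obj_attrs, request_form)
    try:
        summary = dtml_var(ns, "summary")   # deliberately unquoted slot
    except KeyError:
        summary = ""
    return "<h1>%s</h1>\n%s" % (dtml_var(ns, "title", html_quote=True), summary)


def explicit_form_value(request_form, name):
    """Explicit access (REQUEST.form[name]) hands back the raw string: the
    author is expected to know it is untrusted and quote it themselves."""
    value = taint_form(request_form)[name]
    return value.value if isinstance(value, TaintedString) else value
```

The trade-off Toby raises is visible in `dtml_var`: a tainted value reached implicitly inside a `<script>` block comes back with `&lt;` where JavaScript expected `<`, so DTML that generates script from implicit REQUEST data breaks rather than being silently exploitable.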




Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Andy McKay

Likewise I'm trying to digest all that and I'm a little surprised. More magic
in DTML? Not something I'd vote for normally.

I'm a little confused why this is suddenly an issue, yeah so we pull a string
out of the REQUEST and thanks to DTML stack we may not know where it came
from. Well that's always been there. And yeah the string may contain nasty
HTML. Again that's always been there.
In the past (and I can't find posts to show it) the party line was Zope is an
application server and it's up to the person developing the application to
worry about it. That's why ChrisW wrote stripogram and I use it in quite a
few apps.

One other question? Why does it matter that the string is implicitly called,
why don't you taint explicitly called too? It makes me think of Perl where
taint mode taints anything coming from the user?

This still doesn't solve the party line and means I would like to suggest
again (and this time I have the time to work on it) that we add something
like stripogram or similar to the core, so that is easy for an application
developer to have access to strip html and other functions from products,
DTML, Python Scripts etc to easily alter, manage and make HTML safer.
--
  Andy McKay
  @gmweb Consulting
  http://www.agmweb.ca



