[Zope] [Security issue] SQL injection in DTML or in connection objects

2020-02-12 Thread Michael Howitz
On behalf of the Plone security team I am announcing this security issue in 
Zope also here:

CVE Identifier: CVE-2020-7939
Type: SQL injection
Severity: 4.9 – MEDIUM
Affected Zope versions:
 * Zope 2 older than 2.13.30 (2.13.30 is not yet released)
 * Zope 4 older than 4.2

For details see 
https://plone.org/security/hotfix/20200121/sql-injection-in-dtml-or-in-connection-objects

To fix the issue use the Hotfix provided at 
https://plone.org/security/hotfix/20200121 (version 1.1 or newer)
or upgrade to Zope 4.2+.
There is no released Zope 2.13 version yet which includes the fix. (I hope it
can be released soon.)

--
Kind regards
Michael Howitz



___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )


[Zope] Security vulnerability 20110928: Arbitrary Code Execution (pre-announcement)

2011-09-28 Thread Tres Seaver

The Zope security response team is pre-announcing a fix for a
vulnerability in Zope 2.12.x and Zope 2.13.x that allows execution of
arbitrary code by anonymous users.

This is a severe vulnerability that allows an unauthenticated attacker
to employ a carefully crafted web request to execute arbitrary commands
with the privileges of the Zope service.

Versions Affected:  Zope 2.12.x and Zope 2.13.x.

Versions Not Affected: Zope 2.9.x, Zope 2.10.x, Zope 2.11.x

This is a pre-announcement. Due to the severity of this issue we are
providing an advance warning of an upcoming patch, which will be
released 2011-10-04 15:00 UTC.


What you should do in advance of patch availability
===================================================

Due to the nature of the vulnerability, the security team has decided to
pre-announce that a fix is upcoming before disclosing the details. This
is to ensure that concerned users can plan around the release.  As the
fix being published will make the details of the vulnerability public,
we are recommending that all users plan a maintenance window for 30
minutes either side of the announcement where your site is completely
inaccessible in which to install the fix.

Meanwhile, we STRONGLY recommend that you take the following steps to
protect your site:

- Make sure that the Zope service is running with minimum
  privileges. Ideally, the Zope and ZEO services should be able to
  write only to log and data directories.

- Use an intrusion detection system that monitors key system resources
  for unauthorized changes.

- Monitor your Zope, reverse-proxy request and system logs for unusual
  activity.

In this case, these are standard precautions that should be employed on
any production system.

Extra help
==========

Should you not have in-house server administrators or a service
agreement looking after your website you can find consultancy companies
on plone.net.

There is also free support available online via Zope mailing lists and
the #zope IRC channels.

Questions and Answers
=====================

Q: When will the patch be made available?
A: The Security Team will release the patch at 2011-10-04 15:00 UTC.

Q. What will be involved in applying the patch?
A. Patches are made available as tarball-style archives that may be
unpacked into the “products” folder of a buildout installation and as
Python packages that may be installed by editing a buildout
configuration file and running buildout.  Patching is generally easy and
quick to accomplish.

Q: How was this vulnerability found?
A: This issue was found as part of a routine audit performed by the
Plone Security team.

Q: My site is highly visible and mission-critical. I hear the patch has
already been developed. Can I get the fix before the release date?
A: No. The patch will be made available to all users at the same time.
There are no exceptions.

Q: If the patch has been developed already, why isn't it already made
available to the public?
A: The Security Team is still testing the patch and running various
scenarios thoroughly. The team is also making sure everybody has
appropriate time to plan to patch their Zope installation(s). Some
consultancy organizations have hundreds of sites to patch and need the
extra time to coordinate their efforts with their clients.

Q: How does one exploit the vulnerability?
A: This information will not be made available until after the patch is
made available.

Q: Is there a CVE record for this vulnerability?
A: Not yet. This information will be added when available.

If you have specific questions about this vulnerability or its handling,
contact the Zope Security Team, security-respo...@zope.org.

To report potentially security-related issues, please send a mail to the
Zope Security Team at security-respo...@zope.org. The security team is
always happy to credit individuals and companies who make responsible
disclosures.

Information for vulnerability database maintainers
==================================================

CVSS Base Score
7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:P/RL:O/RC:C)

Impact Subscore
6.4

Exploitability Subscore
10

CVSS Temporal Score
5.9

Credit
Alan Hoey


Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   "Excellence by Design"http://palladion.com



[Zope] Security Hotfix 20110622 released

2011-06-28 Thread Laurence Rowe
Last week, the Zope and Plone security teams announced the discovery
of a serious security issue affecting all recent versions of Zope and
Plone, as well as the planned release of a Hotfix to address this
issue to be made today, June 28th at 1500 UTC.

The Plone and Zope security teams are announcing that this security
hotfix is now available for download. For full instructions on how to
get and install the Hotfix, go here:
http://plone.org/products/plone-hotfix/releases/20110622

To find out more about the details of the issue, answers to common
questions and which versions of Zope and Plone are affected, please
see: http://plone.org/products/plone/security/advisories/20110622

Assistance in installing this hotfix is available free of charge via
IRC in #plone-tuneup. If you don't have in-house server administrators
or a service agreement supporting your website, you can find
consultancy companies under the providers section of Plone.org -
http://plone.org/support/network

On behalf of the Zope and Plone security teams,

Laurence


[Zope] Security announcement update

2011-06-28 Thread Laurence Rowe
This is an update on today's security hotfix release.

The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011
(11:00am US EDT.) Updated versions of Zope 2 containing the security
fix will be released at the same time.

For details on which versions of Zope and Plone are affected, please
see: http://plone.org/products/plone/security/advisories/20110622

For installation instructions, please see:
http://plone.org/products/plone-hotfix/releases/20110622

On behalf of the Zope and Plone security teams,

Laurence


[Zope] Security announcement

2011-06-22 Thread Laurence Rowe
On behalf of the Plone and Zope Security Teams I'd like to draw your
attention to a security announcement that has just been published.

This is a pre-announcement only; it does not contain any vulnerability
details. Your sites are as safe today as they were yesterday.  However,
as the problem that has been found is so serious we are giving you
advance warning that a patch is upcoming and recommending that you
plan a maintenance period for your sites to coincide with the full
announcement on Tuesday next week.

Full details are available at
http://plone.org/products/plone/security/advisories/pre-announcement-20110622

You can feel free to ask more questions on the plone-users mailing
list or in the #plone IRC channel about details and how to protect
yourself, but it is important to make a plan for this now.  It is
important to plan down-time at the time specified in that announcement
or your site will potentially be at risk - following the release of a
hotfix for the previous serious security vulnerability we received
reports of automated attacks on unpatched sites.


Laurence


Re: [Zope] Security for objects being called

2008-09-17 Thread Dieter Maurer
Thibaud Morel l'Horset wrote at 2008-9-15 19:44 -0400:
>  I'm trying to figure out how to prevent certain zope objects from being
>called directly but allow them to be called from another object.
>
>  Here is an example:
>  You have a ZPT page, let's originally call it 'test'
>  test calls a Script(Python) 'script'

Your options:

 * check in "script" that it was not called directly via the Web.
   You can do this by checking against "REQUEST['PUBLISHED']".

 * give your "script" a non-"None" "index_html" attribute
   Then, this "index_html" is called when accessed from the Web;
   otherwise, the "script"'s "__call__" is called.

 * give your "script" and its "__call__" method an empty docstring.



-- 
Dieter


Re: [Zope] Security for objects being called

2008-09-17 Thread Paul Winkler
On Tue, Sep 16, 2008 at 08:55:33AM -0400, Thibaud Morel l'Horset wrote:
> Thanks for the response Paul. I don't see a Proxy tab on Page Templates
> though, only DTML methods: do I need to install an additional product for
> that? or is it configured somewhere else for Templates?

Oops, right you are. Templates don't have proxy roles.

One obvious workaround: Add a dtml method that consists only of
.  Make this dtml method anonymously viewable, and give
it a proxy role of Authenticated.

Then make your real template, and the script it calls, both viewable
only by Authenticated.


-- 

Paul Winkler
http://www.slinkp.com


Re: [Zope] Security for objects being called

2008-09-16 Thread Thibaud Morel l'Horset
Thanks for the response Paul. I don't see a Proxy tab on Page Templates
though, only DTML methods: do I need to install an additional product for
that? or is it configured somewhere else for Templates?



Re: [Zope] Security for objects being called

2008-09-16 Thread Paul Winkler
On Mon, Sep 15, 2008 at 07:44:58PM -0400, Thibaud Morel l'Horset wrote:
> Hello all,
> 
>   I'm trying to figure out how to prevent certain zope objects from being
> called directly but allow them to be called from another object.
> 
>   Here is an example:
>   You have a ZPT page, let's originally call it 'test'
>   test calls a Script(Python) 'script'
> 
>   I want any anonymous user to be able to call 'test' from the web but not
> 'script'. However, I want 'test' to call 'script' and render the contents of
> 'script' to anonymous users through 'test'. I tested this out by making the
> 'script' View permission only available for Authenticated users, and as
> anonymous I can neither hit 'test' nor 'script'.
> 
>   Based on my understanding of the Zope security framework I don't think
> this is possible... hopefully someone can tell me I'm wrong though and show
> me how to do it :)

http://plope.com/Books/2_7Edition/Security.stx#2-62


-- 

Paul Winkler
http://www.slinkp.com


RE: [Zope] security assertion needed for dictionary?

2007-06-18 Thread Doyon, Jean-Francois
Forgetting plone (which I know nothing about), dictionaries definitely
do NOT need security assertions (like lists, strings, integers and all
basic types).

Are you SURE it's a dictionary?  Most likely it just LOOKS like one when
represented as a string.

Try:



To see exactly what it is ... It might be an instance of some object
that has a __str__ that makes it look like a dictionary?

J.F.



Re: [Zope] security assertion needed for dictionary?

2007-06-18 Thread tomvon


I have the exact same problem and have been unable to find a solution
anywhere. Were you ever able to resolve this? 


sfmcfar wrote:
> 
> I apologize for cross-posting from the plone newsgroup. but after posting
> this I realized that this was more of a Zope issue than a Plone one.  I
> wish I could cut-and-paste (development is on the other side of a
> firewall), so instead I'll be as clear as I can.  
> 
> Anyway, I have a Plone product that contains a method called
> getFeedSequence() that returns the result (a dictionary) from
> feedparser.parse() (Feedparser is the generic RSS/Atom parser).  
> 
> In my template, I can do:
> 
> 
>   
> 
> And see the string representation of the dictionary with no problem.  But
> if
> I try and access a member of the sequence:
> 
> 
>   
> 
> VerboseSecurity reports "The container has no security assertions.
> Access to None of {[the entire RSS dictionary goes here]} denied."
> 
> How can I have permission to access the entire sequence but not a
> portion of it?  it appears to me that the sequence is fairly
> straightforward - a few nested dictionaries, but that's it.  Does this
> make any sense?
> 
> 
> Thanks,
> 
> Stan 
> 

-- 



Re: [Zope] transfer zope security-properties

2007-06-08 Thread Dieter Maurer
Einar Næss Jensen wrote at 2007-6-4 19:53 +0200:
> ...
>How can I copy the associated securityinformation about a zclass
>instance into my new diskbased instance? Roles and permissions.

In a product, permissions are automatically created by
using them (to protect a method).

What roles do you have for ZClasses? I am not aware of ZClass-specific
roles.

Roles are implemented by "AccessControl.Role.RoleManager".
Look there what methods may help you to do what you want.



-- 
Dieter


[Zope] transfer zope security-properties

2007-06-04 Thread Einar Næss Jensen

I'm on the run for transferring my poorly designed zclasses into real
diskbased ones. I've gotten pretty far in only a couple of weeks
thanks to this mailing list and the irc channel on freenet. Thanks
everyone!

Today I have this question:
How can I copy the associated security information about a zclass
instance into my new diskbased instance? Roles and permissions. I am
using localRoles heavily with my zclasses, and would like this
information to be retained also.

Any pointers or hints of any kind are very welcome

Thanks!

Best regards
Einar Næss Jensen

--
--
Einar Næss Jensen
http://einarblog.homemade.no/einarblog
http://www.homemade.no
tlf: +47 90990249


Re: [Zope] Security class attribute

2006-01-26 Thread Peter Bengtsson
On 1/26/06, Brian Lloyd <[EMAIL PROTECTED]> wrote:
> The ClassSecurityInfo is a convenience to provide a
> halfway-sane spelling for a lot of ugliness under the
> hood in setting up security.
>
> InitializeClass (among other things) tells the CSI to
> apply itself to the class to set everything up, then it
> gets *removed* from the class.
>
> I can't tell for sure from your code, but I suspect that
> InitializeClass is being called on MyProduct *before* you
> are doing your class augmentation -- if you can defer the
> call until after you hack it, it should work.
>

No, I did the InitializeClass() *after* everything else.
So still no explanation for what's going on.

> If for some reason you can't defer the call to InitializeClass,
> it should be safe to create another ClassSecurityInfo and apply
> it manually, e.g.:
>
>   class MyProduct(...):
>   security=ClassSecurityInfo()
>
>   
>
>   setattr(MyProduct, 'FileManagement.html', MyProduct.FileManagement)
>   xtra = ClassSecurityInfo()
>   xtra.declareProtected('View', 'FileManagement.html')
>   xtra.apply(MyProduct)

That's sort of what I've done now. My code looks something like this::

 from AccessControl import ClassSecurityInfo
 from Globals import InitializeClass

 class MyProduct(...):
     security = ClassSecurityInfo()
     security.declareProtected('View', 'blabla')
     def blabla(self):
         pass

 setattr(MyProduct, 'blabla.html', MyProduct.blabla)
 security = ClassSecurityInfo()   # a second, module-level info for the alias
 security.declareProtected('View', 'blabla.html')
 security.apply(MyProduct)
 InitializeClass(MyProduct)

...and now everything seems to be happy.

Thanks for the advice.







--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com


RE: [Zope] Security class attribute

2006-01-26 Thread Brian Lloyd
The ClassSecurityInfo is a convenience to provide a 
halfway-sane spelling for a lot of ugliness under the 
hood in setting up security.

InitializeClass (among other things) tells the CSI to 
apply itself to the class to set everything up, then it 
gets *removed* from the class.

I can't tell for sure from your code, but I suspect that 
InitializeClass is being called on MyProduct *before* you 
are doing your class augmentation -- if you can defer the 
call until after you hack it, it should work.

If for some reason you can't defer the call to InitializeClass, 
it should be safe to create another ClassSecurityInfo and apply 
it manually, e.g.:

  class MyProduct(...):
      security=ClassSecurityInfo()

      

  setattr(MyProduct, 'FileManagement.html', MyProduct.FileManagement)
  xtra = ClassSecurityInfo()
  xtra.declareProtected('View', 'FileManagement.html')  # xtra is the info object itself
  xtra.apply(MyProduct)


HTH,

Brian Lloyd[EMAIL PROTECTED]
V.P. Engineering   540.361.1716  
Zope Corporation   http://www.zope.com 




[Zope] Security class attribute

2006-01-26 Thread Peter Bengtsson
Now in Zope 2.9 I get these warnings::

 2006-01-26 14:31:45 WARNING Init Class
Products.MyProduct.Homesite.FilesContainer has a security declaration
for nonexistent method 'FileManagement'

That's understandable because I've coded it like this::

 class MyProduct(...):
     security=ClassSecurityInfo()
     security.declareProtected('View', 'FileManagement.html')

 setattr(MyProduct, 'FileManagement.html', MyProduct.FileManagement)

In other words, I create methods after the class has been defined and
squeeze them in manually. Very convenient.
To avoid the WARNING message above I thought I could use
declareProtected() _after_ the class has been defined just as with
the additional method; but no luck :(
I tried this::

 class MyProduct(...):
     security=ClassSecurityInfo()

 setattr(MyProduct, 'FileManagement.html', MyProduct.FileManagement)
 MyProduct.security.declareProtected('View', 'FileManagement.html')

But I'm getting::

 AttributeError: type object 'MyProduct' has no attribute 'security'

Which I totally don't understand. To test my sanity I wrote this test
script which works fine::

 class _Z:
     def __init__(self):
         self.z = "Z"
     def declareProtected(self, *a,**k):
         print "++declare something+"
 def foo():
     print "I'm being called"
     return _Z()
 class A:
     security=foo()
     def __init__(self):
         pass
 A.security.declareProtected("foo")
 print dir(A)

Which works like you'd expect with the following output::

 I'm being called
 ++declare something+
 ['__doc__', '__init__', '__module__', 'security']

What's going on [differently] in Zope? What am I missing?





--
Peter Bengtsson,
work www.fry-it.com
home www.peterbe.com
hobby www.issuetrackerproduct.com


Re: [Zope] Security issue with manage_page_header

2006-01-24 Thread Martijn Pieters
On 1/24/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> My site, including the bug, is currently public and to be demoed in two
> days. Any assistance or guidance is greatly appreciated.

Switch on VerboseSecurity in etc/zope.conf; this will give you much
more info on what the security engine state is when denying access.

--
Martijn Pieters


[Zope] Security issue with manage_page_header

2006-01-23 Thread Stacy . Ladnier
I have patched the Navigation and Management so the drop-down containing
'Set Preferences' and 'Logout' is displayed in the menu frame. The 'Set
Preferences' displays a customized page to the user to set a unique set
of options for my application. My product consists of several additional
roles and relies heavily on a nested structure of folders and acl_users
for granting access. 

Previously, under 2.7 I set default security for every store, which is a
top level container, and the entire site consists of several stores. I
have now upgraded to 2.8, created each store as a separate mount point
so it has its own ZODB, and security is set at the root level. 

However, now if a 'Custodian' with an account nested inside of a store
chooses to go to 'Set Preferences' they receive an Unauthorized error.
Zope complains on the RESPONSE.setHeader() call contained in
manage_page_header. I have gone as far as to set __roles__=None on the
manage_page_header and preferences page in my Navigation patch. Only
those users with an account established at the root can gain access to
the preferences. Otherwise, they receive an error. If I allow Anonymous
all permissions in the Security Tab (BiG bad no no in my case) then
users below the root level can gain access to the preferences page. In
my understanding of Security, I thought declaring __roles__=None would
also allow users to access an object without needing to pass security.
What could I possibly be missing?


My site, including the bug, is currently public and to be demoed in two
days. Any assistance or guidance is greatly appreciated.


[Zope] Re: Zope Security

2006-01-12 Thread Tres Seaver
I wrote:

> I would rate Zope overall as a reasonably secure platform.  Because the
> bulk of it, including all the socket handling code, is written in
> If you look
> at the list of security alerts ("hotfixes", see
> 
> you will note that the *vast* majority of them have been relevant only
> for sites which allow less-than-fully-trusted users to write
> through-the-web code, a use case which most sites do not have.

and forgot to paste in the URL:

  http://www.zope.org/Products/Zope/

Sorry about that.


Tres.
- --
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"http://palladion.com



[Zope] Re: Zope Security

2006-01-12 Thread Tres Seaver
michael nt milne wrote:
> Hi
> 
> Just a quick query about Zope security etc. I've got an installation on a
> Windows server using Apache, which also hosts internal email/data etc. This
> is behind a router/firewall. Just wondering if there are any Zope security
> issues that I should be aware of? How secure is Zope?
> 
> Thanks
> 
> Michael
> 
> PS This is a re-send as it bounced the first time round.

I would rate Zope overall as a reasonably secure platform.  Because the
bulk of it, including all the socket handling code, is written in
Python, it does not suffer from buffer overflow problems.  If you look
at the list of security alerts ("hotfixes", see

you will note that the *vast* majority of them have been relevant only
for sites which allow less-than-fully-trusted users to write
through-the-web code, a use case which most sites do not have.

Zope's own security model is used to protect data within the ZODB from
improper access by site visitors.  It is possible to configure the model
for *very* fine-grained access control;  OTOH, safely using such
power requires mastering a good deal of complexity.  Other frameworks
build atop Zope (CMF, Plone, Silva, CPS) present reduced views of that
flexibility, tailored to well-understood patterns.

For machines which handle both Zope and other sensitive data:

 - Zope is a long-running process:  the user-as-whom-Zope-runs (UAWZR),
   should ideally be a dedicated account, with read access to the Zope
   instance directory ("INSTANCE_HOME"), Zope software directories, and
   necessary system libraries, and write access only to the directories
   where it writes its data and logfiles (the '$INSTANCE_HOME/var').

 - Zope's own security model trusts the filesystem code implicitly,
   which means that you *don't* want to give arbitrary access to the
   software directory or the instance home.  You should probably block
   even read access to the 'var' subdirectory, as the database files
   there might expose sensitive data to prying eyes.

Note that none of this advice is Windows-specific.  One bit which is:

  - When running a ZEO storage server, you need to protect the socket
    on which it listens from unauthorized access.  On a Unix box, you
    can make it a Unix-domain socket, which can be protected with
    appropriate filesystem permissions.  If using a TCP socket (required
    on Windows), you need to configure it to listen only on "trusted"
    interfaces, e.g., localhost, or an IP address which is in a
    carefully firewalled subnet.


Tres.
- --
===
Tres Seaver  +1 202-558-7113  [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"http://palladion.com
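The filesystem advice above can be checked mechanically. The following is an added example, not code from the thread or from Zope: it walks an INSTANCE_HOME on a POSIX filesystem and reports anything under var/ readable by group or others, and anything outside var/ writable by group or others (writable code or config is a code-execution path, since Zope trusts filesystem code implicitly). The instance layout built by demo() is constructed.

```python
"""Audit the permissions Tres recommends for a Zope instance home.

Added example, not part of the list thread or of Zope.  Assumes a POSIX
filesystem; the INSTANCE_HOME layout written by demo() is constructed.
"""
import os
import stat
import tempfile


def audit_instance_home(instance_home):
    """Return a sorted list of (relative_path, problem) findings.

    Under var/: the ZODB files and logs must not be readable by anyone but
    the user Zope runs as, since the ZODB security model never sees them.
    Outside var/: nothing may be writable by group or others, because
    Zope executes whatever Python it finds in Products/ and reads zope.conf.
    """
    findings = []
    var_dir = os.path.join(instance_home, "var")
    for root, dirs, files in os.walk(instance_home):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, instance_home)
            inside_var = path == var_dir or path.startswith(var_dir + os.sep)
            if inside_var and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "readable by group/others under var"))
            if not inside_var and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group/others outside var"))
    return sorted(findings)


def demo():
    """Build a constructed instance home with two mistakes and audit it."""
    home = tempfile.mkdtemp()
    for sub, mode in (("var", 0o700), ("Products", 0o755), ("etc", 0o755)):
        os.mkdir(os.path.join(home, sub))
        os.chmod(os.path.join(home, sub), mode)  # explicit, umask-independent
    spec = {
        "var/Data.fs": 0o644,           # mistake: database readable by others
        "etc/zope.conf": 0o644,         # fine: others may read, not write
        "Products/__init__.py": 0o666,  # mistake: anyone can plant code
    }
    for rel, mode in spec.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    return audit_instance_home(home)


if __name__ == "__main__":
    for rel, problem in demo():
        print("%s: %s" % (rel, problem))
```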



[Zope] Zope Security

2006-01-12 Thread michael nt milne
Hi

Just a quick query about Zope security etc. I've got an
installation on a Windows server using Apache, which also hosts
internal email/data etc. This is behind a router/firewall. Just
wondering if there are any Zope security issues that I should be aware
of? How secure is Zope?

Thanks

Michael

PS This is a re-send as it bounced the first time round.


Re: [Zope] Zope security and packing the database

2005-10-12 Thread Chris Withers

Cameron Beattie wrote:

> def main():
>    urllib._urlopener = MyUrlOpener()
>    url = "%s/Control_Panel/Database/manage_pack?days:float=%s" % \

*sigh* url whacking, bleugh!

> If I use the backup user then urllib can't get the url due to no 
> authentication so errors as follows:

What roles do you want to have the backup user to have?
What permissions are mapped to those roles?
What permissions are mapped to the Owner role?
Looking at the differences will tell you what's going on ;-)

> > PS: I wouldn't do zodb packing by whacking a url. There's a script 
> > that ships with Zope now that opens up a ZEO connection and does the 
> > pack that way, that's what I'd do...
> 
> I don't use ZEO - can I just do the scripted packing bit without all the 
> associated ZEO setup?

You should use ZEO! there's no sane reason not to...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] Zope security and packing the database

2005-10-11 Thread Cameron Beattie
> > I have created a script based on zope_pack from the Zope book which 
> > allows a username and password to be specified when it is called. I wish 
> > to create a user specifically for this purpose that only has the ability 
> > to pack the ZODB.
> 
> What permission is ZODB packing protected by?

I don't know. That's part of the problem. I can't see any permissions that 
allow or disallow this.

> > granted the backup role all available permissions. But the user can't 
> > login to http://mydomain.com/Control_Panel/Database/main/manage_workspace
> 
> I don't know what zope_pack looks like, can you show us?

vi zope_pack
#!/usr/bin/python
import sys, urllib

if len(sys.argv) != 5:
    print "usage: zope_pack host days user password"
    sys.exit(2)
# note: a password given on the command line is visible to other local
# users in the process list
host = sys.argv[1]
days = sys.argv[2]
user = sys.argv[3]
pwd  = sys.argv[4]

class MyUrlOpener(urllib.FancyURLopener):
    # urllib calls this when the server answers 401; hand it the
    # credentials from the command line instead of prompting
    def prompt_user_passwd(self, host, realm):
        return (user, pwd)
    def __init__(self, *args):
        self.version = "Zope Packer"
        urllib.FancyURLopener.__init__(self, *args)

def main():
    urllib._urlopener = MyUrlOpener()
    url = "%s/Control_Panel/Database/manage_pack?days:float=%s" % \
          (host, days)
    try:
        urllib.urlopen(url).read()
    except IOError:
        # without this exit the success message below was printed
        # even when the request had failed
        print "Cannot open URL %s, aborting" % url
        sys.exit(1)
    print "Successfully packed ZODB on host %s" % host

if __name__ == '__main__':
    main()


> What error message do you get?

If I use a user that has the Owner role it works correctly.

If I use the backup user then urllib can't get the url due to no 
authentication so errors as follows:

 File "/usr/lib/python2.4/urllib.py", line 180, in open
   return getattr(self, name)(url)
 File "/usr/lib/python2.4/urllib.py", line 305, in open_http
   return self.http_error(url, fp, errcode, errmsg, headers)
 File "/usr/lib/python2.4/urllib.py", line 318, in http_error
   result = method(url, fp, errcode, errmsg, headers)
 File "/usr/lib/python2.4/urllib.py", line 615, in http_error_401
   return getattr(self,name)(url, realm)
 File "/usr/lib/python2.4/urllib.py", line 628, in retry_http_basic_auth
   return self.open(newurl)

> Any tracebacks?

Nothing appears in the log.

> PS: I wouldn't do zodb packing by whacking a url. There's a script that 
> ships with Zope now that opens up a ZEO connection and does the pack 
> that way, that's what I'd do...

I don't use ZEO - can I just do the scripted packing bit without all the 
associated ZEO setup?


Regards

Cameron 




Re: [Zope] Zope security and packing the database

2005-10-11 Thread Chris Withers

Cameron Beattie wrote:
> I have created a script based on zope_pack from the Zope book which 
> allows a username and password to be specified when it is called. I wish 
> to create a user specifically for this purpose that only has the ability 
> to pack the ZODB.

What permission is ZODB packing protected by?

> granted the backup role all available permissions. But the user can't 
> login to 
> http://mydomain.com/Control_Panel/Database/main/manage_workspace 

I don't know what zope_pack looks like, can you show us?
What error message do you get?
Any tracebacks?

cheers,

Chris

PS: I wouldn't do zodb packing by whacking a url. There's a script that 
ships with Zope now that opens up a ZEO connection and does the pack 
that way, that's what I'd do...


--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



[Zope] Zope security and packing the database

2005-10-10 Thread Cameron Beattie
I have created a script based on zope_pack from the Zope book which allows a 
username and password to be specified when it is called. I wish to create a 
user specifically for this purpose that only has the ability to pack the 
ZODB.


I've created a custom role and a user that has this role. Then I went to 
http://mydomain.com/Control_Panel/Database/main/manage_access and granted 
the backup role all available permissions. But the user can't login to 
http://mydomain.com/Control_Panel/Database/main/manage_workspace in order to 
pack the database. Obviously I'm missing something very fundamental here. 
Could anyone point me in the right direction please?


Regards

Cameron 




Re: [Zope] security for ZPT-based Product

2005-07-28 Thread Milos Prudek

Right, checked an old (wrong) file in my product. Sorry for the mistake.


Yes, it works. Problems solved. Thank you Andreas and Jens.

--
Milos Prudek
http://www.spoxdesign.com - your web usability testing


Re: [Zope] security for ZPT-based Product

2005-07-11 Thread Andreas Pakulat
On 11.Jul 2005 - 17:49:16, Jens Vagelpohl wrote:
> 
> On 11 Jul 2005, at 17:41, Andreas Pakulat wrote:
> >add a security.declareProtected('comment_add_form', '<right granted to Authenticated users only>')
> >Where the second string would be one of the rights listed on the
> >security tab within the ZMI. If that right is granted to the
> >authenticated user only, you have your access restrictions.
> 
> It's the other way around. Permission first, then the method name.

Right, checked an old (wrong) file in my product. Sorry for the mistake.

Andreas

-- 
You are standing on my toes.


Re: [Zope] security for ZPT-based Product

2005-07-11 Thread Jens Vagelpohl


On 11 Jul 2005, at 17:41, Andreas Pakulat wrote:

> add a security.declareProtected('comment_add_form', '')
> 
> Where the second string would be one of the rights listed on the
> security tab within the ZMI. If that right is granted to the
> authenticated user only, you have your access restrictions.


It's the other way around. Permission first, then the method name.

jens



Re: [Zope] security for ZPT-based Product

2005-07-11 Thread Andreas Pakulat
On 11.Jul 2005 - 18:27:57, Milos Prudek wrote:
> 
> 
> How can I manage permissions for imported ZPT files?
> 
> Relevant lines from my Product:
> 
> from AccessControl import ClassSecurityInfo
> class MyClass():
>   security=ClassSecurityInfo()
>   comment_add_form=PageTemplateFile('zpt/comment_add_form',globals())
> 
> My goal is to limit access to comment_add_form to the Authenticated role 
> only. 
> comment_add_form is on the filesystem, in my Product's zpt directory.

add a security.declareProtected('comment_add_form', '')

Where the second string would be one of the rights listed on the
security tab within the ZMI. If that right is granted to the
authenticated user only, you have your access restrictions.

Andreas

-- 
Don't hate yourself in the morning -- sleep till noon.


[Zope] security for ZPT-based Product

2005-07-11 Thread Milos Prudek



How can I manage permissions for imported ZPT files?

Relevant lines from my Product:

from AccessControl import ClassSecurityInfo
class MyClass():
 security=ClassSecurityInfo()
 comment_add_form=PageTemplateFile('zpt/comment_add_form',globals())

My goal is to limit access to comment_add_form to the Authenticated role 
only. comment_add_form is on the filesystem, in my Product's zpt directory.


How can I achieve this? I understand zilch about ClassSecurityInfo...

(My Product is based on JMBoring template)

--
Milos Prudek
http://www.spoxdesign.com - your web usability testing


Re: [Zope] Security framework troubles

2005-05-07 Thread Dieter Maurer
Anders Bruun Olsen wrote at 2005-5-6 18:19 +0200:
> ...
>  security = ClassSecurityInfo()
>  security.setDefaultAccess("deny")
>  security.declareProtected("View Bookbase", "index_html")
> ...
>When the template tries to access container/title an access denied
>exception is raised. With VerboseSecurity I get this explanation:
>
>Unauthorized: The container has no security assertions. Access to
>'title' of (Bookbase at /bookbase) denied.
>
>What exactly am I missing here?

Up to Zope 2.8, you cannot protect access to objects
of simple type (such as the "title" attribute of type "string")
in an easy way.
Access to such attributes is dually protected:

   By the "Object Permission" (set via "security.declareObjectProtected")
   *and* the "setDefaultAccess".

"setDefaultAccess" can in fact take dictionaries and callables
as arguments. Read the Zope Developer Guide for the
types available for "__allow_access_to_unprotected_subobjects__"
and how they are interpreted.
"setDefaultAccess" just causes its argument to be assigned
to "__allow_acc...".

-- 
Dieter


Re: [Zope] Security framework troubles

2005-05-06 Thread Andreas Jung

--On Friday, 6 May 2005 18:19 +0200 Anders Bruun Olsen 
<[EMAIL PROTECTED]> wrote:

> It works if I do setDefaultAccess("allow"), but I don't want to allow
> access by default and then just deny for those I know I want to deny
> access to. I want it the other way around.

Why don't you write an accessor method getTitle() and add a security assertion 
to the method?

-ah




[Zope] Security framework troubles

2005-05-06 Thread Anders Bruun Olsen
Hi,

I am attempting to make a zope product (a custom book-database for use
by my employer) and of course want to secure it. I have added this code
to my class:

  security = ClassSecurityInfo()
  security.setDefaultAccess("deny")
  security.declareProtected("View Bookbase", "index_html")
  security.declareProtected("View Bookbase", "standard_page")
  security.declareProtected("View management screens", "manage_main")

And also of course InitializeClass(Bookbase)

When the template tries to access container/title an access denied
exception is raised. With VerboseSecurity I get this explanation:

Unauthorized: The container has no security assertions. Access to
'title' of (Bookbase at /bookbase) denied.

What exactly am I missing here?

It works if I do setDefaultAccess("allow"), but I don't want to allow
access by default and then just deny for those I know I want to deny
access to. I want it the other way around.

-- 
Anders


Re: [Zope] Security issues

2005-05-01 Thread cla
thanks for your help!
but is there any way to define
this permission on the folder that contains the
many page templates that I want to restrict the use of?

affecting the parent (folder) we affect also the children (documents)
instead of defining these rules for all page templates.


thanks a lot..

Quoting Andreas Jung <[EMAIL PROTECTED]>:

>
>
> --On Sunday, 1 May 2005 13:02 +0100 cla <[EMAIL PROTECTED]> wrote:
>
> > Hi!
> >
> > I'm developing a portal using Zope and I have had some
> > problems with the security of some template pages that
> > I have created. Those pages are accessible just by putting
> > the correct path in the url, even if they are only for
> > manager access. I have already tried the security tabs that
> > are associated with each document, but with no success.
> >
> > What can I do to resolve this big problem.
>
> You have to add security assertions to file based templates through .metadata
> files.
> If foo.pt is your template then create a file foo.pt.metadata containing:
>
> [security]
> View=0:Manager
>
> Means that the View permission is only granted to Managers and that the
> permission
> is not acquired (same as the corresponding flag in the ZMI).
>
> -aj
>







Re: [Zope] Security issues

2005-05-01 Thread Andreas Jung

--On Sunday, 1 May 2005 13:02 +0100 cla <[EMAIL PROTECTED]> wrote:
> Hi!
> I'm developing a portal using Zope and I have had some
> problems with the security of some template pages that
> I have created. Those pages are accessible just by putting
> the correct path in the url, even if they are only for
> manager access. I have already tried the security tabs that
> are associated with each document, but with no success.
> What can I do to resolve this big problem.

You have to add security assertions to file based templates through .metadata 
files.
If foo.pt is your template then create a file foo.pt.metadata containing:

[security]
View=0:Manager

Means that the View permission is only granted to Managers and that the 
permission is not acquired (same as the corresponding flag in the ZMI).

-aj
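The `.metadata` format in Andreas's reply (and the same advice quoted in cla's follow-up above) lends itself to an audit. The following is an added example, not code from the thread or from Zope/CMF: it parses the `[security]` section, where `View=0:Manager` means the View permission is not acquired (flag 0) and is granted only to Manager, and reports filesystem templates that are left open. The skin directory and template names built by demo() are constructed.

```python
"""Audit the .metadata security sections of filesystem page templates.

Added example, not code from the thread or from Zope/CMF.  Parses
`[security]` lines of the form `Permission=<acquire flag>:<role>,<role>`
as described in the reply; the skin directory written by demo() is constructed.
"""
import configparser
import os
import tempfile


def parse_security(metadata_text):
    """Return {permission: (acquired, [roles])} for a .metadata file's text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # permission names are case-sensitive ("View")
    cp.read_string(metadata_text)
    result = {}
    if not cp.has_section("security"):
        return result
    for perm, value in cp.items("security"):
        flag, _, roles = value.partition(":")
        names = [r.strip() for r in roles.split(",") if r.strip()]
        result[perm] = (flag.strip() == "1", names)
    return result


def audit_skin_dir(path):
    """Return (template, finding) pairs for every *.pt in path not locked down."""
    findings = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".pt"):
            continue
        meta = os.path.join(path, name + ".metadata")
        if not os.path.exists(meta):
            findings.append((name, "no .metadata file: View falls back to the folder's settings"))
            continue
        with open(meta) as fh:
            sec = parse_security(fh.read())
        if "View" not in sec:
            findings.append((name, "no View line: View falls back to the folder's settings"))
            continue
        acquired, roles = sec["View"]
        if acquired:
            findings.append((name, "View is acquired (flag 1)"))
        if "Anonymous" in roles:
            findings.append((name, "View granted to Anonymous"))
    return findings


def demo():
    """Write a constructed skin directory with one good and two bad templates."""
    skin = tempfile.mkdtemp()
    files = {
        "foo.pt": "<p>managers only</p>",
        "foo.pt.metadata": "[security]\nView=0:Manager\n",  # exactly as in the reply
        "bar.pt": "<p>no metadata at all</p>",
        "baz.pt": "<p>acquires View from its folder</p>",
        "baz.pt.metadata": "[security]\nView=1:Manager\n",
    }
    for name, text in files.items():
        with open(os.path.join(skin, name), "w") as fh:
            fh.write(text)
    return audit_skin_dir(skin)


if __name__ == "__main__":
    for template, finding in demo():
        print("%s: %s" % (template, finding))
```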


[Zope] Security issues

2005-05-01 Thread cla
Hi!

I'm developing a portal using Zope and I have had some
problems with the security of some template pages that
I have created. Those pages are accessible just by putting
the correct path in the url, even if they are only for
manager access. I have already tried the security tabs that
are associated with each document, but with no success.

What can I do to resolve this big problem.

thanks







Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Tim Hicks said:
> Andreas Jung said:
>
>>> Module RestrictedPython.Guards, line 96, in handler
>>>   TypeError: object does not support item or slice assignment
>>>
>>> Does anyone have any idea what the problem is?
>
> Digging further...
>
> I made the TypeError a little more revealing on line 96 of
> RestrictedPython/Guards.py so it now shows the 'secattr' (method) being
> accessed, and its args::
>
> def handler(self, *args):
>     try:
>         f = getattr(self.ob, secattr)
>     except AttributeError:
>         raise TypeError, '%s | %s | %s' % (error_msg, secattr,
>                                            str(args))
>
> The value of 'secattr' is apparently '__guarded_setitem__' in my case.
> So, it seems that the email.Message.Message class does not have a
> __guarded_setitem__ on it.  This is unsurprising.  I assume that it is
> supposed to get added during zope initialisation somewhere, right?  Can
> anybody point out where?

Well, I've fixed this with an awful hack.  My security assertions now look
like::

  from AccessControl import allow_module, allow_class
  from AccessControl import ModuleSecurityInfo

  def _secure_mapping(klass):
      """XXX Awful hack!!
      """
      klass.__guarded_getitem__ = klass.__getitem__
      klass.__guarded_setitem__ = klass.__setitem__
      klass.__guarded_delitem__ = klass.__delitem__

  ModuleSecurityInfo('email.Message').declarePublic('Message')
  from email.Message import Message
  _secure_mapping(Message)
  allow_class(Message)

That gets me to where I want (for now).  I'd still love the 'correct'
answer though.


Tim
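To see why the guard raised that TypeError and why the hack silences it, here is an added example that is not RestrictedPython's or Zope's code: a simplified model of the quoted handler, which dispatches a guarded item operation to a `__guarded_<op>__` attribute on the target and turns a missing one into the TypeError from the traceback. Python 3's `email.message.Message` stands in for the thread's Python 2 `email.Message.Message`; everything else is constructed for the demo.

```python
"""Model of the guarded item access that raised Tim's TypeError.

Added example, not RestrictedPython's or Zope's own code.  The guard
functions below mimic the quoted `handler` (getattr of a secattr, else
TypeError); the real guard machinery is more involved.
"""
from email.message import Message

ERROR_MSG = "object does not support item or slice assignment"


def guarded_op(ob, secattr, *args):
    """Dispatch to ob.<secattr>, or raise like the patched handler on line 96."""
    try:
        f = getattr(ob, secattr)
    except AttributeError:
        raise TypeError("%s | %s | %s" % (ERROR_MSG, secattr, args))
    return f(*args)


def guarded_setitem(ob, key, value):
    return guarded_op(ob, "__guarded_setitem__", key, value)


def guarded_getitem(ob, key):
    return guarded_op(ob, "__guarded_getitem__", key)


def secure_mapping(klass):
    """Tim's hack: declare every item read/write/delete on klass safe.

    Only do this for classes whose item operations touch plain data (here
    message headers); once aliased, restricted code may call them freely.
    """
    klass.__guarded_getitem__ = klass.__getitem__
    klass.__guarded_setitem__ = klass.__setitem__
    klass.__guarded_delitem__ = klass.__delitem__
    return klass


def set_header_guarded(msg, name, value):
    """Return True if the guarded write succeeded, False if the guard refused it."""
    try:
        guarded_setitem(msg, name, value)
    except TypeError:
        return False
    return True


def demo():
    """Show the refusal on the plain class and the fix on a hacked subclass."""
    before = set_header_guarded(Message(), "From", "sender@example.invalid")
    # A fresh subclass keeps the stdlib Message untouched, so demo() is repeatable.
    GuardedMessage = secure_mapping(type("GuardedMessage", (Message,), {}))
    m = GuardedMessage()
    after = set_header_guarded(m, "From", "sender@example.invalid")
    return before, after, guarded_getitem(m, "From")


if __name__ == "__main__":
    print(demo())
```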



Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Andreas Jung said:

>> Module RestrictedPython.Guards, line 96, in handler
>>   TypeError: object does not support item or slice assignment
>>
>> Does anyone have any idea what the problem is?

Digging further...

I made the TypeError a little more revealing on line 96 of
RestrictedPython/Guards.py so it now shows the 'secattr' (method) being
accessed, and its args::

def handler(self, *args):
    try:
        f = getattr(self.ob, secattr)
    except AttributeError:
        raise TypeError, '%s | %s | %s' % (error_msg, secattr,
                                           str(args))

The value of 'secattr' is apparently '__guarded_setitem__' in my case. 
So, it seems that the email.Message.Message class does not have a
__guarded_setitem__ on it.  This is unsurprising.  I assume that it is
supposed to get added during zope initialisation somewhere, right?  Can
anybody point out where?

Tim


Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Andreas Jung said:

>> Module RestrictedPython.Guards, line 96, in handler
>>   TypeError: object does not support item or slice assignment
>>
>> Does anyone have any idea what the problem is?
>
> Move your code into an external method which is less painful than dealing
> with module security issues. As an alternative: look at
> TrustedExecutables.

Thanks Andreas.

I suppose I could move the code to a product (which I would prefer over an
external method), but it seems a little heavy-weight for my requirements.

In fact, generally, I think I would like to be able to use
email.Message.Message instances in TTW code, so if anyone does know what's
going wrong here, I'd be most pleased to hear.

Tim

ps Is it me or is the traceback I'm seeing not particularly helpful?  I
mean, I know that these objects *do* support the dictionary interface!


Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Andreas Jung

--On Tuesday, 12 April 2005 16:18 +0100 Tim Hicks 
<[EMAIL PROTECTED]> wrote:

> Hi,
> I'm trying to import and use the email.Message.Message class in a zope
> 'Script (Python)'.
> I have the following security assertions in my product code::
>   from AccessControl import allow_module, allow_class
>   from AccessControl import ModuleSecurityInfo
>   ModuleSecurityInfo('email.Message').declarePublic('Message')
>   from email.Message import Message
>   allow_class(Message)
> As a result, I can successfully import like::
>   from email.Message import Message
> I can even create an instance and call most methods on it::
>   m = Message()
>   m.set_payload('read that')
> However, when I try to use the mapping interface, I get an error.  For
> example, the following::
>   m['from'] = '[EMAIL PROTECTED]'
> produces a traceback like::
>   Traceback (innermost last):
> Module ZPublisher.Publish, line 101, in publish
> Module ZPublisher.mapply, line 88, in mapply
> Module ZPublisher.Publish, line 39, in call_object
> Module Shared.DC.Scripts.Bindings, line 306, in __call__
> Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
> Module Products.PythonScripts.PythonScript, line 323, in _exec
> Module None, line 6, in AAA
>  - 
>  - Line 6
> Module RestrictedPython.Guards, line 96, in handler
>   TypeError: object does not support item or slice assignment
> Does anyone have any idea what the problem is?

Move your code into an external method which is less painful than dealing
with module security issues. As an alternative: look at TrustedExecutables.

-aj



[Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Hi,

I'm trying to import and use the email.Message.Message class in a zope
'Script (Python)'.

I have the following security assertions in my product code::

  from AccessControl import allow_module, allow_class
  from AccessControl import ModuleSecurityInfo

  ModuleSecurityInfo('email.Message').declarePublic('Message')
  from email.Message import Message
  allow_class(Message)

As a result, I can successfully import like::

  from email.Message import Message

I can even create an instance and call most methods on it::

  m = Message()
  m.set_payload('read that')

However, when I try to use the mapping interface, I get an error.  For
example, the following::

  m['from'] = '[EMAIL PROTECTED]'

produces a traceback like::

  Traceback (innermost last):
Module ZPublisher.Publish, line 101, in publish
Module ZPublisher.mapply, line 88, in mapply
Module ZPublisher.Publish, line 39, in call_object
Module Shared.DC.Scripts.Bindings, line 306, in __call__
Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
Module Products.PythonScripts.PythonScript, line 323, in _exec
Module None, line 6, in AAA
 - 
 - Line 6
Module RestrictedPython.Guards, line 96, in handler
  TypeError: object does not support item or slice assignment

Does anyone have any idea what the problem is?


Tim

ps Not subscribed here, so please do cc me with replies.


[Zope] (Security) Hotfix_20050405 Released (URL correction)

2005-04-05 Thread Tres Seaver
Overview

  Zope Corporation has released a Zope hotfix product addressing a
  potential vulnerability discovered during a recent security audit
  of Zope 2.7 and 2.8.

Affected Versions

  The hotfix affects versions 2.7.5 and earlier of Zope on the 2.7
  release line, as well as versions 2.8a1 and 2.8a2 on the upcoming 2.8
  release line.  The vulnerability will be resolved in versions 2.7.6
  and 2.8b1.  We recommend that any site which permits untrusted users
  to write PythonScripts apply this hotfix, and upgrade to a fixed
  version of Zope as it becomes available.

Further Information

  Please see the "product README",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/README.txt
  for details on the vulnerability, and for instructions on installing
  the hotfix.

Downloading the Hotfix

  - "Unix tarball",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/Hotfix_20050405.tar.gz

  - "Windows ZIP archive",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-20050405/Hotfix_20050405.zip


Apologies for the earlier typoed URLs.

Tres Seaver.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com


[Zope] (Security) Hotfix_20050405 Released

2005-04-05 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Overview

  Zope Corporation has released a Zope hotfix product addressing a
  potential vulnerability discovered during a recent security audit
  of Zope 2.7 and 2.8.

Affected Versions

  The hotfix affects versions 2.7.5 and earlier of Zope on the 2.7
  release line, as well as versions 2.8a1 and 2.8a2 on the upcoming 2.8
  release line.  The vulnerability will be resolved in versions 2.7.6
  and 2.8b1.  We recommend that any site which permits untrusted users
  to write PythonScripts apply this hotfix, and upgrade to a fixed
  version of Zope as it becomes available.

Further Information

  Please see the "product README",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/README.txt
  for details on the vulnerability, and for instructions on installing
  the hotfix.

Downloading the Hotfix

  - "Unix tarball",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/Hotfix_20050405.tar.gz

  - "Windows ZIP archive",
http://www.zope.org/Products/Zope/Hotfix-2005-04-05/Hotfix-200405/Hotfix_20050405.zip


Tres Seaver.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com


Re: [Zope] Q's about Zope security model tweaking

2001-01-25 Thread Chris Withers

J B Bell wrote:
> 
> I want to do authentication for a whole subset of the site (indeed, its
> entire public face really), but don't want a huge userfolder build from NIS.
> nisUserFolder doesn't seem like the right solution since I only want to use
> nis if they don't auth in the customary fashion.

Sounds like a job for LoginManager :-)

cheers,

Chris





[Zope] Q's about Zope security model tweaking

2001-01-24 Thread J B Bell

I'd like to make a 'fallback' authorization scheme for Zope.  That is:

If user does not exist in usual UserFolder, then
authenticate against custom module (NIS, in this case)
and give them Anonymous privileges.

I want to do authentication for a whole subset of the site (indeed, its
entire public face really), but don't want a huge userfolder build from NIS.
nisUserFolder doesn't seem like the right solution since I only want to use
nis if they don't auth in the customary fashion.

Can anyone give me some general pointers on this admittedly broad topic?

--JB

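A model of the scheme described above, as an added example that is not part of the post and not LoginManager or Zope code: `PRIMARY_USERS` stands in for the regular UserFolder, `NIS_USERS` and `nis_verify` for the NIS lookup (all three constructed), and `authenticate` applies the rule exactly as stated: a name that exists in the primary store is decided there and never falls through, a name unknown there may be verified by NIS but only ever receives Anonymous roles.

```python
# Added sketch, not code from the post or from Zope/LoginManager: a fallback
# authenticator with a primary user store and a NIS-like secondary source.
import hashlib
import hmac

ANONYMOUS_ROLES = ("Anonymous",)


def _digest(salt, password):
    """Salted SHA-256 hex digest; the hashing scheme is this example's choice."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed sample data standing in for the regular UserFolder.
PRIMARY_USERS = {
    "alice": {
        "salt": "s1",
        "hash": _digest("s1", "correct horse"),
        "roles": ("Manager",),
    },
}

# Constructed stand-in for the NIS map (a real one would query the NIS client).
NIS_USERS = {"bob": _digest("nis", "battery staple")}


def nis_verify(name, password):
    """Secondary check: True only if NIS knows the name and the password matches."""
    stored = NIS_USERS.get(name)
    if stored is None:
        return False
    return hmac.compare_digest(stored, _digest("nis", password))


def authenticate(name, password, fallback=nis_verify):
    """Return (name, roles) on success, None on failure.

    A name present in the primary store is decided by the primary store alone:
    a wrong password fails closed and is never retried against the fallback.
    A name absent from the primary store may be verified by the fallback, which
    can grant nothing beyond the Anonymous roles.
    """
    record = PRIMARY_USERS.get(name)
    if record is not None:
        if hmac.compare_digest(record["hash"], _digest(record["salt"], password)):
            return name, record["roles"]
        return None  # known user, bad credential: no fallback
    if fallback(name, password):
        return name, ANONYMOUS_ROLES
    return None


if __name__ == "__main__":
    print(authenticate("alice", "correct horse"))
    print(authenticate("bob", "battery staple"))
    print(authenticate("bob", "wrong"))
```

The two checks a practitioner wants are both in `authenticate`: the fallback is reached only when the primary store has no record for the name, so a weaker secondary credential can never substitute for a primary one, and the fallback path returns a fixed role tuple rather than anything derived from the secondary source.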




[Zope] Security error when inserting object from my own Python product in objectmanager

2001-01-18 Thread Max M

I have made a Python product and when I add it to a folder there is no
problem, but when I try to add it to a ZClass that subclasses an
objectManager I get a security error. Is there anything special I need to do
to add products to an objectManager ???

I get a password box, but if I just click cancel it inserts the object just
fine.

So it kind of works, but it looks somewhat sloppy to get a page full of
error messages when inserting an object. ;-)

regards Max M

Traceback (innermost last):
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 222, in
publish_module
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 187, in publish
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 171, in publish
  File C:\mxmZope\lib\python\ZPublisher\mapply.py, line 160, in mapply
(Object: index_html)
  File C:\mxmZope\lib\python\ZPublisher\Publish.py, line 112, in call_object
(Object: index_html)
  File C:\mxmZope\lib\python\OFS\DTMLMethod.py, line 172, in __call__
(Object: index_html)
  File C:\mxmZope\lib\python\DocumentTemplate\DT_String.py, line 528, in
__call__
(Object: index_html)
  File C:\mxmZope\lib\python\OFS\DTMLMethod.py, line 168, in __call__
(Object: twoCols)
  File C:\mxmZope\lib\python\DocumentTemplate\DT_String.py, line 528, in
__call__
(Object: twoCols)
  File C:\mxmZope\lib\python\DocumentTemplate\DT_Var.py, line 271, in render
(Object: right)
  File C:\mxmZope\lib\python\OFS\DTMLMethod.py, line 168, in __call__
(Object: right)
  File C:\mxmZope\lib\python\DocumentTemplate\DT_String.py, line 528, in
__call__
(Object: right)
  File C:\mxmZope\lib\python\OFS\DTMLMethod.py, line 194, in validate
(Object: index_html)
  File C:\mxmZope\lib\python\AccessControl\SecurityManager.py, line 139, in
validate
  File C:\mxmZope\lib\python\AccessControl\ZopeSecurityPolicy.py, line 159,
in validate
Unauthorized: title


Max M. W. Rasmussen,Denmark.   New Media Director
private: [EMAIL PROTECTED] work: [EMAIL PROTECTED]
-
Shipping software is an unnatural act






[Zope] ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Brian Lloyd

Hi all -

  

  Peter Kelly has brought another potential security issue to
  our attention that is important enough to make a Hotfix
  available for those who allow untrusted users to edit DTML
  on their sites.

  The issue involves incorrect protection of a data updating method
  on Image and File objects. Because the method was not correctly
  protected, it was possible for users with DTML editing privileges
  to update the raw data of a File or Image object via DTML though
  they did not have editing privileges on the objects themselves.

  We recommend that any Zope site running versions of Zope up to and
  including 2.2.4 have this hotfix product installed to mitigate the
  issue if the site is accessible by untrusted users who have DTML
  editing privileges.

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz

  The hotfix will work for all versions of Zope 2.1.x and higher. A
  Zope 2.2.5 release later this week will contain the fix for this
  issue (as well as all hot fixes to date) and you will be able to
  uninstall the hot fix after upgrading.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com








[Zope] Re: ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Gregor Hoffleit

On Mon, Dec 18, 2000 at 10:30:56AM -0500, Brian Lloyd wrote:
> > >   The hotfix will work for all versions of Zope 2.2.0 and higher. A
> > >   future version of Zope will contain the fix for this
> > >   issue, and you will be able to uninstall the hot fix after upgrading.
> >
> > This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
> > won't work, and that no fix exists. Is that correct, or is the fix simply
> > not tested with 2.1.6 ?
> >
> > Gregor
> 
> Sorry - 2.1.6 _is_ vulnerable, and the Hotfix will work for
> 2.1.6. I'll update that README.

Thanks!

Gregor






[Zope] Re: ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Brian Lloyd

> >   The hotfix will work for all versions of Zope 2.2.0 and higher. A
> >   future version of Zope will contain the fix for this
> >   issue, and you will be able to uninstall the hot fix after upgrading.
>
> This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
> won't work, and that no fix exists. Is that correct, or is the fix simply
> not tested with 2.1.6 ?
>
> Gregor

Sorry - 2.1.6 _is_ vulnerable, and the Hotfix will work for
2.1.6. I'll update that README.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com






[Zope] Re: [Zope-Annce] ANNOUNCE: Zope security alert and hotfix release

2000-12-18 Thread Gregor Hoffleit

On Fri, Dec 15, 2000 at 02:02:08PM -0500, Brian Lloyd wrote:
>   A security issue has recently come to our attention (thanks to
>   Erik Enge for identifying this) that affects Zope versions up to
>   and including Zope 2.2.4.

...

>   The hotfix will work for all versions of Zope 2.2.0 and higher. A
>   future version of Zope will contain the fix for this
>   issue, and you will be able to uninstall the hot fix after upgrading.

This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
won't work, and that no fix exists. Is that correct, or is the fix simply
not tested with 2.1.6 ?

Gregor






[Zope] ANNOUNCE: Zope security alert and hotfix release

2000-12-15 Thread Brian Lloyd

Hi all -

  A security issue has recently come to our attention (thanks to
  Erik Enge for identifying this) that affects Zope versions up to
  and including Zope 2.2.4.

  The issue involves the computation of local roles.  In some situations
  the computation was not climbing the correct hierarchy of folders,
  sometimes granting local roles inappropriately.  This could allow
  users with privileges in one folder to gain the same privileges in
  another folder.

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.2.4  have this hotfix product installed
  to mitigate the issue.

  - http://www.zope.org/Products/Zope/Hotfix_2000-12-15/README.txt

  -
http://www.zope.org/Products/Zope/Hotfix_2000-12-15/Hotfix_2000-12-15.tgz

  The hotfix will work for all versions of Zope 2.2.0 and higher. A
  future version of Zope will contain the fix for this
  issue, and you will be able to uninstall the hot fix after upgrading.

  Note that we will be making a Zope 2.2.5 release early next week
  that includes the fix for this issue as well as the issue addressed
  by the recent 12/08 hotfix.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com








Re: [Zope] SECURITY alert and hotfix release

2000-12-09 Thread Andrew Kuchling

On Fri, Dec 08, 2000 at 05:40:13PM -0500, Shane Hathaway wrote:
> AFAICT 2.1.6 is not vulnerable.

Verifying this on our server, this turns out to be quite correct; Zope
2.1.6 does not demonstrate the problem repaired by the hotfix.

--amk





[Zope] SECURITY alert and hotfix release

2000-12-08 Thread Brian Lloyd

Hi all,

  Aleksander Salwa has brought a security issue to our attention
  that affects all Zope versions up to and including Zope 2.2.4.
  We have released a Hotfix product to address the issue that can
  be downloaded from zope.org. (Thanks to Aleksander for finding
  this and to Shane Hathaway for his quick response in resolving
  it!)

  The issue involves security registration of "legacy" names for
  certain object constructors such as the constructors for DTML
  Method objects. Security was not being applied correctly for the
  legacy names, making it possible to call those constructors without
  the permissions that should have been required. This issue could allow
  anonymous users with enough internal knowledge of Zope to instantiate
  new DTML Method instances through the Web.

  The hotfix for this issue is available on the zope.org web site:

o
http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.2.4  have this hotfix product installed
  to mitigate the issue.

  The hotfix will work for all versions of Zope 2.2.0 and higher. A
  future version of Zope will contain the fix for this
  issue, and you will be able to uninstall the hot fix after upgrading.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com








Re: [Zope] security - am I going crazy ?

2000-12-08 Thread Aleksander Salwa

On Fri, 8 Dec 2000, Shane Hathaway wrote:

> You're right.  It's because of a "legacy" issue.  Here's a quick patch
> that plugs the hole:
> 
[...]
> 
> This is not perfect, however.  I'm working on a better solution.

Thanks a lot !
It works for me.

[EMAIL PROTECTED]

/--\
| `long long long' is too long for GCC |
\--/







Re: [Zope] security - am I going crazy ?

2000-12-08 Thread Shane Hathaway

Aleksander Salwa wrote:
> Few days ago I found that on site that I'm currently working on,
> everybody can add DTMLMethods and Documents (and maybe do more, I haven't
> checked yet, but I think it's bad enough !) by simply entering URL
> http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

You're right.  It's because of a "legacy" issue.  Here's a quick patch
that plugs the hole:

Index: ProductContext.py
===
RCS file: /cvs-repository/Zope2/lib/python/App/ProductContext.py,v
retrieving revision 1.27
diff -u -r1.27 ProductContext.py
--- ProductContext.py   2000/11/20 15:36:35 1.27
+++ ProductContext.py   2000/12/08 18:46:38
@@ -195,7 +195,7 @@
 else: name=method.__name__
 if not OM.__dict__.has_key(name):
 setattr(OM, name, method)
-setattr(OM, name+'__roles__', pr)
+setattr(OM, method.__name__+'__roles__', pr)
 
 if type(initial) is tt: name, initial = initial
 else: name=initial.__name__  
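Review bot: the existence check and the roles write now use different keys, and the hunk leaves that unexplained. `if not OM.__dict__.has_key(name):` guards `setattr(OM, name, method)`, while the changed line writes `setattr(OM, method.__name__+'__roles__', pr)`. For the tuple form handled at the top of the hunk, `name` and `method.__name__` differ, so if the same function is registered under two legacy aliases with different `pr` values the later registration silently overwrites the roles set by the earlier one, and the alias name itself no longer carries any `__roles__` attribute. Suggest a comment stating why the roles must be keyed by `method.__name__`, plus a check that an existing `method.__name__+'__roles__'` is not replaced with a different `pr`.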

This is not perfect, however.  I'm working on a better solution.

Shane





[Zope] security - am I going crazy ?

2000-12-08 Thread Aleksander Salwa


A few days ago I found that on the site that I'm currently working on,
everybody can add DTMLMethods and Documents (and maybe do more, I haven't
checked yet, but I think it's bad enough !) by simply entering the URL
http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

After that Zope sends 'Location' header to redirect user to 'manage_main'.
That (manage_main) causes 'Unauthorized' exception.
But that object 'q1' was added !!!

I was thinking that it's a bug in Product. (I use LoginManager, LocalFS,
SiteAccess). I decided to upgrade my Zope from 2.2.1 to 2.2.4 and upgrade
all Products (one good thing so far ;)). No success.
So I did a fresh install of Zope 2.2.4, without additional Products, with
a brand new Data.fs. Problem persists !
I have default security settings, so Anonymous can't "Add Documents,
Images, and Files".

Of course user can put any DTML in this object - you know the
consequences... (and if the folder where this object is located is owned
by high-privileged user, then this object is owned by that user too
(through acquisition)).
I just checked: I can't add Folders this way.

What's going on ?!? Have I found very big security hole, or just
I'm going crazy ? :(

P.S.
Just take a look at object with id "haveIFoundABug" in root level
of www.zope.org that I created few seconds ago...

[EMAIL PROTECTED]

/--\
| `long long long' is too long for GCC |
\--/






Re: [Zope] Security problem?

2000-12-07 Thread Chris Withers

Might be a security problem...

Are you allowed to access that header from inside your index_html?

cheers,

Chris

Andreas Jung wrote:
> 
> Inside a product my index_html is set to
> 
>"index_html=HTMLFile('index_html',globals())"
> 
> The index_html.dtml calls standard_html_header. This DTML method is
> available in the top-level hierarchy. However when I call index_html Zope
> complains with a KeyError/standard_html_header.  When I remove the
> standard_html_header call everything works fine.
> 
> Any idea why aquisition won't work in this case ?
> 
> Andreas
> 




Re: [Zope] security

2000-11-29 Thread Dieter Maurer

seb bacon writes:
 > * Dieter Maurer <[EMAIL PROTECTED]> [001128 00:12]:
 > > Bowyer, Alex writes:
 > >  > All I need to do is to make certain ZClass methods have a certain level of
 > >  > security and the other methods of the class have no security.
 > 
 > > It is quite good explain in the upcoming Zope book.
 > 
 > In fact, I think Alex was referring to ZClass security, which isn't
 > covered in the book...
I think I saw a good description of ZClass security in the Zope book:
in the chapter about ZClasses.


Dieter





Re: [Zope] security

2000-11-29 Thread Robin Becker

In article <[EMAIL PROTECTED]>, seb bacon
<[EMAIL PROTECTED]> writes
>* Dieter Maurer <[EMAIL PROTECTED]> [001128 00:12]:
>> Bowyer, Alex writes:
>>  > Can some one explain how the Define Permissions screen works. I really 
>don't
>>  > understand the concept behind it, what does it mean for a permission 
>setting
>>  > to own a permission?
>>  > 
>>  > All I need to do is to make certain ZClass methods have a certain level of
>>  > security and the other methods of the class have no security.
>
>> It is quite good explain in the upcoming Zope book.
>
>In fact, I think Alex was referring to ZClass security, which isn't
>covered in the book, and is something I've never go to the bottom of either.
>on the 'define permissions' tab, it says:
>
>   The table below has two columns. The first column lists the 
>   permissions for this object. The second column specifies the
>   permissions that should have this permission in this product 
>   or ZClass. 
>
>I'm probably being intellectually lazy or something, but that doesn't
>make any sense to me at all.
...
I also find this a bit unobvious. I guess it must be a mapping from
permissions --> permissions, but I can't see what it's supposed to mean
or accomplish.

Proxies I can almost cope with, ie this is a trusted method make it
behave as though it were ZopeGod I can understand.
-- 
Robin Becker





Re: [Zope] security

2000-11-29 Thread seb bacon

* Dieter Maurer <[EMAIL PROTECTED]> [001128 00:12]:
> Bowyer, Alex writes:
>  > Can some one explain how the Define Permissions screen works. I really don't
>  > understand the concept behind it, what does it mean for a permission setting
>  > to own a permission?
>  > 
>  > All I need to do is to make certain ZClass methods have a certain level of
>  > security and the other methods of the class have no security.

> It is quite good explain in the upcoming Zope book.

In fact, I think Alex was referring to ZClass security, which isn't
covered in the book, and is something I've never got to the bottom of either.
On the 'define permissions' tab, it says:

   The table below has two columns. The first column lists the 
   permissions for this object. The second column specifies the
   permissions that should have this permission in this product 
   or ZClass. 

I'm probably being intellectually lazy or something, but that doesn't
make any sense to me at all.

seb.





Re: [Zope] security

2000-11-27 Thread Dieter Maurer

Bowyer, Alex writes:
 > Can some one explain how the Define Permissions screen works. I really don't
 > understand the concept behind it, what does it mean for a permission setting
 > to own a permission?
 > 
 > All I need to do is to make certain ZClass methods have a certain level of
 > security and the other methods of the class have no security.
It is quite well explained in the upcoming Zope book.


Dieter





[Zope] security

2000-11-26 Thread Bowyer, Alex

Can some one explain how the Define Permissions screen works. I really don't
understand the concept behind it, what does it mean for a permission setting
to own a permission?

All I need to do is to make certain ZClass methods have a certain level of
security and the other methods of the class have no security.

Any tips, advice or best of all EXAMPLES most appreciated!

Thanks

Alex

==
Alex Bowyer
IT Contractor, Logica Australasia
Tel: +61 2 9202 8130
Fax: +61 2 9922 7466
E-mail : [EMAIL PROTECTED]
WWW: http://www.logica.com.au/
==





Re: [Zope] security problems .. should be fairly easy...

2000-11-21 Thread Dieter Maurer

Bowyer, Alex writes:
 > 
 > I can't find any examples in any of the Zope documentation
 > about how to manage permissions for class methods. Does anyone know where I
 > could find such documentation or examples if there are any?
Did you look at the upcoming Zope book?


Dieter





[Zope] security problems .. should be fairly easy...

2000-11-20 Thread Bowyer, Alex

I know I am posting quite a lot of questions to the list lately, sorry about
that, it's just that I can save myself hours of trial-and-error coding when
I get quick answers from list, so I hope you don't mind. It seems to be the
fastest way to learn.

I have a news page ZClass and a news article ZClass, both of which have
several DTML methods. All methods apart from index_html should require a
particular user role, "UAAdmin", to be held by the current user (these
methods are all for editing and managing the news page and articles). The
index_html methods (which display the news article) should be available for
anonymous access.

I have been stuck with this for over a week now, I have tried all sorts of
combinations of permissions, defined permissions and user roles, but I can't
figure it out and I can't find any examples in any of the Zope documentation
about how to manage permissions for class methods. Does anyone know where I
could find such documentation or examples if there are any?

The whole thing's very confusing, but here's what I've worked out so far.
Maybe someone could put me right and/or fill in the gaps?
I think what I need to do is go to the Define Permissions tab for each method,
and for the View permission dropdown I should select View for the index_html
method, and some other permission X for every other method. This other
permission X should only be granted to the UAAdmin role. The question is,
what is X to put in the dropdown, and how to assign it to UAAdmin. How would
I go about creating a new permission, perhaps "Manage news pages", and how
could I then assign that to UAAdmin? Would it then appear in the drop-down?
Is this the right approach? How would I finish this off? Am I barking up the
wrong tree? 

Any suggestions or advice would be most welcome.

Thanks for your patience with newbies like me!!

Alex

==
Alex Bowyer
IT Contractor, Logica Australasia
Tel: +61 2 9202 8130
Fax: +61 2 9922 7466
E-mail : [EMAIL PROTECTED]
WWW: http://www.logica.com.au/
==





Re: [Zope] security problems

2000-11-17 Thread Aleksander Salwa

On Fri, 17 Nov 2000, Bowyer, Alex wrote:
> I have one method index_html which should be viewable by anonymous.
> All other methods should only be viewable when a username/password is
> entered for someone with the role I have called UAAdmin
[...]
> I can only seem to get full access to all pages (if I grant a proxy on
> index_html) or password access required on all items (by specifying
> permissions for the class instance) neither of which are the correct
> solution.

You can define different security settings for every method in your ZClass
using 'Define Permissions' management tab. These permissions are unique
for every method. There you can define, which permission is needed to view
your method.

[EMAIL PROTECTED]

/--\
| `long long long' is too long for GCC |
\--/






[Zope] security problems

2000-11-16 Thread Bowyer, Alex

I am having some problems with getting the right security settings for my
ZClass.
I have one method index_html which should be viewable by anonymous.
All other methods should only be viewable when a username/password is
entered for someone with the role I have called UAAdmin
One thing that is causing complications is that the index_html makes use of
a few dtml-vars, an external Python method, and one view method also called
index_html from another class. It may be I need to change these items'
permissions as well.

I can only seem to get full access to all pages (if I grant a proxy on
index_html) or password access required on all items (by specifying
permissions for the class instance) neither of which are the correct
solution.

Could someone tell me the right combination of permissions, define
permissions and roles I need to get this working.. it's all getting a bit
confusing.

Thanks

Alex

==
Alex Bowyer
IT Contractor, Logica Australasia
Tel: +61 2 9202 8130
Fax: +61 2 9922 7466
E-mail : [EMAIL PROTECTED]
WWW: http://www.logica.com.au/
==





Re: [Zope] security dilemma?

2000-11-09 Thread Jason C. Leach


hi,

do you have these two:
http://www.zope.org/Members/michel/ZB/
http://zdp.zope.org/projects/zqr

j.
..
. Jason C. Leach
... University College of the Cariboo.
.. 







Re: [Zope] Security and Acquisition

2000-11-09 Thread Charlie Wilkinson

> [Charlie Wilkinson]
> 
> | Greetings,
> 
> Hola!
> 
> | Now, referring to figure 1 (above :-), changes to security settings
> | for the acl_test folder are having no effect on access to index_html.
> | Only when I change the security settings on index_html itself, can I
> | control access to it.
> 
> Can it have something to do with acquirement of permission settings?
> (The leftmost column on the security tab).

Hi Morten,
Yes.  It's acting as if those little boxes were not checked! :)  As I was
replying to Jeff in a prior message, the mystery goes deeper.  I grabbed a
fresh copy of the latest CVS version, built it, set a superuser password
and ran it.  I then tried to visit the default index_html "Welcome to
Zope" page and was presented with a BASICAUTH type login box.  If I
explicitly set anonymous View permissions for the index_html (Welcome
to Zope) page, then I get in with no login as expected.  That isn't
normal is it?  Root folder objects would appear to be having the same
security setting acquisition problems as I was finding previously with
sub-folders and LoginManager.

I realize I'm on the bleeding edge of Zope running the CVS version,
but I heard the 2.2.3 version is due out RSN and figured maybe a little
"new version" pain now would be easier than upgrade pain later.  I'd sure
rather be saying "Here's a patch" than just "It's broke", but alas I
don't grok Python that well yet.  ("It's broke" still offers *some*
value, right?  :-)

To the Zope developers:  It seems pretty clear that Zope v2.2.cvs is
broken in regards to security settings acquisition.  Should I post to
zope-dev, or is there already a sufficient awareness/understanding of
the problem?

Thanks,
Charlie

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! 
   Join!! 
~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
-- Ralph Nader on David Letterman (9/28/00)





Re: [Zope] Security and Acquisition Problem

2000-11-09 Thread Charlie Wilkinson

On Thu, Nov 09, 2000 at 12:03:27PM -0500, Jeff Hoffman waxed eloquent:
> On Thu, 9 Nov 2000, Charlie Wilkinson wrote:
[snip...]
> > So what this boils down to is that as of v2.2.whatever, an acl_users
> > folder apparently does not protect the folder it's in (parent folder),
> > but only it's sibling objects and below.  Meaning that instead of setting
> > permissions on the parent object and being done with it, one now has to
> > set permissions for each sibling.  In my case that's 50 or more objects
> > and I'm not done coding yet.  Ouch!  This *can't* be right, can it?
> > I know there's a lot that's happened with the security model, so I'm
> > really *really* hoping this is just a bug that's crept in.
> 
> This is the way Zope has always behaved, unless my memory is failing me.
> Here's a thought to consider: In your model, the root acl_users would have
> to appear _above_ the root folder (/) in the hierarchy for things to
> function correctly. As it stands, acl_users in the root folder affects all
> things in the root folder and below. As it stands, your acl_users (in
> acl_test) affects all things in your acl_test folder and below. This is
> consistent.

Thanks for your response Jeff.  It seems we are in agreement.  The scope
of an acl_users folder needs to include its siblings and parent folder.
The only logical alternative I can think of is if the functionality
of acl_users, LoginManager, or whatever, was provided by some modular
component of the parent folder itself, instead of being represented as
just another object _in_ that folder.

Anyway, I did a sanity check against v2.1.2 using these exact steps:

1. Create an access_test folder with user folder and user interface.
2. Navigate to security tab of access_test.
3. Create new role "User", and allow "User" to View Objects and Access
   Contents Info.  Bar access by "Anonymous" by turning off "Acquire
   Permission Settings" for View Objects and Access Contents Info.
4. Create user "joe", password "blow", with role "User".
5. Bring up new browser window, enter the URL for access_test.

In that scenario, joe can view anything within the acl_test folder,
while anonymous users cannot, due to the objects within that folder
acquiring their security settings from the acl_test folder itself.
*That's* what I want!  It's *not* what 2.2.cvs is doing.

In fact it's even worse than previously described.  After pulling down
a completely new CVS image of Zope, I just happened to try visiting
the root URL of the new site.  Result?  I was prompted for a password
to visit the root (Welcome to Zope) page of a pristine, new Zope site.
I think this must somehow all fit together.  Unless there is something
critical about the new security model that I have missed, it looks like
there's a bug here.

> If you have 50 or so objects, and setting permissions is the obstacle,
> simply write a Python Method (or DTML, if you prefer) to iterate over the
> 50 and tweak them. Then, you won't have to manually do the work through
> the management interface.

As I think you indicated above, the type of security/acquisition model
that seems to be in place for 2.2.cvs poses far more serious problems
(i.e., needing acl_users *above* the root folder) than just setting
permissions on a bunch of modules.

Thanks again Jeff.

-cw-

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! 
   Join!! 
~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
-- Ralph Nader on David Letterman (9/28/00)





[Zope] security dilemma?

2000-11-09 Thread Zhen Zhou

please bear with my ignorance, because this is the first couple of days
I have ever tried Zope. It is super cool, but I should say that the
documentation is far from satisfactory.
Here is my problem:
The only API I can find to alter the properties of some object is
"manage_changeProperties". However, in order to execute this method in
my script, I have to give the "Manage properties" permission to
everyone, which may lead to severe security problems because the
method "manage_changeProperties" is web accessible, so a malicious
user can bypass my script and execute this method to change the
properties to whatever he wants.
My questions are:
1, is there any API that can change properties of some object but can
not be accessed from the web?
2, is there any way to store a small piece of persistent data beside
using properties?

Thanx.
Derek







Re: [Zope] Security and Acquisition

2000-11-09 Thread Morten W. Petersen

[Charlie Wilkinson]

| Greetings,

Hola!

| Now, referring to figure 1 (above :-), changes to security settings
| for the acl_test folder are having no effect on access to index_html.
| Only when I change the security settings on index_html itself, can I
| control access to it.

Can it have something to do with acquirement of permission settings?
(The leftmost column on the security tab).

HTH.

-Morten





Re: [Zope] Security and Acquisition Problem

2000-11-09 Thread Jeff Hoffman

On Thu, 9 Nov 2000, Charlie Wilkinson wrote:

> / (Root Folder)
>   / acl_test (ACL Test Folder)
>   acl_users (User Folder)
>   index_html (Test Document)
> 
> Now, referring to figure 1, changes to security settings for the acl_test
> folder are having no effect on access to index_html.  Only when I change
> the security settings on index_html itself, can I control access to it.
> 
> So what this boils down to is that as of v2.2.whatever, an acl_users
> folder apparently does not protect the folder it's in (parent folder),
> but only it's sibling objects and below.  Meaning that instead of setting
> permissions on the parent object and being done with it, one now has to
> set permissions for each sibling.  In my case that's 50 or more objects
> and I'm not done coding yet.  Ouch!  This *can't* be right, can it?
> I know there's a lot that's happened with the security model, so I'm
> really *really* hoping this is just a bug that's crept in.

This is the way Zope has always behaved, unless my memory is failing me.
Here's a thought to consider: In your model, the root acl_users would have
to appear _above_ the root folder (/) in the hierarchy for things to
function correctly. As it stands, acl_users in the root folder affects all
things in the root folder and below. As it stands, your acl_users (in
acl_test) affects all things in your acl_test folder and below. This is
consistent.

If you have 50 or so objects, and setting permissions is the obstacle,
simply write a Python Method (or DTML, if you prefer) to iterate over the
50 and tweak them. Then, you won't have to manually do the work through
the management interface.

> Thanks for any clues,

Hope this helps,

>   Charlie

--Jeff

---
Jeff K. Hoffman   704.849.0731 x108
Chief Technology Officer  mailto:[EMAIL PROTECTED]
Going Virtual, L.L.C. http://www.goingv.com/






[Zope] Security and Acquisition

2000-11-09 Thread Charlie Wilkinson

Greetings,
I know this a very busy list, but I'm hoping someone can take a moment to
address this.  I had posted about this on Zope-dev because I'm running the
CVS version, but no response.  Also more research has yielded more info.
I first discovered this issue with LoginManager, but the same problem
occurs with standard acl_users too.

First, 'Figure 1:'

/ (Root Folder)
  / acl_test (ACL Test Folder)
      acl_users (User Folder)
      index_html (Test Document)

Now, referring to figure 1 (above :-), changes to security settings
for the acl_test folder are having no effect on access to index_html.
Only when I change the security settings on index_html itself, can I
control access to it.

So what this seemingly boils down to is that as of v2.2.whatever,
an acl_users folder does not protect its siblings and their kids by
acquisition of security settings from the parent folder.  Instead,
sibling objects must have their security explicitly set.  Meaning that
instead of setting permissions on the parent object and being done
with it, one now has to set permissions for each and every sibling.
In my case that's over 50 objects and I'm not done coding yet.  Ouch!
This *can't* be right, can it?

Thanks for any clues,
Charlie

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! 
   Join!! 
~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
-- Ralph Nader on David Letterman (9/28/00)





[Zope] Security and Acquisition Problem

2000-11-09 Thread Charlie Wilkinson

Greetings,
I had posted about this on Zope-dev because I'm running the CVS version,
but no response there.  Also more research has yielded more info.
I first discovered this issue with LoginManager, but the same problem
occurs with standard acl_users too.

First, 'Figure 1:'

/ (Root Folder)
  / acl_test (ACL Test Folder)
      acl_users (User Folder)
      index_html (Test Document)

Now, referring to figure 1, changes to security settings for the acl_test
folder are having no effect on access to index_html.  Only when I change
the security settings on index_html itself, can I control access to it.

So what this boils down to is that as of v2.2.whatever, an acl_users
folder apparently does not protect the folder it's in (parent folder),
but only it's sibling objects and below.  Meaning that instead of setting
permissions on the parent object and being done with it, one now has to
set permissions for each sibling.  In my case that's 50 or more objects
and I'm not done coding yet.  Ouch!  This *can't* be right, can it?
I know there's a lot that's happened with the security model, so I'm
really *really* hoping this is just a bug that's crept in.

Thanks for any clues,
Charlie

-- 
~
Charlie Wilkinson - [EMAIL PROTECTED] - N3HAZ
Parental Unit, UNIX Admin, Homebrewer, Cat Lover, Spam Fighter, HAM, SWLer...
Visit the Radio For Peace International Website: http://www.rfpi.org/
~
CLOBBER INTERNET SPAM:  See!! 
   Join!! 
~
QOTD:
"Bush is a big corporation disguised as a human being running for president."
-- Ralph Nader on David Letterman (9/28/00)





Re: [Zope] security quickie

2000-10-16 Thread Manuel Amador (Rudd-O)


I too have a doubt about security stuff.
It so happens that I have this setup:

rootfolder
+ myfolderobjects
  + inheritedstuff

I have a user X in the root folder.  Roles are set so that anonymous doesn't
have permission for anything.   Then there is a User role that
is allowed some stuff, and I assign the local role User to X in inheritedstuff.
He now can see index_html.  I proxy-role index_html to the User role
so I can  that is in myfolderobjects, somestuff
being a DTML method.
It works.  X can access index_html, which in turn includes somestuff
from its parent folder, and I did not have to give him explicit rights
to any of the objects in myfolderobjects.

BUT, if I try to , it won't work.  Note
that the User role does have permission to run SQL methods.
That is, in my point of view, a mistake in Zope's security policy.
If I proxy-role a document or method, I should be able to acquire anything
specified in it from its parent hierarchy.
Please help or tip.  Thanks =)
 
Seb Bacon wrote:
Does Zope security provide a way of restricting what
objects are listed to
an authenticated user inside the Zope 'manage' interface?  I'm
getting my
head all twisted up over this security / proxy roles /local roles lark.
Thanks, seb

-- 
Manuel Amador (Rudd-O)
 


Re: [Zope] Non-existing Zope-Security!!!

2000-10-13 Thread knight

Also, consider adding an accessrule. This won't stop them from using
__no_before_traverse__ or _SUPPRESS_ACCESSRULE but it will make it
'appear' there is nothing more than the current level.

knight
[EMAIL PROTECTED]

On Fri, 13 Oct 2000, Tim Cook wrote:

> Stephan Goeldi wrote:
> > 
> > OK let me state that I don't think so (subject line). I had to choose this
> > subject, because it seems to me, that nobody was interested in my previous
> > attempts to get information about my problem. So here is my newbie (?)
> > question again:
> > 
> > I have the folders:
> > 
> > /www/folder1
> > /www/folder2
> > 
> > Apache redirects domain1 to folder1 and domain2 to folder2.
> > The manager of folder1 is able to browse to /www and see what folders exist
> > there. He shouldn't, because he only exists in the acl_user of /www/folder1.
> > He even can look into the folder /www/folder2 (but not into the objects).
> > 
> > Is it possible to disable the access for the folder1-manager above folder1?
> > It doesn't seem to me. If it really isn't possible, there is no security at
> > all for ISP uses of Zope. But I'm sure, there should be a possibility.
> > 
> > I even created a local role in /www/folder1 too. Even with the local role I
> > can browse /www and /www/folder2!
> > 
> > Any suggestions?
> 
> Create the user in the top level folder that they are allowed to
> see. 
> Not in the /www folder
> 
> HTH,
> -- Tim Cook --
> Cook Information Systems | Office: (901) 884-4126 8am-5pm CDT
> Free Practice Management 
> Project Coordinator http://www.freepm.org
> OSHCA Founding Supporter http://www.oshca.org
> 
> 
> 






Re: [Zope] Non-existing Zope-Security!!!

2000-10-13 Thread Joachim Werner

> Create the user in the top level folder that they are allowed to
> see. 
> Not in the /www folder

That alone wouldn't do it if we are talking about "seeing the objects", e.g. by
calling the "objectIds" method in the root folder. You also have to switch off
the root folder's "Access contents information" rights for Anonymous and the
sub-tree managers. I think Zope security is really a bit weak here because the
standard settings are NOT blocking "Access contents information" and blocking
it makes programming a bit harder ...

BUT: You CAN configure it correctly if you want to.

Joachim

-- 
Iuveno - Smart Communication


Joachim Werner


_

Marie-Curie-Straße 6
85055 Ingolstadt

Tel.: +49 841/90 14-325 (Fax -322)
Mobil: +49 179/39 60 327
E-Mail: [EMAIL PROTECTED][EMAIL PROTECTED]
WWW: www.iuveno.de/www.iuveno-net.de




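An added example, not taken from any of the posts above and not Zope's code: a simplified model of how a permission check resolves through a folder tree, written to illustrate both threads on this page, the acl_test folder whose index_html acquires its settings, and the /www/folder1 manager who can still list /www because Anonymous holds "Access contents information" at the root. It models three rules: the roles for a permission are the union of the roles granted on the object and on its ancestors, stopping at the first object where "Acquire permission settings" is switched off; a user is recognised only by an acl_users on the path from the root to the requested object, and is Anonymous anywhere else; a check passes when the two role sets intersect. Local roles, proxy roles, the Owner role and the special handling of the root user folder are deliberately left out, and all names (Node, build_site, lookup, joe, f1mgr) are constructed for the example.

```python
# Added example: a simplified, constructed model of Zope-style permission
# acquisition. Not Zope's implementation; names are illustrative.

class Node:
    """A folder or document. perms maps permission -> (roles, acquire);
    users is this folder's acl_users: username -> tuple of roles."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}
        self.perms = {}
        self.users = {}
        if parent is not None:
            parent.children[name] = self

    def set_perm(self, permission, roles, acquire=True):
        self.perms[permission] = (tuple(roles), acquire)

    def lineage(self):
        """Ancestors root-first, ending with self (the traversal path)."""
        chain, n = [], self
        while n is not None:
            chain.append(n)
            n = n.parent
        chain.reverse()
        return chain


def lookup(root, path):
    """Resolve '/a/b' to the Node below root."""
    node = root
    for part in [p for p in path.split('/') if p]:
        node = node.children[part]
    return node


def roles_for_permission(node, permission):
    """Union the roles granted on node and its ancestors, stopping at the
    first object whose 'Acquire permission settings' box is unchecked."""
    roles, n = set(), node
    while n is not None:
        granted, acquire = n.perms.get(permission, ((), True))
        roles.update(granted)
        if not acquire:
            break
        n = n.parent
    return roles


def roles_of_user(username, node):
    """Only an acl_users on the path root..node can authenticate the
    request; a user defined elsewhere is just Anonymous here."""
    for n in node.lineage():
        if username in n.users:
            return set(n.users[username])
    return {'Anonymous'}


def allowed(username, node, permission):
    return bool(roles_for_permission(node, permission)
                & roles_of_user(username, node))


def build_site():
    """Constructed layout combining the two threads' setups."""
    root = Node('/')
    root.users['admin'] = ('Manager',)
    root.set_perm('View', ('Anonymous', 'Manager'))
    # Out-of-the-box style: Anonymous may list folder contents at the root.
    root.set_perm('Access contents information', ('Anonymous', 'Manager'))

    # acl_test: own acl_users, a 'User' role, acquisition of View turned off
    acl_test = Node('acl_test', root)
    acl_test.users['joe'] = ('User',)
    acl_test.set_perm('View', ('User', 'Manager'), acquire=False)
    Node('index_html', acl_test)      # no settings of its own: acquires

    # ISP layout: the folder1 manager exists only in /www/folder1/acl_users
    www = Node('www', root)
    folder1 = Node('folder1', www)
    Node('folder2', www)
    folder1.users['f1mgr'] = ('Manager',)
    return root


def lock_root_listing(root):
    """The fix suggested in the reply: stop Anonymous (and therefore
    sub-tree managers, who are Anonymous above their own folder) from
    listing the root, without acquiring anything from above it."""
    root.set_perm('Access contents information', ('Manager',), acquire=False)
```

Running `build_site()` and then `allowed('f1mgr', lookup(root, '/www'), 'Access contents information')` is true because the folder1 manager is Anonymous at /www and Anonymous is granted the permission there; after `lock_root_listing(root)` it is false, while `allowed('f1mgr', lookup(root, '/www/folder1'), ...)` stays true because folder1's own acl_users is on that path and the Manager role acquires the grant from the root.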



Re: [Zope] Non-existing Zope-Security!!!

2000-10-13 Thread Tim Cook

Stephan Goeldi wrote:
> 
> OK let me state that I don't think so (subject line). I had to choose this
> subject, because it seems to me, that nobody was interested in my previous
> attempts to get information about my problem. So here is my newbie (?)
> question again:
> 
> I have the folders:
> 
> /www/folder1
> /www/folder2
> 
> Apache redirects domain1 to folder1 and domain2 to folder2.
> The manager of folder1 is able to browse to /www and see what folders exist
> there. He shouldn't, because he only exists in the acl_user of /www/folder1.
> He even can look into the folder /www/folder2 (but not into the objects).
> 
> Is it possible to disable the access for the folder1-manager above folder1?
> It doesn't seem to me. If it really isn't possible, there is no security at
> all for ISP uses of Zope. But I'm sure, there should be a possibility.
> 
> I even created a local role in /www/folder1 too. Even with the local role I
> can browse /www and /www/folder2!
> 
> Any suggestions?

Create the user in the top level folder that they are allowed to
see. 
Not in the /www folder

HTH,
-- Tim Cook --
Cook Information Systems | Office: (901) 884-4126 8am-5pm CDT
Free Practice Management 
Project Coordinator http://www.freepm.org
OSHCA Founding Supporter http://www.oshca.org





[Zope] Non-existing Zope-Security!!!

2000-10-13 Thread Stephan Goeldi

OK let me state that I don't think so (subject line). I had to choose this 
subject, because it seems to me, that nobody was interested in my previous 
attempts to get information about my problem. So here is my newbie (?) 
question again:

I have the folders:

/www/folder1
/www/folder2

Apache redirects domain1 to folder1 and domain2 to folder2.
The manager of folder1 is able to browse to /www and see what folders exist 
there. He shouldn't, because he only exists in the acl_user of /www/folder1. 
He even can look into the folder /www/folder2 (but not into the objects).

Is it possible to disable the access for the folder1-manager above folder1? 
It doesn't seem to me. If it really isn't possible, there is no security at 
all for ISP uses of Zope. But I'm sure, there should be a possibility.

I even created a local role in /www/folder1 too. Even with the local role I 
can browse /www and /www/folder2!

Any suggestions?

TIA
-goe-







[Zope] security quickie

2000-10-09 Thread Seb Bacon

Does Zope security provide a way of restricting what objects are listed to
an authenticated user inside the Zope 'manage' interface?  I'm getting my
head all twisted up over this security / proxy roles /local roles lark.

Thanks, seb






Re: [Zope] Import & Zope Security

2000-09-11 Thread Chris Withers

Martijn Pieters wrote:
> No it isn't. Web access to class instances is handled by permissions.
> Unpickling will cause class instantiation in the python process, where you
> have no control over what gets created. 

Surely you could pipe this process through the Zope security process?

> You can create a custom
> unpickling class, but one that would handle the Zope range of objects
> would be, in Jim's words "tricky".

...then again, maybe not :-(

*sigh*

Chris :-)





Re: [Zope] Security Problems upgrading to Zope 2.2.0

2000-08-21 Thread Aleksander Salwa


On Mon, 21 Aug 2000, Stefan Bambach wrote:

> class test:
>   def __init__(self):
> pass
>   def sayhello(self):
> return "hello"
> 
> def initialize(self):
>   return test()
> 

> 
> What's wrong with this code ?

Try to add this attribute to your class 'test':

__allow_access_to_unprotected_subobjects__ = 1



[EMAIL PROTECTED]

/--\
| `long long long' is too long for GCC |
\--/



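An added example, not part of either post and not Zope's code: a simplified model of why an instance of a plain class returned by an external method is unusable from DTML even when the external method itself is callable by everyone. The permission checkboxes on the method govern the call; attribute access on the object it returns is a separate check, and an object with no security declarations is denied by default. The guard below follows that rule: it honours the __allow_access_to_unprotected_subobjects__ attribute from the reply and a per-attribute <name>__roles__ tuple (the attribute naming convention Zope 2 uses, but the check itself is this example's, not Zope's). Names other than Test and sayhello (guarded_getattr, Unauthorized, TestOpened, TestManagerOnly, call_from_template) are illustrative.

```python
# Added example: a constructed, simplified attribute-access guard that
# reproduces the poster's 'Unauthorized: sayhello' and shows what the
# suggested attribute changes. Not Zope's implementation.

class Unauthorized(Exception):
    pass


def guarded_getattr(obj, name, user_roles=('Anonymous',)):
    """Fetch obj.<name> subject to a deliberately simplified policy:
      1. names starting with '_' are never reachable from a template;
      2. if the class carries <name>__roles__, the caller needs one of
         those roles;
      3. otherwise the attribute is 'unprotected' and is reachable only
         when the class sets __allow_access_to_unprotected_subobjects__.
    """
    if name.startswith('_'):
        raise Unauthorized(name)
    cls = type(obj)
    declared = getattr(cls, name + '__roles__', None)
    if declared is not None:
        if not set(declared) & set(user_roles):
            raise Unauthorized(name)
        return getattr(obj, name)
    if getattr(cls, '__allow_access_to_unprotected_subobjects__', 0):
        return getattr(obj, name)
    raise Unauthorized(name)      # default deny: the poster's error


class Test:
    """The class as posted: no security declarations at all."""

    def sayhello(self):
        return "hello"


class TestOpened(Test):
    """With the attribute suggested in the reply: everything public."""
    __allow_access_to_unprotected_subobjects__ = 1


class TestManagerOnly(Test):
    """Narrower alternative: expose only sayhello, and only to Manager."""
    sayhello__roles__ = ('Manager',)


def call_from_template(obj, name='sayhello', user_roles=('Anonymous',)):
    """What a DTML call amounts to: resolve the attribute through the
    guard, then call it. Returns the result or 'Unauthorized: <name>'."""
    try:
        return guarded_getattr(obj, name, user_roles)()
    except Unauthorized as e:
        return 'Unauthorized: %s' % e
```

The point of TestManagerOnly is that the blanket attribute opens every non-underscore attribute of the instance to any caller who can reach it; declaring roles per attribute is the tighter option when the object is handed to templates edited by less trusted users.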



[Zope] Security Problems upgrading to Zope 2.2.0

2000-08-21 Thread Stefan Bambach

Hello zope-users,

I upgraded my Zope application from version 2.1.3 to 2.2.0 . Now I
have problems with the new security system.

e.g. 'test.py' in Extensions directory:

class test:
  def __init__(self):
pass
  def sayhello(self):
return "hello"

def initialize(self):
  return test()

Now I created an external method that is named 'test', it's function
name is 'initialize' and the module's name is 'test'.

The code



produces an 'Unauthorized: sayhello' after I canceled the requester.

Of course this is only a test function, because my real functions
didn't work, too.

All checkboxes of the external method 'test' are checked. So all users
should have the rights to access this method. Right ?

What's wrong with this code ?



bye.
Stefan Bambach







[Zope] SECURITY: Zope security alert and hotfix product...

2000-08-10 Thread Brian Lloyd

Hi all - 

  We have recently become aware of an important security issue 
  that affects all released Zope versions prior to 2.2.1 beta 1.

  The issue involves the fact that the getRoles method of user objects 
  contained in the default UserFolder implementation returns a mutable 
  Python type. Because the mutable object is still associated with the 
  persistent User object, users with the ability to edit DTML could 
  arrange to give themselves extra roles for the duration of a single 
  request by mutating the roles list as a part of the request processing. 

  While we know of no instances of this issue being used to exploit a 
  site, we *highly* recommend that any Zope site running versions of 
  Zope prior to 2.2.1 have this hotfix product installed to mitigate 
  the issue if the site is accessible by untrusted users who have DTML 
  editing privileges.

  A hotfix for this issue in the form of an add-on Zope product has been
  made available on zope.org. To install the hotfix, simply download and
  install the package as you would any other Zope add-on product (extract 
  it in the root of your Zope installation). Remember to restart your Zope 
  installation for the hotfix to take effect. 
  
  http://www.zope.org/Products/Zope/Hotfix_08_09_2000/Hotfix_08_09_2000.tgz

  The hotfix will work for all versions of Zope 2.0 and higher. The 
  forthcoming Zope 2.2.1 beta 1 release will contain the fix for this 
  issue, and you will be able to uninstall the hotfix after upgrading 
  to 2.2.1 beta 1 or higher (though nothing bad will happen if you 
  don't uninstall it).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




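An added example, not part of the announcement above and not Zope's code, showing the bug class the advisory describes: a role accessor that hands back its own internal list lets any code able to reach it rewrite the user's roles for the rest of the request, whereas returning an immutable snapshot (a tuple, or equivalently a fresh copy) defeats that. Class and function names (VulnerableUser, HardenedUser, check_permission, untrusted_template, demo) are illustrative.

```python
# Added example: aliasing of mutable internal state through an accessor.
# Constructed to illustrate the advisory; not Zope's user-folder code.

class VulnerableUser:
    """Returns the live roles list: callers can mutate persistent state."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = list(roles)

    def getRoles(self):
        return self._roles          # BUG: hands out the internal list itself


class HardenedUser:
    """Returns an immutable snapshot, so a mutation attempt cannot stick."""

    def __init__(self, name, roles):
        self.name = name
        self._roles = tuple(roles)

    def getRoles(self):
        return self._roles          # tuple: no append/extend possible


def check_permission(user, roles_allowed):
    """Permission check: does the user hold any role on the allow-list?"""
    return any(r in roles_allowed for r in user.getRoles())


def untrusted_template(user):
    """What a low-privilege author with DTML-edit rights could do: fetch
    the roles object and try to grow it before the next check runs.
    Returns True if the mutation went through."""
    roles = user.getRoles()
    try:
        roles.append('Manager')
        return True
    except AttributeError:          # tuples have no append
        return False


def demo(user_cls):
    """Run the scenario for one user implementation.
    Returns (allowed before, mutation succeeded, allowed after)."""
    user = user_cls('author', ['Member'])
    before = check_permission(user, ('Manager',))
    mutated = untrusted_template(user)
    after = check_permission(user, ('Manager',))
    return before, mutated, after
```

With VulnerableUser the third value flips to True for the rest of the request, which is exactly the per-request privilege escalation the advisory warns about; with HardenedUser the mutation attempt fails and the check result is unchanged. The same rule applies to any accessor on a security-relevant object: return copies or immutable types, never the field itself.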



[Zope] Zope security: manager role unable to add class instances

2000-08-10 Thread Darran Edmundson


Imagine a Zope-hosting ISP with a single ZODB.
A user Daz signs up for webhosting and sends
in his custom products and Zope tree.  The ISP
installs said data as follows:

root
  Control_Panel
    Products
      dazProduct
        dazClass1
        dazClass2
  acl_users (user daz with Manager role)

  subroot (daz's Zope tree)
    acl_users (user daz with Manager role)
    index_html

The site works fine.  The problem is that daz
is unable to create new instances of his
classes - the add methods lack the permission
to call manage_editProperties.  In contrast,
"superuser" *is* able to add instances.  I can
get around this problem my giving the constructors
the proxy role of Manager, but I'd really like
to understand why this is happening.  Any
info is much appreciated.

Cheers,
Darran.





Re: [Zope] security settings go blank on change!

2000-08-09 Thread Martijn Pieters

On Wed, Aug 09, 2000 at 10:08:20AM -0700, Paul Abrams wrote:
> Yikes!  Every time I try to change my security settings all
> of the checkboxes become unset when I save the form!
> 
> 1. Open up any "Security" tab
> 2. Change a checkbox
> 3. Save the form
> 4. Click 'Ok'
> 5. ALL of the checkboxes are empty!
> 
> Has anybody else seen this problem? I have a workaround, but
> I'd rather have a permanent solution. Any ideas what this
> could be?
> 
> Workaround:
> I tried to undo the transaction, and saw that
> manage_changePermissions was actually called twice. The
> first call does what it should but the second call wipes
> out all of the checkboxes. Thus, if I undo both
> transactions I'm back to my starting point and if I undo
> just the latest transaction I actually get what I wanted.

What do you actually mean with "3. Save the form", "4. Click 'Ok'"? I
generally just click 'Ok'. Somehow your browser seems to submit the form twice
for you, once with the correct change and once completely empty.

As this works fine for me I must assume your browser does something funny.

-- 
Martijn Pieters
| Software Engineermailto:[EMAIL PROTECTED]
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
-





[Zope] security settings go blank on change!

2000-08-09 Thread Paul Abrams

Yikes!  Every time I try to change my security settings all
of the checkboxes become unset when I save the form!

1. Open up any "Security" tab
2. Change a checkbox
3. Save the form
4. Click 'Ok'
5. ALL of the checkboxes are empty!

Has anybody else seen this problem? I have a workaround, but
I'd rather have a permanent solution. Any ideas what this
could be?

Workaround:
I tried to undo the transaction, and saw that
manage_changePermissions was actually called twice. The
first call does what it should but the second call wipes
out all of the checkboxes. Thus, if I undo both
transactions I'm back to my starting point and if I undo
just the latest transaction I actually get what I wanted.

Thanks in advance,
-Paul






[Zope] Security (proxy role??)

2000-08-03 Thread Sven Hohage

Hi,
I've got two questions.
1.Is Zope 2.2.0 masking the length of the passwords?
2. the more important->
I'm using a method to change properties by form. The user i.e. Tim has
the role manager in the highest user_folder and acquisition is kept but
Zope tells me that the user is not authorized.  Why???
 Thanks!








[Zope] Security Problem

2000-08-03 Thread Sven Hohage

Hi,
I've got two questions.
1. Is Zope 2.2.0 masking the length of the passwords?
2. The more important one:
I'm using a method to change properties by form. The user, e.g. Tim, has
the role Manager in the highest user_folder and acquisition is kept, but
Zope tells me that the user is not authorized. Why???
Thanks!




[Zope] security model

2000-07-28 Thread Olivier Tanguy

Authentication request bug and failure

When running an SQL method through an External Method (Python 1.5.42+) in a
dtml-tree tag, Zope (2.2dev) asks me to log in again, which I do without
success. Indeed, all the separate components work fine.

Any idea ?
Thanks




Re: [Zope] Security problem i 2.2 final - Bug?

2000-07-19 Thread Peter Arvidsson

That's what I did... same problem.

However, when I installed a new 2.2 final and did exactly the same (same stuff, same
permissions), it worked. There must be some problem with the upgrade...

Peter

Pierre Rougier wrote:

> Hi
>
> Just to see... try to give all the proxy roles to your method (Manager, Owner
> and Anonymous)... I had this problem, and it worked like that
>
> Pierre


Re: [Zope] Security problem i 2.2 final - Bug?

2000-07-19 Thread Peter Arvidsson

Hi

Thanks for the tip. I gave the method the correct roles but unfortunately the
problem still exists.

Peter

Pierre Rougier wrote:

> Hi  :)
> I may be saying something idiotic, but...
>
> Did you try to change the proxy roles of the method which calls the function
> manage_editProperties?
> (In case you need it: to do so, edit your method and choose Proxy at the top of the
> window; there you can edit the roles of your method.)
>
> Piotr.


Re: [Zope] Security problem i 2.2 final - Bug?

2000-07-19 Thread Pierre Rougier

Hi  :)
I may be saying something idiotic, but...

Did you try to change the proxy roles of the method which calls the function
manage_editProperties?
(In case you need it: to do so, edit your method and choose Proxy at the top of the
window; there you can edit the roles of your method.)

Piotr.

Peter Arvidsson wrote:

> I have a very annoying problem...
>
> I have created a news-product and have several news-objects. Now I want
> to change the properties of a news-object. This is my code for that:
>
>
> <dtml-call "newsEntries[objId].propertysheets[1].manage_editProperties(
>      header=REQUEST['header'],
>      date=REQUEST['date'],
>      author=REQUEST['author'],
>      email=REQUEST['mail'],
>      text=REQUEST['text'],
>      )">
>
>
> 'newsEntries' is the folder where I store my news-objects.
> 'objId' is the id of the product as a string.
>
> Every time I try to change properties a login prompt is displayed. The
> problem is that I get access denied whoever I log in as. My user has the
> same permissions as the superuser and even when I log in as the superuser
> I get access denied. I have changed things so that I am the owner of both the
> product 'news' and the news objects, the methods that I use and the
> folders that my objects and methods are in. I really don't know what this
> problem could be. I thought these problems were supposed to be resolved
> for 2.2 final but maybe there are some bugs left? I don't get this
> problem when I run the code in 2.1.6.
>
> I have also tried different possibilities in the code, I have used both
> changeProperties and editProperties. I have also tried to write the name
> of the propertysheet instead of '[1]' but everything renders the same
> problem.
>
> Really, because I am the owner of everything and I have the same rights
> as the superuser I don't think I should be "unauthorized" to change my
> objects. I have no problem adding and deleting these objects so why
> can't I change them?


[Zope] Security problem i 2.2 final - Bug?

2000-07-19 Thread Peter Arvidsson

I have a very annoying problem...

I have created a news-product and have several news-objects. Now I want
to change the properties of a news-object. This is my code for that:

<dtml-call "newsEntries[objId].propertysheets[1].manage_editProperties(
     header=REQUEST['header'],
     date=REQUEST['date'],
     author=REQUEST['author'],
     email=REQUEST['mail'],
     text=REQUEST['text'],
     )">

'newsEntries' is the folder where I store my news-objects.
'objId' is the id of the product as a string.

Every time I try to change properties a login prompt is displayed. The
problem is that I get access denied whoever I log in as. My user has the
same permissions as the superuser and even when I log in as the superuser
I get access denied. I have changed things so that I am the owner of both the
product 'news' and the news objects, the methods that I use and the
folders that my objects and methods are in. I really don't know what this
problem could be. I thought these problems were supposed to be resolved
for 2.2 final but maybe there are some bugs left? I don't get this
problem when I run the code in 2.1.6.

I have also tried different possibilities in the code, I have used both
changeProperties and editProperties. I have also tried to write the name
of the propertysheet instead of '[1]' but everything renders the same
problem.

Really, because I am the owner of everything and I have the same rights
as the superuser I don't think I should be "unauthorized" to change my
objects. I have no problem adding and deleting these objects so why
can't I change them?






RE: [Zope] SECURITY ROLES and <DTML-IN>

2000-07-17 Thread Theodore Patrick

Brian,

Thanks a ton. The patch worked perfectly! As it turns out I was using ODBC
with Oracle. Everything works great. Rendering results perfectly.

Thanks for the prompt response. As always!

Theodore E. Patrick
Ishophere.com

-Original Message-
From: Brian Lloyd [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 17, 2000 10:27 AM
To: 'Theodore Patrick'; '[EMAIL PROTECTED]'
Subject: RE: [Zope] SECURITY ROLES and < DTML-IN>


> I am having trouble rendering a <dtml-in> in Zope 2.2.0 to any user
> regardless of roles.
> 
> I have allocated the proper rights to all objects used and 
> nothing happens.
> The <dtml-in> will not let any user view its contents.

Theodore - 

I bet you're running into the same problem as the 
folks using the ODBC adaptor. I've attached the post 
I made addressing this a few minutes ago.

If this fixes your problem, could you send a note to 
the zope-list and let the folks there know that the fix 
works for the Oracle DA too? (I'm going out of town today, 
so I won't be able to forward it if you only reply to me)

Thanks!

> Hi guys - 
> 
> For those of you (I've mostly heard ODBC adapter users) 
> having authorization problems with your SQL methods, here's
> the scoop:
> 
> Database connections use one of two classes in the 
> framework for wrapping up result data returned from 
> queries. One of those classes (that understands results 
> in RDB format) was missing a required security assertion. 
> 
> The results returned by the ODBC adapter were bitten by 
> this - probably there are other adapters that could 
> be affected.
> 
> I've attached a patch file for the file:
> lib/python/Shared/DC/ZRDB/RDB.py
> 
> ...as well as an updated version of the whole file (since 
> I know a lot of you will be on Windows w/o patch :) Either 
> patch or replace the file and restart Zope to fix the 
> problem.
> 
> This is also checked in for a 2.2.1 release that will 
> probably happen after a few weeks when enough people 
> have upgraded to shake out any other problems.
> 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] SECURITY ROLES and <DTML-IN>

2000-07-17 Thread Brian Lloyd

> I am having trouble rendering a <dtml-in> in Zope 2.2.0 to any user
> regardless of roles.
> 
> I have allocated the proper rights to all objects used and 
> nothing happens.
> The <dtml-in> will not let any user view its contents.

Theodore - 

I bet you're running into the same problem as the 
folks using the ODBC adaptor. I've attached the post 
I made addressing this a few minutes ago.

If this fixes your problem, could you send a note to 
the zope-list and let the folks there know that the fix 
works for the Oracle DA too? (I'm going out of town today, 
so I won't be able to forward it if you only reply to me)

Thanks!

> Hi guys - 
> 
> For those of you (I've mostly heard ODBC adapter users) 
> having authorization problems with your SQL methods, here's
> the scoop:
> 
> Database connections use one of two classes in the 
> framework for wrapping up result data returned from 
> queries. One of those classes (that understands results 
> in RDB format) was missing a required security assertion. 
> 
> The results returned by the ODBC adapter were bitten by 
> this - probably there are other adapters that could 
> be affected.
> 
> I've attached a patch file for the file:
> lib/python/Shared/DC/ZRDB/RDB.py
> 
> ...as well as an updated version of the whole file (since 
> I know a lot of you will be on Windows w/o patch :) Either 
> patch or replace the file and restart Zope to fix the 
> problem.
> 
> This is also checked in for a 2.2.1 release that will 
> probably happen after a few weeks when enough people 
> have upgraded to shake out any other problems.
> 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





 RDB.py
 RDB.py.patch
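
Brian's explanation turns on Zope's default-deny rule for attribute access: a <dtml-in> over query results reads columns off each row object, and unless the result class (or its container) carries a security assertion, the security policy raises Unauthorized no matter which roles the user holds. The block below is an added example written for this page, not code from the list, from the RDB.py patch or from Zope itself. It models that rule in plain Python: the two attribute names it honours, __roles__ and __allow_access_to_unprotected_subobjects__, are the ones Zope 2 really uses, but the validate() function, the row classes and the sample rows (shaped after the columns of Theodore's view_method) are constructed for illustration, and the real ZopeSecurityPolicy has further steps (proxy roles, owner checks) that are left out.

```python
"""Simplified model of Zope 2's default-deny attribute access check.

Illustration written for this page, not Zope's own code.  It keeps the two
assertions Zope 2 honours on published objects, ``__roles__`` and
``__allow_access_to_unprotected_subobjects__``, and shows why a result class
that carries neither makes every <dtml-in> over a query fail for every user,
and why adding the assertion fixes it.  Permission to call the SQL method
itself is checked elsewhere in Zope and is not modelled here.
"""

_marker = object()


class Unauthorized(Exception):
    """Raised when restricted code may not read an attribute."""


def validate(container, name, value, user_roles):
    """Decide whether restricted code may read ``container.<name>`` (== value).

    1. A __roles__ declaration on the value wins: None means public,
       otherwise the user needs one of the listed roles.
    2. Otherwise the container must assert that its unprotected subobjects
       are readable, for every attribute (true value) or per name (a dict).
    3. Nothing asserted means deny, even for a Manager.
    """
    roles = getattr(value, '__roles__', _marker)
    if roles is not _marker:
        if roles is None:
            return True
        if set(roles) & set(user_roles):
            return True
        raise Unauthorized('%s: needs one of %r' % (name, tuple(roles)))
    allow = getattr(container, '__allow_access_to_unprotected_subobjects__', 0)
    if isinstance(allow, dict):
        allow = allow.get(name, 0)
    if allow:
        return True
    raise Unauthorized('%s: no security assertion on value or container' % name)


class Row:
    """One result row; plain attributes, no security declarations."""

    def __init__(self, **columns):
        self.__dict__.update(columns)


class UnprotectedRow(Row):
    """Like the RDB result class before the fix: no assertion at all."""


class ProtectedRow(Row):
    """Like the fixed class: every column is readable by restricted code."""
    __allow_access_to_unprotected_subobjects__ = 1


class PartiallyProtectedRow(Row):
    """Per-name form: only the listed columns are readable."""
    __allow_access_to_unprotected_subobjects__ = {'id': 1, 'name': 1}


# Constructed sample data in the shape of Theodore's query:
#   select id, v_id vid, item_name name, url from item
SAMPLE_RESULT = [
    dict(id=1, vid=10, name='first item', url='http://example.invalid/1'),
    dict(id=2, vid=20, name='second item', url='http://example.invalid/2'),
]


def render_in(row_class, columns, user_roles=('Manager',)):
    """Model of <dtml-in>: read each column of each row through the check.

    Returns the rendered rows, or raises Unauthorized on the first denial.
    """
    rendered = []
    for data in SAMPLE_RESULT:
        row = row_class(**data)
        cells = []
        for col in columns:
            value = getattr(row, col)
            validate(row, col, value, user_roles)
            cells.append(str(value))
        rendered.append(', '.join(cells))
    return rendered


def denied(row_class, columns, user_roles=('Manager',)):
    """True if the security check blocks rendering these columns."""
    try:
        render_in(row_class, columns, user_roles)
    except Unauthorized:
        return True
    return False


if __name__ == '__main__':
    cols = ('id', 'vid', 'name', 'url')
    try:
        render_in(UnprotectedRow, cols)
    except Unauthorized as e:
        print('unpatched result class:', e)
    for line in render_in(ProtectedRow, cols):
        print('patched result class:', line)
```

The point worth keeping from the model is the last branch of validate(): a missing assertion is not "no opinion", it is a denial, which is why opening up permissions or adding proxy roles on the DTML Document (the two things Theodore tried) cannot help. The fix has to be made on the class that wraps the result rows, which is what the RDB.py patch does.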


[Zope] SECURITY ROLES and <DTML-IN>

2000-07-17 Thread Theodore Patrick

I am having trouble rendering a <dtml-in> in Zope 2.2.0 to any user
regardless of roles.

I have allocated the proper rights to all objects used and nothing happens.
The <dtml-in> will not let any user view its contents.



I am using a <dtml-in> in a DTML Document to render the contents of an
SQL_Method from an Oracle database.
There are 3 objects.

1. Database Connection (ORACLE) - working and can run test. OK

2. SQL_Method (VIEW_METHOD) - working and can see results when run.
SQL: select id, v_id vid, item_name name, url from item
The SQL method returns columns: id, vid, name, url as expected. OK

3. DTML Document - works fine with an IN that renders folder properties.
Change the source of the <dtml-in> to:
<dtml-in view_method><dtml-var id>, <dtml-var vid>, <dtml-var name>, <dtml-var url></dtml-in>


When used, it prompts the user to log in, REGARDLESS OF CURRENT LOGIN, and
returns the following error.

Traceback (innermost last):
  File C:\PROGRA~1\island8\lib\python\ZPublisher\Publish.py, line 222, in publish_module
  File C:\PROGRA~1\island8\lib\python\ZPublisher\Publish.py, line 187, in publish
  File C:\PROGRA~1\island8\lib\python\ZPublisher\Publish.py, line 171, in publish
  File C:\PROGRA~1\island8\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: view)
  File C:\PROGRA~1\island8\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: view)
  File C:\PROGRA~1\island8\lib\python\OFS\DTMLMethod.py, line 167, in __call__
    (Object: view)
  File C:\PROGRA~1\island8\lib\python\DocumentTemplate\DT_String.py, line 502, in __call__
    (Object: view)
  File C:\PROGRA~1\island8\lib\python\DocumentTemplate\DT_In.py, line 602, in renderwb
    (Object: view_method)


Things I have tried.

1. Opening up security all the way on all objects. Doesn't work. It
continues to ask me to log in.
2. Proxying the DTML Document's role to a higher role for the SQL_METHOD. Fails
just as before.

Is this a bug? Can anyone else confirm this?

PLATFORM: WINDOWS NT 4
ZOPE: 2.2.0 Final Release. 



[Zope] Re: [Zope-dev] Zope security alert and 2.1.7 update [*important*]

2000-06-16 Thread Gregor Hoffleit

Brian,

from the announcement, it sounded like the only change from 2.1.6 to 2.1.7
was the fix to DT_String. Zope-2.1.7-src/doc/CHANGES.txt only lists:

  Bugs Fixed

- An inadequately protected base class method made DTMLDocuments 
  and DTMLMethods vulnerable to having their contents changed by 
  unauthorized users.

But when I diff 2.1.6 and 2.1.7, I get modifications in 29 files, ranging
from MailHost to ZLogger and so on.

I haven't yet grokked the patches to 2.1.7 suggested by Adam, but some of
them look like fixes to things that were broken from 2.1.6 to 2.1.7. Judging
from the announcement, I would not have expected that 2.1.7 could break
anything.

Therefore a little plea: Please try to keep the CHANGES.txt accurate and
comprehensive; that's most urgent for security releases like this IMHO: Most
people will install them without much preparation.

thanks,
Gregor


On Thu, Jun 15, 2000 at 05:26:18PM -0400, Brian Lloyd wrote:
> A Zope 2.1.7 release has been made that resolves this issue for 
> Zope 2.1.x users. This release is available from Zope.org:
>   
>   http://www.zope.org/Products/Zope/2.1.7/
> 
> A patch is also available if it is not feasible to update your 
> Zope installation at this time (the patch is based on 2.1.6):
> 
>   http://www.zope.org/Products/Zope/2.1.7/DT_String.diff



[Zope] Zope security alert and 2.1.7 update [*important*]

2000-06-15 Thread Brian Lloyd

Hello all,


We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 

A Zope 2.1.7 release has been made that resolves this issue for 
Zope 2.1.x users. This release is available from Zope.org:
  
  http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your 
Zope installation at this time (the patch is based on 2.1.6):

  http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases, 
you should apply the patch noted above if your site is accessible 
by untrusted clients. A forthcoming 2.2 beta 2 release will contain 
the fix for this issue.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients take the appropriate mitigation steps immediately.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





Re: [Zope] security issues

2000-06-04 Thread Ragnar Beer

>  > I will soon have a Zope-site ready to go online. How can I make sure
>  > that I did everything (concerning Zope) to stop intruders? Where can
>  > I find information about protecting a Zope-site? Has anyone had
>  > security problems so far?
>
>Easiest (most brutal?) fix I've found - hide Zope behind an Apache,
>and prohibit access to any URLs of the form .*/manage.*

This is what I'm doing at the moment (more or less) but your question 
made me think. Actually this is an example of "allow anything that 
isn't explicitly denied" which is not a very good policy if you want 
security. I remember (but - darn - can't remember where I have it) a 
posting that said that anyone can easily see the names of all objects 
in a folder which is nice intelligence gathering.
I guess it would be much better (and even more brutal;) to deny 
everything that isn't allowed explicitly. I'll try that later. I 
think I'll have to allow .*_html and .*_img for the http protocol 
plus all the .*/manage.* stuff for https and perhaps also make some 
(not so secure) restrictions based on IP addresses.

--Ragnar



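
Ragnar's point, that a proxy rule which only blocks `.*/manage.*` is allow-by-default and passes anything the author did not think of, can be made concrete by running both policies over the same request list. The block below is an added example written for this page, not code from the thread, from Zope or from Apache. The two content patterns (`.*_html`, `.*_img` over http, plus `.*/manage.*` over https) follow what Ragnar sketches; the exact regexes, the folder and object names, and the request list are constructed. The `objectIds` and `document_src` paths stand for the intelligence-gathering URLs he mentions: both are ordinary Zope 2 methods that can be called through the URL when the object's permissions allow it, and neither contains the string `manage`.

```python
"""Allow-by-default vs deny-by-default URL policy for a proxy in front of Zope.

Added example for this page, not Zope or Apache code.  Both policies are
plain regex lists evaluated the way a reverse proxy would before a request
reaches Zope.  The request paths and the allow-list patterns are constructed
for illustration.
"""
import re

# Policy 1, allow by default: block anything that looks like the ZMI, pass the rest.
DENY_PATTERNS = [re.compile(r'.*/manage.*')]

# Policy 2, deny by default: per scheme, pass only what matches an allow rule.
_CONTENT = re.compile(r'^/(?:[\w-]+/)*[\w-]+_(?:html|img)$')  # /news/index_html, /news/logo_img
_ZMI = re.compile(r'.*/manage.*')
ALLOW_PATTERNS = {
    'http': [_CONTENT],
    'https': [_CONTENT, _ZMI],  # management screens only over TLS
}


def allow_by_default(scheme, path):
    """Policy 1: the request passes unless a deny pattern matches."""
    return not any(p.match(path) for p in DENY_PATTERNS)


def deny_by_default(scheme, path):
    """Policy 2: the request passes only if an allow pattern for its scheme matches.

    An unknown scheme has no allow list at all and is therefore refused."""
    return any(p.match(path) for p in ALLOW_PATTERNS.get(scheme, []))


# Constructed requests.  objectIds and document_src are ordinary Zope 2
# methods reachable by URL when permissions allow; neither contains 'manage'.
SAMPLE_REQUESTS = [
    ('http',  '/news/index_html'),
    ('http',  '/news/logo_img'),
    ('http',  '/news/manage_main'),
    ('https', '/news/manage_main'),
    ('http',  '/news/objectIds'),                # lists every object id in the folder
    ('http',  '/news/index_html/document_src'),  # DTML source of the document
    ('http',  '/news/index_html/manage_main'),   # ZMI reached through a document
]


def decisions(requests=SAMPLE_REQUESTS):
    """Map each request to (policy 1 verdict, policy 2 verdict)."""
    return {(s, p): (allow_by_default(s, p), deny_by_default(s, p))
            for s, p in requests}


def leaks(requests=SAMPLE_REQUESTS):
    """Requests the deny-list lets through that the allow-list refuses."""
    return [(s, p) for s, p in requests
            if allow_by_default(s, p) and not deny_by_default(s, p)]


if __name__ == '__main__':
    for (scheme, path), (open_policy, closed_policy) in decisions().items():
        print('%-5s %-34s allow-by-default=%-5s deny-by-default=%s'
              % (scheme, path, open_policy, closed_policy))
    print('passed only by the deny-list:', leaks())
```

The cost of the fail-closed version is the one Ragnar hints at: everything the site legitimately serves has to appear in the allow list, so a form that posts to a method not named `*_html` breaks until a rule is added for it, whereas under the deny-list it silently works, along with `objectIds`. Apache's `<LocationMatch>` directive takes the same regular expressions, so the two policies translate directly into a proxy configuration; the Python only makes the difference between their verdicts visible.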

