[Zope] security - am I going crazy ?

2000-12-08 Thread Aleksander Salwa


A few days ago I found that on the site that I'm currently working on,
everybody can add DTMLMethods and Documents (and maybe do more, I haven't
checked yet, but I think it's bad enough !) by simply entering the URL
http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

After that Zope sends 'Location' header to redirect user to 'manage_main'.
That (manage_main) causes 'Unauthorized' exception.
But that object 'q1' was added !!!

I was thinking that it's a bug in a Product. (I use LoginManager, LocalFS,
SiteAccess). I decided to upgrade my Zope from 2.2.1 to 2.2.4 and upgrade
all Products (one good thing so far ;)). No success.
So I did a fresh install of Zope 2.2.4, without additional Products, with
a brand new Data.fs. The problem persists !
I have default security settings, so Anonymous can't "Add Documents,
Images, and Files".

Of course user can put any DTML in this object - you know the
consequences... (and if the folder where this object is located is owned
by high-privileged user, then this object is owned by that user too
(through acquisition)).
I just checked: I can't add Folders this way.

What's going on ?!? Have I found a very big security hole, or am I
just going crazy ? :(

P.S.
Just take a look at the object with id "haveIFoundABug" in the root level
of www.zope.org that I created a few seconds ago...

[EMAIL PROTECTED]

/--\
| `long long long' is too long for GCC |
\--/


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
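As an added defender-side example (not part of the thread), here is a small access-log check for the behaviour Aleksander describes: an unauthenticated request to a `manage_add*` constructor that is answered with a redirect instead of a 401. It assumes a combined-format access log from a web server or ZServer in front of Zope; the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Combined log format: host ident user [time] "METHOD path HTTP/x" status bytes
# (assumed log layout; the sample lines below are constructed, not real traffic)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
10.0.0.7 - - [08/Dec/2000:18:40:01 +0100] "GET /manage_addDTMLMethod?id=q1&title=qq1&file=qqq1 HTTP/1.0" 302 0
10.0.0.7 - - [08/Dec/2000:18:40:02 +0100] "GET /manage_main HTTP/1.0" 401 1234
10.0.0.9 - admin [08/Dec/2000:18:41:10 +0100] "GET /manage_addDTMLMethod?id=ok HTTP/1.0" 302 0
10.0.0.7 - - [08/Dec/2000:18:42:00 +0100] "GET /manage_addFolder?id=f1 HTTP/1.0" 401 1234
10.0.0.7 - - [08/Dec/2000:18:43:00 +0100] "GET /index_html HTTP/1.0" 200 5678
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_unauthenticated_constructor_call(rec: Dict[str, str]) -> bool:
    """True when a manage_add* constructor was reached with no credentials and was not refused.

    The symptom in the thread: the constructor runs and answers with a redirect (302)
    to manage_main, and only manage_main itself returns Unauthorized (401).
    """
    path = rec["path"].split("?", 1)[0]
    last_segment = path.rsplit("/", 1)[-1]
    return (
        rec["user"] == "-"
        and last_segment.startswith("manage_add")
        and rec["status"] not in ("401", "403")
    )


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed record that matches the unauthenticated-constructor pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_unauthenticated_constructor_call(rec):
            hits.append(rec)
    return hits
```

Run over the constructed sample, only the first line is flagged: the authenticated admin call and the refused manage_addFolder request are left alone.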




Re: [Zope] security - am I going crazy ?

2000-12-08 Thread Shane Hathaway

Aleksander Salwa wrote:
> Few days ago I found that on site that I'm currently working on,
> everybody can add DTMLMethods and Documents (and maybe do more, I haven't
> checked yet, but I think it's bad enough !) by simply entering URL
> http://www.mysite.com/manage_addDTMLMethod?id=q1&title=qq1&file=qqq1

You're right.  It's because of a "legacy" issue.  Here's a quick patch
that plugs the hole:

Index: ProductContext.py
===
RCS file: /cvs-repository/Zope2/lib/python/App/ProductContext.py,v
retrieving revision 1.27
diff -u -r1.27 ProductContext.py
--- ProductContext.py   2000/11/20 15:36:35 1.27
+++ ProductContext.py   2000/12/08 18:46:38
@@ -195,7 +195,7 @@
 else: name=method.__name__
 if not OM.__dict__.has_key(name):
 setattr(OM, name, method)
-setattr(OM, name+'__roles__', pr)
+setattr(OM, method.__name__+'__roles__', pr)
 
 if type(initial) is tt: name, initial = initial
 else: name=initial.__name__  
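Review bot: the method is still installed under `name` (`setattr(OM, name, method)`) while its roles are now declared under `method.__name__` (`setattr(OM, method.__name__+'__roles__', pr)`), so whenever `name` was not derived from `method.__name__` (the branch before the visible `else: name=method.__name__`) the method attribute and its roles attribute no longer share a key; a one-line comment stating which of the two names the publisher's `__roles__` lookup is keyed on would make the reason for this change clear to the next reader. If the roles `setattr` sits inside the `if not OM.__dict__.has_key(name):` guard (indentation is lost in this copy), the roles declaration is still skipped entirely when an attribute called `name` already exists on OM, which fits the "not perfect" remark and deserves a follow-up. A regression test asserting that an anonymous request to manage_addDTMLMethod is refused rather than redirected to manage_main would lock the fix in.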

This is not perfect, however.  I'm working on a better solution.

Shane
