Re: [Zope] Script (Python) insecure ?

2008-08-16 Thread Dieter Maurer
M.-A. Lemburg wrote at 2008-8-12 13:41 +0200: ... While I have not yet been able to break out of the restricted environment without help from installed products, there are a few denial-of-service attacks which can easily be deployed on sites allowing adding Python Scripts to a user folder: 1.

Re: [Zope] Script (Python) insecure ?

2008-08-16 Thread M.-A. Lemburg
On 2008-08-16 08:00, Dieter Maurer wrote: M.-A. Lemburg wrote at 2008-8-12 13:41 +0200: ... While I have not yet been able to break out of the restricted environment without help from installed products, there are a few denial-of-service attacks which can easily be deployed on sites allowing

Re: [Zope] Script (Python) insecure ?

2008-08-16 Thread Andreas Jung
--On 16. August 2008 13:11:13 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote: In my experience, attempts to create a sandbox that protects sufficiently against unwanted resource usage are either too restrictive and slow to make them useful or have problems preventing DOS attacks. I think you

Re: [Zope] Script (Python) insecure ?

2008-08-16 Thread M.-A. Lemburg
On 2008-08-16 13:39, Andreas Jung wrote: --On 16. August 2008 13:11:13 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote: In my experience, attempts to create a sandbox that protects sufficiently against unwanted resource usage are either too restrictive and slow to make them useful or have

Re: [Zope] Script (Python) insecure ?

2008-08-16 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 M.-A. Lemburg wrote: On 2008-08-16 08:00, Dieter Maurer wrote: M.-A. Lemburg wrote at 2008-8-12 13:41 +0200: ... While I have not yet been able to break out of the restricted environment without help from installed products, there are a few

Re: [Zope] Script (Python) insecure ?

2008-08-16 Thread Chris Withers
Andreas Jung wrote: BTW: The reason why I had a look at these was that Chris Withers mentioned at EuroPython that they are currently causing delays in the Python 2.5 adoption (or at least are one of the reasons for them). Is Chris' talk somewhere online? Sorry, they were just quick

Re: [Zope] Script (Python) insecure ?

2008-08-13 Thread Martijn Jacobs
Thanks Andreas, for creating a hotfix for this issue! --On 12. August 2008 17:14:15 + Maurits van Rees [EMAIL PROTECTED] wrote: Andreas Jung, on 2008-08-12: After rough test: it seems to work for Zope trunk, 2.10 and 2.11 but has a failure for Zope 2.8. I forgot to mention that the

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
Sorry about the posting. I should have known better not to use a public mailing list for these sort of posts. Apologies, -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Aug 12 2008) Python/Zope Consulting and Support ...

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
*sigh* I wished that both exploits were reported to the Zope bugtracker in order to work on solutions before making the exploits public. --On 12. August 2008 13:41:04 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote: Hello, 1. Attack: Put this into a Script (Python) object and run it:

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Garito
The same question again and again As a Zope user I prefer to know as soon as possible if Zope has security problems like those Perhaps the correct way will be to send the problem to the zope people and 2 weeks later then make it public I think 2 weeks is a very correct period to solve a problem

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
--On 12. August 2008 14:16:44 +0200 Andreas Jung [EMAIL PROTECTED] wrote: *sigh* I wished that both exploits were reported to the Zope bugtracker in order to work on solutions before making the exploits public. --On 12. August 2008 13:41:04 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote:

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
--On 12. August 2008 16:05:47 +0200 Andreas Jung [EMAIL PROTECTED] wrote: --On 12. August 2008 14:16:44 +0200 Andreas Jung [EMAIL PROTECTED] wrote: *sigh* I wished that both exploits were reported to the Zope bugtracker in order to work on solutions before making the exploits public.

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Philipp von Weitershausen
Thanks a lot for taking care of these issues, Andreas! Andreas Jung wrote: --On 12. August 2008 16:05:47 +0200 Andreas Jung [EMAIL PROTECTED] wrote: --On 12. August 2008 14:16:44 +0200 Andreas Jung [EMAIL PROTECTED] wrote: *sigh* I wished that both exploits were reported to

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
--On 12. August 2008 17:19:54 +0200 Andreas Jung [EMAIL PROTECTED] wrote: I created a preliminary hotfix http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view After rough test: it seems to work for Zope trunk, 2.10 and 2.11 but has a failure for Zope 2.8. I forgot to mention

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
--On 12. August 2008 17:31:06 +0200 Andreas Jung [EMAIL PROTECTED] wrote: --On 12. August 2008 17:19:54 +0200 Andreas Jung [EMAIL PROTECTED] wrote: I created a preliminary hotfix http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view After rough test: it seems to work for Zope

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Tres Seaver
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Garito wrote: The same question again and again As a Zope user I prefer to know as soon as possible if Zope has security problems like those Perhaps the correct way will be to send the problem to the zope people and 2 weeks later then make it

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Maurits van Rees
Andreas Jung, on 2008-08-12: After rough test: it seems to work for Zope trunk, 2.10 and 2.11 but has a failure for Zope 2.8. I forgot to mention that the hotfix also seems to work for Zope 2.9. (third-party confirmations are highly appreciated). Update: the hotfix although works for Zope

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Maurits van Rees
Maurits van Rees, on 2008-08-12: That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz Oh, that tarball contains a .svn directory... I took the liberty of committing a change to the text of the raised ValueError to make it a proper sentence. Old: SystemExit can not raised

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
On 2008-08-12 18:04, Tres Seaver wrote: Garito wrote: The same question again and again As a Zope user I prefer to know as soon as possible if Zope has security problems like those Perhaps the correct way will be to send the problem to the zope people and 2 weeks later then make it

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
--On 12. August 2008 19:38:16 +0200 M.-A. Lemburg [EMAIL PROTECTED] wrote: On 2008-08-12 18:04, Tres Seaver wrote: Garito wrote: The same question again and again As a Zope user I prefer to know as soon as possible if Zope has security problems like those Perhaps the correct way will

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andrew Milton
+---[ Andreas Jung ]-- | | My conclusion after almost 9 years with Zope: PythonScripts and trusted | code was a good and nice feature in the early days of Zope. The future | is clearly trusted code in all its flavors. RestrictedPython, | through-the-web editing (ZMI) and

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung
--On 12. August 2008 17:14:15 + Maurits van Rees [EMAIL PROTECTED] wrote: Andreas Jung, on 2008-08-12: After rough test: it seems to work for Zope trunk, 2.10 and 2.11 but has a failure for Zope 2.8. I forgot to mention that the hotfix also seems to work for Zope 2.9. (third-party

Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
On 2008-08-12 20:49, Andreas Jung wrote: --On 12. August 2008 17:14:15 + Maurits van Rees [EMAIL PROTECTED] wrote: Andreas Jung, on 2008-08-12: After rough test: it seems to work for Zope trunk, 2.10 and 2.11 but has a failure for Zope 2.8. I forgot to mention that the hotfix also