Now that we've reached closure on some of the outstanding security issues in Zope there's a lot of stuff in the Collector that needs to be revisited...
Brian Lloyd wrote:

> - For loops, list comprehensions, and other iterations in untrusted code
> - List and dictionary instance methods in untrusted code
> - Use of import as in untrusted code
> - Use of min, max, enumerate, iter, and sum in untrusted code
> - Broken binding validation in untrusted code
> - Unpacking in untrusted code
> - PythonScript class security not initialized properly
> - PropertyManager 'lines' and 'tokens' properties stored as list
> - Configuration file did not override security policy selection

AFAIK there weren't any public bugs related to these problems, except for maybe issue #28, which can probably be taken out of deferred status and placed into resolved now.

> - Unicode passed to RESPONSE.write() could shutdown process

I could have sworn there was a bug report related to this, but I can't find it now.

> - XML-RPC instance marshaling may disclose protected values

Issue #410. I can't comment on the effectiveness of this solution; I removed XML-RPC from my tree ages ago. I am curious if anyone has a test-case/exploit for this issue, though.

> - DTML tag dtml-tree may allow DoS attack

Issue #604 can be marked resolved now.

> - Potential cross-site scripting problem in default ZSearch interface

Issue #734 can be marked resolved now.

> - Proxy rights on DTMLMethods transferred via acquisition

I believe this means issue #743 and issue #977 can be resolved now. Actually, #977 already was rejected IIRC, but it's never been marked as public, which is rather irritating.

> - Improper security assertions on DTMLDocument objects

Probably fixes issue #865, but because Zope-HEAD doesn't actually run right now, due to a myriad of other bugs, I actually haven't tested it.

> - Inadequate security assertions on admin "find" functions

Issue #1000 can be marked resolved now.

The patchset for #813's XSS issues seems to have been partially applied. I still need to update my patch against HEAD for the XSS holes that haven't been closed.
I'll post an update to the collector when it's ready.

-- 
Jamie Heilman
http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution." -Sathington Willoughby

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
