Now that we've reached closure on some of the outstanding security
issues in Zope there's a lot of stuff in the Collector that needs to
Brian Lloyd wrote:
> - For loops, list comprehensions, and other iterations in untrusted code
> - List and dictionary instance methods in untrusted code
> - Use of import as in untrusted code
> - Use of min, max, enumerate, iter, and sum in untrusted code
> - Broken binding validation in untrusted code
> - Unpacking in untrusted code
> - PythonScript class security not initialized properly
> - PropertyManager 'lines' and 'tokens' properties stored as list
> - Configuration file did not override security policy selection
AFAIK there weren't any public bugs related to these problems, except
for maybe issue #28 which can probably be taken out of deferred status
and placed into resolved now.
> - Unicode passed to RESPONSE.write() could shutdown process
I could have sworn there was a bug report related to this but I can't
find it now.
> - XML-RPC instance marshaling may disclose protected values
issue #410, I can't comment on the effectiveness of this solution, I
removed XML-RPC from my tree ages ago, I am currious if anyone has a
test-case/exploit for this issue though
> - DTML tag dtml-tree may allow DoS attack
issue #604 can be marked resolved now
> - Potential cross-site scripting problem in default ZSearch interface
issue #734 can be marked resolved now
> - Proxy rights on DTMLMethods transferred via acquisition
I believe this means issue #743 and issue #977 can be resolved now.
Actually, #977 already was rejected IIRC but its never been marked as
public which is rather irritating.
> - Improper security assertions on DTMLDocument objects
probably fixes issue #865, but because Zope-HEAD doesn't actually run
right now, due to a myriad of other bugs, I actually haven't tested it
> - Inadequate security assertions on admin "find" functions
issue #1000 can be marked resolved now
The patchset for 813's xss issues seems to have been partially
applied. I still need to update my patch against HEAD for the xss
holes that haven't been closed. I'll post an update to the collector
when its ready.
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
next to you may not be who they appear to be, so take precaution."
Zope-Dev maillist - [EMAIL PROTECTED]
** No cross posts or HTML encoding! **
(Related lists -