
Jim Fulton wrote:
> On Jul 8, 2006, at 10:09 AM, Andreas Jung wrote:
>> --On 8. Juli 2006 09:53:47 -0400 Jim Fulton <[EMAIL PROTECTED]> wrote:
> ...
>>>>> Tres came up with this sledge hammer because he has no confidence
>>>>> in people's willingness to test and implement this feature properly.
>>>> I am fine with the sledge-hammer. I've never claimed that we need
>>>> to support file insertion and raw support in any way. We don't
>>>> need, we can kick it.
>>>> But removing or disabling a feature because we are possibly
>>>> incompetent would be just ridiculous.
>>> I can live with the sledge hammer for Zope 2.  All I ask for is tests.
>>> If there are tests for each way of invoking reST through the web that
>>> verify that file-inclusion isn't enabled, then it's alright with me if
>>> the sledge hammer is used to make the tests pass.  I won't tolerate an
>>> untested feature with so much security risk.
>> Yes, someone has to write the tests at some time, soon.
> Right. Before 2.10.
>> As I pointed out the risk is minimal for Zope-apps because you need to
>> have access to the ZMI.
> No, it's not.  Getting at arbitrary files is not acceptable from the ZMI.

Agreed.  Much of Zope's security machinery would be irrelevant if we
didn't care about untrusted users entering more-or-less executable
content TTW.

>> so what are security concerns in this case? And file inclusion won't
>> work if the related code is stripped off...so what are your security
>> concerns in this case?
> I am concerned by the lack of tests.  Whoever created the last hot fix
> was sure the problem was fixed.  They were wrong and we're paying the
> price.

I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils:  none of us was aware of the 'raw'
directive as an attack vector for file inclusion until you mentioned it
the other day.

We *did* disable the vector we knew about (the 'include' directive, when
processed from a ZMI-based ReST Document).  I think we can be off the
hook for the Plone version, as I think they don't call the same function
to render the text;  the DTML-based version, OTOH, was our fault (I
didn't know 'fmt="restructured-text"' existed until this week).

--
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
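The kind of check Jim asks for above (a test that exercises a render path and verifies that file inclusion is off), written as an added example against plain docutils rather than any Zope, Plone or DTML code path. It is not code from the thread or from the Zope hotfix, and it does not reproduce the "sledge hammer" Tres describes; instead it relies on docutils' own `file_insertion_enabled` and `raw_enabled` settings, which are real parser settings but are an assumption here as to how the rendering entry point is configured. The function names, the marker string and the scratch file are mine. It plants a marker in a temporary file, renders both vectors named in the thread (`.. include::` and `.. raw::` with `:file:`) through a default-settings renderer and a hardened one, and reports which renderer let the marker through:

```python
# Added example, not from the Zope-Dev thread or from Zope/Plone itself.
# Render reStructuredText with docutils twice, once with its default settings
# and once with the two settings that shut off the file-insertion vectors
# discussed in the thread, and check whether a marker planted in a file on
# disk can be pulled into the rendered output.  All names here are my own.
import os
import tempfile

from docutils.core import publish_parts

# Constructed marker; if it shows up in the rendered HTML, the renderer let
# the document read an arbitrary file from the server's filesystem.
SECRET_MARKER = "FILE-INSERTION-LEAK-a3f9c2"

# docutils settings (assumed as the hardening mechanism here):
#   file_insertion_enabled  governs ``include`` and the ``:file:``/``:url:``
#                           options of ``raw``
#   raw_enabled             governs the ``raw`` directive as a whole
# report_level and halt_level are raised so the '"include" directive disabled'
# warnings neither print to stderr nor abort rendering.
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
    "report_level": 5,
    "halt_level": 5,
}
DEFAULT_SETTINGS = {"report_level": 5, "halt_level": 5}


def render_default(source):
    """Render with docutils defaults: file insertion and raw are both on."""
    return publish_parts(source, writer_name="html",
                         settings_overrides=DEFAULT_SETTINGS)["body"]


def render_hardened(source):
    """Render with file insertion and the raw directive disabled."""
    return publish_parts(source, writer_name="html",
                         settings_overrides=HARDENED_SETTINGS)["body"]


def file_insertion_payloads(path):
    """The two directives named in the thread, each pointed at ``path``."""
    return {
        "include": ".. include:: %s\n" % path,
        "raw_file": ".. raw:: html\n   :file: %s\n" % path,
    }


def leaks_file_contents(render):
    """Map payload name -> True if rendering it exposed the marker file.

    ``render`` is any callable taking reST source and returning HTML, so the
    same check can be pointed at each through-the-web entry point.
    """
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SECRET_MARKER + "\n")
        return {name: SECRET_MARKER in render(payload)
                for name, payload in file_insertion_payloads(path).items()}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("default :", leaks_file_contents(render_default))
    print("hardened:", leaks_file_contents(render_hardened))
```

The point of taking the renderer as a parameter is that one such check can be run against every web-reachable render function separately (the ZMI document, the DTML `fmt` path, and so on), which is what the thread asks for. As Tres notes, though, a test like this only covers the vectors already known: it says nothing about a directive nobody has reviewed yet.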

Zope-Dev maillist  -  Zope-Dev@zope.org
