hi,

imho i've found a vulnerability in zope 2.10.4 or rather in the newer version of five (1.5.5) used by it. in `Five/browser/ pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used the instantiate the page template engine used by five templates, or at least this is what i think it does. the problem with this is that `trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`) gets used to traverse path-expressions using `unrestrictedTraverse` (line 100), which means that i can access say the title of an otherwise private object with a simple
"obj/Title".

i ran into this when one of my doctests[1] failed after upgrading from zope 2.10.3 to 2.10.4, because it could now access the title, even though permissions are explicitly set up beforehand to prevent this. using `createZopeEngine` instead of `createTrustedZopeEngine` didn't help with the test, unfortunately, since this would then raise an `Unauthorized` right away when rendering the `folder_contents` view. however, if i defer resetting the roles of the test user to just before the "click" on 'Delete' (line 35 in the test), the test works again...

i've also just verified this ttw by creating a simple five view and a "file" object. i can successfully access the "title" attribute using the view, even though "view" and "access contents information" permissions are set up so only the "manager" role can access the object. dropping in zope 2.10.3 things work as expected, that is an `Unauthorized` exception is raised.

so, unless i'm completely wrong here, i'd say this is a pretty serious security whole, no?

cheers,


andi

[1] http://dev.plone.org/plone/browser/plone.app.linkintegrity/trunk/ plone/app/linkintegrity/docs/testReferalToPrivateFiles.txt?rev=16003

--
zeidler it consulting - http://zitc.de/ - [EMAIL PROTECTED]
friedelstra├če 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007


Attachment: PGP.sig
Description: This is a digitally signed message part

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to