I have done some more testing, and despite being told that request.environ['REMOTE_USER'] is not hackable I have hacked it and can use the hack to get at otherwise forbidden content. For testing I have set REMOTE_USER in the zope.conf cgi-environment variable, so I can quickly change from being one user to another. I have read the RemoteUserFolder source code - that is what led me to the hack. The hack allows a user who can write a python script in his own folder to use it to hack the entire site.

So I still wonder if anyone who is using the REMOTE_USER environment variable is aware of a problem and has a solution.


Cliff

Tres Seaver wrote:

Cliff Ford wrote:

My people want to adopt a single sign-on system for web applications
that is based on the REMOTE_USER environment variable. I have tried out
RemoteUserFolder and also adapted exUserFolder to work similarly.

My problem is that I figured out how a user who has permission to create
python scripts (might work with dtml and page templates too) could
access otherwise forbidden content by making calls that pretend to come
from another user. Has anyone else come across this problem and devised
a solution, either in software or organisation?

Problem verified with Zope 2.9.2 and latest RemoteUserFolder



User folders who care need to look at the request's 'environ' dict, e.g.::

  remote_user = request.environ['REMOTE_USER']  # not hackable

rather than the default one where untrusted code can scribble::

  remote_user = request['REMOTE_USER']  # hackable


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
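The distinction Tres draws above, as an added illustration that is not code from either poster or from Zope itself: `FakeRequest` below is a deliberately simplified stand-in for a Zope-style request (an assumption, not Zope's real HTTPRequest) in which `request[key]` consults request data that in-request code can modify before falling back to the server-supplied CGI environment, while `request.environ` is only what the web server (or the zope.conf cgi-environment section) filled in.

```python
# Simplified model of the request lookup the thread turns on.
# NOT Zope's HTTPRequest: it only reproduces the precedence of
# writable request data over the CGI environment.

class FakeRequest:
    def __init__(self, environ, form=None):
        self.environ = dict(environ)   # server-supplied CGI variables
        self.other = dict(form or {})  # form values and later additions

    def set(self, key, value):
        # Models in-request code (e.g. a script) writing to the request.
        self.other[key] = value

    def __getitem__(self, key):
        # Writable data shadows the environment: the "hackable" lookup.
        if key in self.other:
            return self.other[key]
        return self.environ[key]


def remote_user_hackable(request):
    # The default lookup the reply warns against.
    return request['REMOTE_USER']


def remote_user_trusted(request):
    # Read only the dict the web server populated; fail closed if absent.
    user = request.environ.get('REMOTE_USER')
    if not user:
        raise KeyError('no REMOTE_USER supplied by the web server')
    return user


def demo():
    """Constructed scenario: the server authenticated 'cliff', then
    request data is overwritten to claim the identity 'admin'."""
    req = FakeRequest({'REMOTE_USER': 'cliff'})
    req.set('REMOTE_USER', 'admin')
    return remote_user_hackable(req), remote_user_trusted(req)
```

A user folder that keys its authentication on `remote_user_trusted` never sees the overwritten value; one keyed on `remote_user_hackable` does.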