Martijn Pieters wrote:
> On 5/16/06, Cliff Ford <[EMAIL PROTECTED]> wrote:
>
>> So I still wonder if anyone who is using the REMOTE_USER environment
>> variable is aware of a problem and has a solution.
>
> Environment-related variables should not be "hackable" from restricted
> code. Please file a report in the Zope Collector:
>
> http://www.zope.org/Collectors/Zope
>
> You'll need to log in (create a Zope.org account if you don't yet have
> one), and make sure you check the 'security related' tickbox.

MJ:

Given the discussion here on the list already, *don't* tick that box, as it
will only make it harder to address the issue.

Cliff:

The 'environ', 'form', 'taintedform', and 'cookies' attributes of ZPublisher's
HTTPRequest are simple Python dicts, and hence can be modified by untrusted
code (I thought they were instances of a derived, read-only class). If this
is an issue for third-party code (such as your user folder), then you likely
need to monkey-patch ZPublisher.HTTPRequest to lock them down. I'm attaching
a patch which does that for 'environ'; similar tweaks might be required for
the others.

Given the possibility of a BBB foul (third-party code may *legitimately*
expect to be able to mutate one or more of these dicts), we would probably
have to land these changes as configurable options, defaulting (at least
initially) to the current behavior.

Before you chase this down, please verify that the user folder you use *can*
be tricked this way: for instance, if the authentication always occurs
*before* your script is executed, then the scribbling is only an annoyance,
rather than a hole.

Tres.

-- 
===================================================================
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
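An added illustration of the lock-down Tres describes above; it is not the attached patch, not Zope's own code, and not part of the thread. `FakeRequest`, `lock_request_dicts` and `LOCK_REQUEST_DICTS` are hypothetical names standing in for ZPublisher's HTTPRequest, the monkey-patch hook and the configurable option, and the default keeps the current (mutable) behaviour as suggested.

```python
# Read-only dict wrapper plus an opt-in lock-down hook (hypothetical names;
# a stand-in for the ZPublisher monkey-patch discussed in the thread).

class ReadOnlyDict(dict):
    """A dict whose contents cannot be changed after construction."""

    def _readonly(self, *args, **kw):
        raise TypeError("request mapping is read-only")

    # Every mutating entry point raises; reads behave like a normal dict.
    __setitem__ = __delitem__ = __ior__ = _readonly
    clear = pop = popitem = setdefault = update = _readonly


class FakeRequest:
    """Minimal stand-in for ZPublisher's HTTPRequest (hypothetical)."""

    def __init__(self, environ, form=None, cookies=None):
        self.environ = dict(environ)   # plain dicts, as in the real request
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})


LOCK_REQUEST_DICTS = False  # assumed config option; False = current behaviour


def lock_request_dicts(request, enabled=LOCK_REQUEST_DICTS):
    """Replace the mutable request mappings with read-only copies.

    Meant to run once, at publish time, before any restricted code touches
    the request. 'taintedform' would be wrapped the same way.
    """
    if enabled:
        for name in ("environ", "form", "cookies"):
            setattr(request, name, ReadOnlyDict(getattr(request, name)))
    return request


def try_scribble(request, key, value):
    """Return True if code running later could overwrite request.environ[key]."""
    try:
        request.environ[key] = value
    except TypeError:
        return False
    return True


if __name__ == "__main__":
    req = lock_request_dicts(FakeRequest({"REMOTE_USER": "cliff"}), enabled=True)
    print(try_scribble(req, "REMOTE_USER", "other"))  # False: the lock holds
```

With the option left at its default the request stays mutable, which is what makes Tres's last point matter: the ordering of authentication relative to script execution decides whether a writable `environ` is a hole or merely an annoyance.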