
Martijn Pieters wrote:
> On 5/16/06, Cliff Ford <[EMAIL PROTECTED]> wrote:
>> So I still wonder if anyone who is using the REMOTE_USER environment
>> variable is aware of a problem and has a solution.
> Environment-related variables should not be "hackable" from restricted
> code. Please file a report in the Zope Collector:
>  http://www.zope.org/Collectors/Zope
> You'll need to log in (create a Zope.org account if you don't yet have
> one), and make sure you check the 'security related' tickbox.


Given the discussion here on the list already, *don't* tick that box, as
it will only make it harder to address the issue.


The 'environ', 'form', 'taintedform', and 'cookies' attributes of
ZPublisher's HTTPRequest are simple Python dicts, and hence can be
modified by untrusted code (I thought they were instances of a derived,
read-only class).  If this is an issue for third-party code (such as
your user folder), then you likely need to monkey-patch
ZPublisher.HTTPRequest to lock them down.  I'm attaching a patch which
does that for 'environ';  similar tweaks might be required for the others.

Given the possibility of a BBB foul (third-party code may *legitimately*
expect to be able to mutate one or more of these dicts), we would
probably have to land these changes as configurable options, defaulting
(at least initially) to the current behavior.

Before you chase this down, please verify that the user folder you use
*can* be tricked this way:  for instance, if the authentication always
occurs *before* your script is executed, then the scribbling is only an
annoyance, rather than a hole.
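To make the two points above concrete (environ is a plain dict that restricted code can scribble on, and whether that matters depends on whether the user folder reads REMOTE_USER before or after the script runs), here is an added, self-contained Python example. It is not the attached patch and not ZPublisher code: ToyRequest, LockedRequest, the toy user folder and the scenario() helper are hypothetical stand-ins, and ReadOnlyDict only shows the shape of the "lock it down" idea, so adapt it to how HTTPRequest actually builds environ before using it.

```python
"""Added example (hypothetical, not Zope's own code): a read-only mapping for
request.environ plus a toy request/user folder that shows when a mutable
environ turns REMOTE_USER scribbling into a real authentication problem."""


class ReadOnlyDict(dict):
    """dict subclass that rejects every mutating operation.

    Lookups, .get(), iteration and len() behave exactly as for a dict, so
    code that only *consults* request.environ keeps working unchanged.
    """

    def _readonly(self, *args, **kwargs):
        raise TypeError("request.environ is read-only")

    # Cover the C-level mutators too; dict.__ior__ does not go through update().
    __setitem__ = __delitem__ = __ior__ = _readonly
    clear = pop = popitem = setdefault = update = _readonly


class ToyRequest:
    """Stand-in for ZPublisher's HTTPRequest: environ is an ordinary dict."""

    def __init__(self, environ):
        self.environ = dict(environ)


def lock_request_environ(cls):
    """Monkey-patch style fix: wrap cls.__init__ so every new instance ends
    up with a ReadOnlyDict as environ. This is the shape of the idea only;
    the real HTTPRequest constructor differs, so adapt before use."""
    original_init = cls.__init__

    def __init__(self, *args, **kwargs):
        original_init(self, *args, **kwargs)
        self.environ = ReadOnlyDict(self.environ)

    cls.__init__ = __init__
    return cls


class LockedRequest(ToyRequest):
    """ToyRequest with the lock applied (patched below, not by subclassing)."""


lock_request_environ(LockedRequest)


def user_folder_authenticate(request):
    """Toy user folder that trusts REMOTE_USER as if the web server set it."""
    return request.environ.get("REMOTE_USER")


def untrusted_script(request):
    """Simulates restricted (through-the-web) code that tries to write to
    environ. Returns True if the write succeeded, False if it was blocked."""
    try:
        request.environ["REMOTE_USER"] = "admin"  # constructed sample value
        return True
    except TypeError:
        return False


def scenario(lock_environ, auth_before_script):
    """Run one ordering of (script, user folder) against a locked or unlocked
    request. Returns (script_could_write, user_seen_by_user_folder)."""
    request_cls = LockedRequest if lock_environ else ToyRequest
    request = request_cls({"REMOTE_USER": "alice"})  # constructed sample environ
    if auth_before_script:
        user = user_folder_authenticate(request)
        wrote = untrusted_script(request)
    else:
        wrote = untrusted_script(request)
        user = user_folder_authenticate(request)
    return wrote, user


if __name__ == "__main__":
    for lock in (False, True):
        for auth_first in (True, False):
            wrote, user = scenario(lock, auth_first)
            print(f"locked={lock!s:5} auth_first={auth_first!s:5} "
                  f"script_wrote={wrote!s:5} user_folder_saw={user}")
```

Only the unlocked, authenticate-after-script ordering lets the script's value reach the user folder; with authentication first the write is the "annoyance" case, and with ReadOnlyDict in place the write fails outright regardless of ordering. The same wrapper can be applied to 'form', 'taintedform' and 'cookies' if the checks for those show the same exposure.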

--
Tres Seaver          +1 202-558-7113          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com


Zope maillist  -  Zope@zope.org