This is just to report that this issue is resolved (for me). Tres Seaver kindly provided a patch for that makes the environ dictionary immutable (appended below for those in a similar position). This may have adverse consequences for applications that rely on existing behaviour and Tres has recommended that it would be better to harden the User Folder code. In our case we might also be able to encrypt the remote Username. Once again, thanks to Tres and other list members, who are a wonderful resource.


Cliff Ford wrote:
My people want to adopt a single sign-on system for web applications that is based on the REMOTE_USER environment variable. I have tried out RemoteUserFolder and also adapted exUserFolder to work similarly.

My problem is that I figured out how a user who has permission to create python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has any one else come across this problem and devised a solution, either in software or organisation?

Problem verified with Zope 2.9.2 and latest RemoteUserFolder.

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

The Patch:

Index: lib/python/ZPublisher/
--- lib/python/ZPublisher/        (revision 68139)
+++ lib/python/ZPublisher/        (working copy)
@@ -63,6 +63,16 @@
 class NestedLoopExit( Exception ):

+class ReadOnlyDict(dict):
+    def __setitem__(self, key, value):
+        raise TypeError, 'Immutable'
+    def __delitem__(self, key):
+        raise TypeError, 'Immutable'
+    def update(self, other):
+        raise TypeError, 'Immutable'
+    def clear(self):
+        raise TypeError, 'Immutable'
 class HTTPRequest(BaseRequest):
     Model HTTP request data.
@@ -252,7 +262,7 @@
             del environ['HTTP_AUTHORIZATION']

-        self.environ=environ
+        self.environ=ReadOnlyDict(environ)
Index: lib/python/ZPublisher/tests/
--- lib/python/ZPublisher/tests/      (revision 68139)
+++ lib/python/ZPublisher/tests/      (working copy)
@@ -684,7 +684,23 @@
         self.assertEqual(start_count, sys.getrefcount(s))  # The test

+    def test_environ_is_immutable(self):
+        from StringIO import StringIO
+        s = StringIO(TEST_FILE_DATA)
+        env = TEST_ENVIRON.copy()
+        env['to_replace'] = 'to_replace'
+        env['to_remove'] = 'to_remove'
+        from ZPublisher.HTTPRequest import HTTPRequest
+        req = HTTPRequest(s, env, None)
+        self.assertRaises(TypeError, req.environ.__setitem__,
+                            'hacked', 'hacked')
+        self.assertRaises(TypeError, req.environ.__setitem__,
+                            'to_replace', 'replaced')
+        self.assertRaises(TypeError, req.environ.__delitem__, 'to_remove')
+ self.assertRaises(TypeError, req.environ.update, {'hacked': 'hacked'})
+        self.assertRaises(TypeError, req.environ.clear)

 def test_suite():
     suite = unittest.TestSuite()
     suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test'))
Index: lib/python/OFS/tests/
--- lib/python/OFS/tests/  (revision 68139)
+++ lib/python/OFS/tests/  (working copy)
@@ -59,6 +59,9 @@
             r['Application'] = a
             self.root = a
    = makerequest(self.root, stdout=self.responseOut)
+            # 'environ' is now immutable, so replace it to allow scribbling
+            #  in tests
+   = dict(
             except AttributeError: pass
             manage_addFolder(, TESTFOLDER_NAME)

Zope maillist  -
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to