[ZCM] [ZC] 410/ 3 Resolve "xmlrpc leaks private attributes"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Wed Jan 21 14:35:59 EST 2004
Issue #410 Update (Resolve) "xmlrpc leaks private attributes"
** Security Related ** (Public)
Status Resolved, Zope/bug medium
To followup, visit:
http://zope.org/Collectors/Zope/410
==============================================================
= Resolve - Entry #3 by Brian on Jan 21, 2004 2:35 pm
Status: Pending => Resolved
fixed for 2.6.3+ and 2.7.0b4+
-BL
________________________________________
= Unrestrict_pending - Entry #2 by ShaneH on May 2, 2003 10:29 am
I'm not sure this is a big deal, but I don't know of a good way to fix it, so I'm opening this up for comments. Anything derived from ExtensionClass is safe, and most things in Zope are derived from ExtensionClass.
________________________________________
= Request - Entry #1 by htrd on May 31, 2002 7:46 am
xmlrpc marshals class instances by marshalling their __dict__.
This includes attributes which would be private under the Zope security policy: underscore-prefixed attributes, and attributes with security declarations.
One significant mitigating factor is that it cannot marshal ExtensionClass instances or acquisition wrappers (in Python 2.1, anyway; I guess 2.2 may be different). This means you cannot use this hole to see the password attribute of a user object, for example.
==============================================================
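An added illustration, not part of the collector entries above, of the marshalling behaviour htrd describes: Python's standard-library xmlrpc.client still falls back to an instance's __dict__ when it has no dedicated dispatcher, so underscore-prefixed attributes end up in the wire struct. The class and attribute names are constructed; the allow-list projection is one defensive pattern, not the fix Brian applied to Zope.

```python
"""Demonstrates the __dict__ fallback in xmlrpc marshalling and an allow-list
projection that keeps unlisted attributes off the wire."""
import xmlrpc.client


class Record:
    """Constructed sample object: one public and one 'private' attribute."""

    def __init__(self):
        self.title = "hello"
        self._secret = "not for the wire"  # private by convention only


def struct_members(value):
    """Marshal `value` as a one-parameter XML-RPC payload, parse it back and
    return the member names of the resulting <struct>.  For an arbitrary
    instance, xmlrpc.client serialises value.__dict__ as that struct."""
    xml = xmlrpc.client.dumps((value,))
    params, _methodname = xmlrpc.client.loads(xml)
    return sorted(params[0].keys())


def leaked_struct_members(obj):
    """What a caller sees when the instance itself is marshalled: every
    attribute in __dict__, including underscore-prefixed ones."""
    return struct_members(obj)


def public_view(obj, allowed):
    """Defensive alternative: build an explicit projection of the fields
    that are meant to be public and marshal that instead of the instance.
    Attributes not named in `allowed` never reach the marshaller, no matter
    what the object keeps in __dict__."""
    return {name: getattr(obj, name) for name in allowed if hasattr(obj, name)}


def safe_struct_members(obj, allowed):
    """Members of the struct produced from the allow-listed projection."""
    return struct_members(public_view(obj, allowed))


if __name__ == "__main__":
    rec = Record()
    print("default marshalling exposes:", leaked_struct_members(rec))
    print("allow-listed projection exposes:", safe_struct_members(rec, ("title",)))
```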