<div dir="ltr">The same question again and again<br><br>As a Zope user I prefer to know as soon as possible if Zope has security problems like those<br><br>Perhaps the correct way will be to send the problem to the zope people and 2 weeks later then make it public<br>
<br>I think 2 weeks is a very correct period to solve a problem if not, I want to try to solve the problem for myself<br><br>But I shout my mouth, sorry Andreas ;)<br><br><div class="gmail_quote">2008/8/12 Andreas Jung <span dir="ltr"><<a href="mailto:lists@zopyx.com">lists@zopyx.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">*sigh*<br>
<br>
I wished that both exploits were reported to the Zope bugtracker in order<br>
to work on solutions before making the exploits public.<br>
<br>
<br>
--On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <<a href="mailto:mal@egenix.com" target="_blank">mal@egenix.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello,<br>
</blockquote><div class="Ih2E3d">
<br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
1. Attack:<br>
<br>
Put this into a "Script (Python)" object and run it:<br>
<br>
return 'kaboom'.encode('test.testall')<br>
<br>
This results in a denial-of-service, since Zope will hang<br>
running the Python test suite.<br>
<br>
The reason for this is a problem in the way the encoding search<br>
function works in Python 2.4. This was changed in 2.5 to no longer<br>
allow searching for codecs outside the encodings package.<br>
</blockquote>
<br></div>
That's pretty obscure behavior of Python 2.4...anyway.<div class="Ih2E3d"><br>
<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<br>
2. Attack:<br>
<br>
Put this into a "Script (Python)" object and run it:<br>
<br>
raise SystemExit<br>
<br>
This shuts down Zope.<br>
<br>
The Python Script environment should obviously catch such exceptions<br>
and not let them propagate up the call stack.<br>
<br>
</blockquote>
<br></div>
See the followup on<br>
<br>
<<a href="https://bugs.launchpad.net/zope2/+bug/257269" target="_blank">https://bugs.launchpad.net/zope2/+bug/257269</a>><br>
<br>
There is a patch available that solves the problem.<br><font color="#888888">
<br>
Andreas<br>
<br>
</font><br>_______________________________________________<br>
Zope maillist - <a href="mailto:Zope@zope.org">Zope@zope.org</a><br>
<a href="http://mail.zope.org/mailman/listinfo/zope" target="_blank">http://mail.zope.org/mailman/listinfo/zope</a><br>
** No cross posts or HTML encoding! **<br>
(Related lists -<br>
<a href="http://mail.zope.org/mailman/listinfo/zope-announce" target="_blank">http://mail.zope.org/mailman/listinfo/zope-announce</a><br>
<a href="http://mail.zope.org/mailman/listinfo/zope-dev" target="_blank">http://mail.zope.org/mailman/listinfo/zope-dev</a> )<br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Mis Cosas<br><a href="http://blogs.sistes.net/Garito">http://blogs.sistes.net/Garito</a><br>Zope Smart Manager<br><a href="http://blogs.sistes.net/Garito/670">http://blogs.sistes.net/Garito/670</a><br>
</div>