[Zope-Checkins] CVS: Zope/lib/python/OFS - Application.py:1.191.2.8 CopySupport.py:1.85.2.5 DTMLDocument.py:1.48.68.3 DTMLMethod.py:1.80.44.4 FindSupport.py:1.31.68.2 PropertyManager.py:1.52.2.4 PropertySheets.py:1.89.4.4

Tres Seaver tseaver at zope.com
Thu Jan 8 18:34:18 EST 2004


Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv30073/lib/python/OFS

Modified Files:
      Tag: Zope-2_7-branch
	Application.py CopySupport.py DTMLDocument.py DTMLMethod.py 
	FindSupport.py PropertyManager.py PropertySheets.py 
Log Message:


  Merge security audit work for the 2.7 branch:

    - Collector #1140: setting the access control implementation from
      the configuration file didn't work.  The ZOPE_SECURITY_POLICY
      environment variable is no longer honored.

    - Browsers that do not escape html in query strings such as 
      Internet Explorer 5.5 could potentially send a script tag in a 
      query string to the ZSearch interface for cross-site scripting.

    - FilteredSets (used within TopicIndex) are defined via an expression,
      which was naievely eval'ed.

    - The ZTUtils SimpleTree decompressed tree state data from the 
      request without checking for final size, which could allow for 
      certain types of DoS attacks.

    - Inadequate security assertions on administrative "find" methods 
      could potentially be abused.

    - Some improper security assertions on DTMLDocument objects could 
      potentially allow access to members that should be protected.

    - Class security was not properly intialized for PythonScripts, 
      potentially allowing access to variables that should be protected. 
      It turned out that most of the security assertions were in fact 
      activated as a side effect of other code, but this fix is still 
      appropriate to ensure that all security declarations are properly 
      applied.

    - The dtml-tree tag used an "eval" of user-supplied data; its 
      efforts to prevent abuse were ineffective.

    - XML-RPC marshalling of class instances used the instance 
      __dict__ to marshal the object, and could include attributes 
      prefixed with an underscore name. These attributes are considered 
      private in Zope and should generally not be disclosed.

    - Some property types were stored in a mutable data type (list) which 
      could potentially allow untrusted code to effect changes on those 
      properties without going through appropriate security checks in 
      particular scenarios.

    - Inadequate type checking could allow unicode values passed to 
      RESPONSE.write() to be passed into deeper layers of asyncore, 
      where an exception would eventually be generated at a level that 
      would cause the Zserver main loop to terminate.

    - The variables bound to page templates and Python scripts such as 
      "context" and "container" were not checked adequately, allowing 
      a script to potentially access those objects without ensuring the 
      necessary permissions on the part of the executing user.

    - Iteration over sequences could in some cases fail to check access 
      to an object obtained from the sequence. Subsequent checks (such 
      as for attributes access) of such an object would still be 
      performed, but it should not have been possible to obtain the 
      object in the first place.

    - List and dictionary instance methods such as the get method of 
      dictionary objects were not security aware and could return an 
      object without checking access to that object. Subsequent checks 
      (such as for attributes access) of such an object would still be 
      performed, but it should not have been possible to obtain the 
      object in the first place.

    - Use of 'import as. in Python scripts could potentially rebind 
      names in ways that could be used to avoid appropriate security 
      checks.

    - A number of newer built-ins (min, max, enumerate, iter, sum)
      were either unavailable in untrusted code or did not perform
      adequate security checking.

    - Unpacking via function calls, variable assignment, exception 
      variables and other contexts did not perform adequate security 
      checks, potentially allowing access to objects that should have 
      been protected.

    - DTMLMethods with proxy rights could incorrectly transfer those 
      rights via acquisition when traversing to a parent object.



=== Zope/lib/python/OFS/Application.py 1.191.2.7 => 1.191.2.8 ===
--- Zope/lib/python/OFS/Application.py:1.191.2.7	Sat Dec 20 13:10:41 2003
+++ Zope/lib/python/OFS/Application.py	Thu Jan  8 18:33:47 2004
@@ -22,6 +22,7 @@
 from App.ApplicationManager import ApplicationManager
 from webdav.NullResource import NullResource
 from FindSupport import FindSupport
+from cgi import escape
 from urllib import quote
 from StringIO import StringIO
 from AccessControl.PermissionRole import PermissionRole
@@ -122,8 +123,8 @@
         """Returns an HTML fragment that displays the 'powered by zope'
         button along with a link to the Zope site."""
         return '<a href="http://www.zope.org/Credits" target="_top"><img ' \
-               'src="%s/p_/ZopeButton" width="115" height="50" ' \
-               'border="0" alt="Powered by Zope" /></a>' % self.REQUEST.BASE1
+               'src="%s/p_/ZopeButton" width="115" height="50" border="0" ' \
+               'alt="Powered by Zope" /></a>' % escape(self.REQUEST.BASE1, 1)
 
 
     def DELETE(self, REQUEST, RESPONSE):


=== Zope/lib/python/OFS/CopySupport.py 1.85.2.4 => 1.85.2.5 ===
--- Zope/lib/python/OFS/CopySupport.py:1.85.2.4	Thu Jan  8 04:05:10 2004
+++ Zope/lib/python/OFS/CopySupport.py	Thu Jan  8 18:33:47 2004
@@ -23,6 +23,7 @@
 from Acquisition import aq_base, aq_inner, aq_parent
 from zExceptions import Unauthorized, BadRequest
 from webdav.Lockable import ResourceLockedError
+from cgi import escape
 
 CopyError='Copy Error'
 
@@ -73,7 +74,7 @@
                 raise ResourceLockedError, 'Object "%s" is locked via WebDAV' % ob.getId()
 
             if not ob.cb_isMoveable():
-                raise CopyError, eNotSupported % id
+                raise CopyError, eNotSupported % escape(id)
             m=Moniker.Moniker(ob)
             oblist.append(m.dump())
         cp=(1, oblist)
@@ -98,7 +99,7 @@
         for id in ids:
             ob=self._getOb(id)
             if not ob.cb_isCopyable():
-                raise CopyError, eNotSupported % id
+                raise CopyError, eNotSupported % escape(id)
             m=Moniker.Moniker(ob)
             oblist.append(m.dump())
         cp=(0, oblist)
@@ -157,7 +158,7 @@
             # Copy operation
             for ob in oblist:
                 if not ob.cb_isCopyable():
-                    raise CopyError, eNotSupported % ob.getId()
+                    raise CopyError, eNotSupported % escape(ob.getId())
                 try:    ob._notifyOfCopyTo(self, op=0)
                 except: raise CopyError, MessageDialog(
                     title='Copy Error',
@@ -182,7 +183,7 @@
             for ob in oblist:
                 id=ob.getId()
                 if not ob.cb_isMoveable():
-                    raise CopyError, eNotSupported % id
+                    raise CopyError, eNotSupported % escape(id)
                 try:    ob._notifyOfCopyTo(self, op=1)
                 except: raise CopyError, MessageDialog(
                     title='Move Error',
@@ -242,7 +243,7 @@
         if ob.wl_isLocked():
             raise ResourceLockedError, 'Object "%s" is locked via WebDAV' % ob.getId()
         if not ob.cb_isMoveable():
-            raise CopyError, eNotSupported % id
+            raise CopyError, eNotSupported % escape(id)
         self._verifyObjectPaste(ob)
         try:    ob._notifyOfCopyTo(self, op=1)
         except: raise CopyError, MessageDialog(
@@ -269,7 +270,7 @@
     def manage_clone(self, ob, id, REQUEST=None):
         # Clone an object, creating a new object with the given id.
         if not ob.cb_isCopyable():
-            raise CopyError, eNotSupported % ob.getId()
+            raise CopyError, eNotSupported % escape(ob.getId())
         try: self._checkId(id)
         except: raise CopyError, MessageDialog(
                       title='Invalid Id',
@@ -510,11 +511,11 @@
 fMessageDialog=Globals.HTML("""
 <HTML>
 <HEAD>
-<TITLE><dtml-var title></TITLE>
+<TITLE>&dtml-title;</TITLE>
 </HEAD>
 <BODY BGCOLOR="#FFFFFF">
-<FORM ACTION="<dtml-var action>" METHOD="GET" <dtml-if
- target>TARGET="<dtml-var target>"</dtml-if>>
+<FORM ACTION="&dtml-action;" METHOD="GET" <dtml-if
+ target>TARGET="&dtml-target;"</dtml-if>>
 <TABLE BORDER="0" WIDTH="100%%" CELLPADDING="10">
 <TR>
   <TD VALIGN="TOP">


=== Zope/lib/python/OFS/DTMLDocument.py 1.48.68.2 => 1.48.68.3 ===
--- Zope/lib/python/OFS/DTMLDocument.py:1.48.68.2	Mon Jul 21 12:35:34 2003
+++ Zope/lib/python/OFS/DTMLDocument.py	Thu Jan  8 18:33:47 2004
@@ -45,16 +45,11 @@
         PropertyManager.manage_options +
         DTMLMethod.manage_options[2:]
         )
-
+    
+    ps = DTMLMethod.__ac_permissions__
     __ac_permissions__=(
-        ('Change DTML Documents',
-         ('manage_editForm', 'manage', 'manage_main',
-          'manage_edit', 'manage_upload', 'PUT',
-          'manage_historyCopy',
-          'manage_beforeHistoryCopy', 'manage_afterHistoryCopy',
-          )
-         ),
-        )
+        ps[0], ('Change DTML Documents', ps[1][1]), ps[2], ps[3], ps[4])
+    del ps
 
     def manage_edit(self,data,title,SUBMIT='Change',dtpref_cols='100%',
                     dtpref_rows='20',REQUEST=None):


=== Zope/lib/python/OFS/DTMLMethod.py 1.80.44.3 => 1.80.44.4 ===
--- Zope/lib/python/OFS/DTMLMethod.py:1.80.44.3	Mon Nov 17 17:34:07 2003
+++ Zope/lib/python/OFS/DTMLMethod.py	Thu Jan  8 18:33:47 2004
@@ -73,6 +73,7 @@
         +Cacheable.manage_options
         )
 
+    # Careful in changes--used by DTMLDocument!
     __ac_permissions__=(
     ('View management screens',
      ('document_src', 'PrincipiaSearchSource')),


=== Zope/lib/python/OFS/FindSupport.py 1.31.68.1 => 1.31.68.2 ===
--- Zope/lib/python/OFS/FindSupport.py:1.31.68.1	Thu Aug 28 04:26:53 2003
+++ Zope/lib/python/OFS/FindSupport.py	Thu Jan  8 18:33:47 2004
@@ -22,6 +22,7 @@
 from DateTime import DateTime
 from string import translate
 from AccessControl.DTML import RestrictedDTML
+from AccessControl import ClassSecurityInfo
 
 class FindSupport(ExtensionClass.Base):
     """Find support for Zope Folders"""
@@ -48,6 +49,9 @@
          'help':('OFSP','Find.stx')},
         )
 
+    security = ClassSecurityInfo()
+
+    security.declareProtected('View management screens', 'ZopeFind')
     def ZopeFind(self, obj, obj_ids=None, obj_metatypes=None,
                  obj_searchterm=None, obj_expr=None,
                  obj_mtime=None, obj_mspec=None,
@@ -148,9 +152,10 @@
 
 
 
-
+    security.declareProtected('View management screens', 'PrincipiaFind')
     PrincipiaFind=ZopeFind
 
+    security.declareProtected('View management screens', 'ZopeFindAndApply')
     def ZopeFindAndApply(self, obj, obj_ids=None, obj_metatypes=None,
                          obj_searchterm=None, obj_expr=None,
                          obj_mtime=None, obj_mspec=None,
@@ -296,7 +301,7 @@
     return 1
 
 
-Globals.default__class_init__(FindSupport)
+Globals.InitializeClass(FindSupport)
 
 # Helper functions
 


=== Zope/lib/python/OFS/PropertyManager.py 1.52.2.3 => 1.52.2.4 ===
--- Zope/lib/python/OFS/PropertyManager.py:1.52.2.3	Mon Nov 17 17:34:07 2003
+++ Zope/lib/python/OFS/PropertyManager.py	Thu Jan  8 18:33:47 2004
@@ -23,7 +23,7 @@
 from Globals import Persistent
 from zExceptions import BadRequest
 from cgi import escape
-
+from types import ListType
 
 
 class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
@@ -157,6 +157,8 @@
 
     def _setPropValue(self, id, value):
         self._wrapperCheck(value)
+        if type(value) == ListType:
+            value = tuple(value)
         setattr(self,id,value)
 
     def _delPropValue(self, id):
@@ -337,7 +339,7 @@
             if (not 'd' in propdict[id].get('mode', 'wd')) or (id in nd):
                 return MessageDialog(
                 title  ='Cannot delete %s' % id,
-                message='The property <em>%s</em> cannot be deleted.' % id,
+                message='The property <em>%s</em> cannot be deleted.' % escape(id),
                 action ='manage_propertiesForm')
             self._delProperty(id)
 


=== Zope/lib/python/OFS/PropertySheets.py 1.89.4.3 => 1.89.4.4 ===
--- Zope/lib/python/OFS/PropertySheets.py:1.89.4.3	Mon Nov 17 17:34:07 2003
+++ Zope/lib/python/OFS/PropertySheets.py	Thu Jan  8 18:33:47 2004
@@ -15,7 +15,7 @@
 
 __version__='$Revision$'[11:-2]
 
-import time,  App.Management, Globals
+import time,  App.Management, Globals, sys
 from webdav.WriteLockInterface import WriteLockInterface
 from ZPublisher.Converters import type_converters
 from Globals import DTMLFile, MessageDialog
@@ -30,7 +30,7 @@
 from webdav.common import isDavCollection
 from zExceptions import BadRequest, Redirect
 from cgi import escape
-
+from types import ListType
 
 # DM: we would like to import this from somewhere
 BadRequestException= 'Bad Request'
@@ -214,6 +214,10 @@
             prop['select_variable']=value
             if type=='selection': value=None
             else: value=[]
+
+        # bleah - can't change kw name in api, so use ugly workaround.
+        if sys.modules['__builtin__'].type(value) == ListType:
+            value = tuple(value)
         setattr(self, id, value)
 
     def _updateProperty(self, id, value, meta=None):
@@ -238,6 +242,9 @@
                 if prop['id']==id: prop['meta']=meta
                 props.append(prop)
             pself._properties=tuple(props)
+
+        if type(value) == ListType:
+            value = tuple(value)
         setattr(self.v_self(), id, value)
 
     def _delProperty(self, id):




More information about the Zope-Checkins mailing list