[Zope-dev] Help Securing new ftpFolder product.

Tim Ansell mithro@mithis.com
28 Feb 2002 20:57:35 +1030


Hi 

I'm currently developing a product called "ftpFolder". This product is
designed to make Zope easier to use with webDAV and ftp. It tackles a
few common problems that occur when using these tools to edit Zope.

Firstly Zope prefers to have no extension on the files it stores, this
breaks alot of Windows programs (such as Web Folder and Dreamweaver).
The ftpFolder tackles this problem by providing a "virtual mapping" onto
the real zope tree. In the virtual mapping the objects gain extensions.
This mapping is accessed through 'cd'ing into a virtualFTP object found
in the FtpFolder.

For example

FtpFolder
  |
  + DTMLDocument
  + DTMLMethod
  + Image
  |
  + virtualFTP
      |
      + DTMLDocument.ddtml    <- This is the above DTMLDocument object
      + DTMLMethod.ddtml      <- This is the above DTMLMethod object
      + Image.jpeg            <- This is the above Image object

Extensions are provided using a mapping table and "plugins" which can
dynamic create the extension depending on contents. (ie the Image would
have a plugin to tell if it was a .jpeg or .gif or .png etc)

It does this by providing "virtualObjects" which map properties onto a
real object. I need a way to define the security so that the
virtualObject takes on the security of the real object it is wrapping.
One way that was suggested to me was to "copy" the security properties
from the real object to the virtualObject in __init__. Would this work?
If so what would i have to copy?


Another problem the ftpFolder solves is the lack of the ability to edit
Zope properties. It does this py providing a "virtualProperties" object
which acts as xml representation of the objects properties. This objects
appear in the virtualFTP folder as the <document>.prop and can be
uploaded and downloaded to access and change the documents properties.

This works well but i need help to make sure this doesn't open up any
security holes allowing unprivledged people from changing properties.


The final and most complex problem is that the ftpFolder allows you to
ftp into "versions objects". In the virtualFTP tree version objects
become "folderish", this allows people to 'cd' into them, and access the
the tree as if they where in that version. 

How this works is in 3 steps a "versionFolder" object is created to
"hold" the version. When anybody accesses the versionFolder is xml-rpc
calls a "do" method on the local zope with the correct headers to cause
the version to be entered. The "do" method then calls the correct method
on the object (because the methods don't have doc strings and can't be
called directly - plus REQUEST isn't picklable so can't be send across
xml-rpc).

versionFolder <- XML-rpc -> virtualObject.do <- function call with
"mapply" -> virtualObject.<function>

This might seem a horrible way to do it but it's the only way i have
found to do this. It works suprisingly well, the problem is that it's
horribly unsecure, i need help to secure this and the other problems.

The source can be found on sourceforge

cvs -z3
-d:pserver:anonymous@cvs.iiiserver.sourceforge.net:/cvsroot/iiiserver co
ftpFolder

If you are intrested in helping me, or can offer some suggestions could
you please email me (as well as the list if you feel it's approiate).

Hope to hear from you all soon.

Mithro



PS BEWARNED the source isn't exactly the kindest :(