[Zope-dev] post security update analysis

Jamie Heilman jamie at audible.transient.net
Sat Jan 17 07:20:34 EST 2004


Now that we've reached closure on some of the outstanding security
issues in Zope there's a lot of stuff in the Collector that needs to
be revisited...

Brian Lloyd wrote:
>   - For loops, list comprehensions, and other iterations in untrusted code
>   - List and dictionary instance methods in untrusted code
>   - Use of  import as  in untrusted code
>   - Use of min, max, enumerate, iter, and sum in untrusted code
>   - Broken binding validation in untrusted code
>   - Unpacking in untrusted code
>   - PythonScript class security not initialized properly
>   - PropertyManager 'lines' and 'tokens' properties stored as list
>   - Configuration file did not override security policy selection

AFAIK there weren't any public bugs related to these problems, except
for maybe issue #28 which can probably be taken out of deferred status
and placed into resolved now.

>   - Unicode passed to RESPONSE.write() could shutdown process

I could have sworn there was a bug report related to this but I can't
find it now.

>   - XML-RPC instance marshaling may disclose protected values

issue #410. I can't comment on the effectiveness of this solution; I
removed XML-RPC from my tree ages ago. I am curious if anyone has a
test-case/exploit for this issue though.

>   - DTML tag dtml-tree may allow DoS attack

issue #604 can be marked resolved now

>   - Potential cross-site scripting problem in default ZSearch interface

issue #734 can be marked resolved now

>   - Proxy rights on DTMLMethods transferred via acquisition

I believe this means issue #743 and issue #977 can be resolved now.
Actually, #977 already was rejected IIRC but it's never been marked as
public, which is rather irritating.

>   - Improper security assertions on DTMLDocument objects

probably fixes issue #865, but because Zope-HEAD doesn't actually run
right now, due to a myriad of other bugs, I actually haven't tested it.

>   - Inadequate security assertions on admin "find" functions

issue #1000 can be marked resolved now

The patchset for 813's XSS issues seems to have been partially
applied.  I still need to update my patch against HEAD for the XSS
holes that haven't been closed.  I'll post an update to the collector
when it's ready.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
						-Sathington Willoughby