[Zope-dev] Re: vulnerability in zope 2.10.4

Tres Seaver tseaver at palladion.com
Wed Jul 11 20:50:56 EDT 2007



Andreas Zeidler wrote:
> hi,
> 
> imho i've found a vulnerability in zope 2.10.4 or rather in the newer
> version of five (1.5.5) used by it.  in `Five/browser/
> pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used to
> instantiate the page template engine used by five templates, or at
> least this is what i think it does.  the problem with this is that  
> `trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`)  
> gets used to traverse path-expressions using `unrestrictedTraverse`  
> (line 100), which means that i can access say the title of an  
> otherwise private object with a simple
> "obj/Title".
> 
> i ran into this when one of my doctests[1] failed after upgrading  
> from zope 2.10.3 to 2.10.4, because it could now access the title,  
> even though permissions are explicitly set up beforehand to prevent  
> this.  using `createZopeEngine` instead of `createTrustedZopeEngine`  
> didn't help with the test, unfortunately, since this would then raise  
> an `Unauthorized` right away when rendering the `folder_contents`  
> view.  however, if i defer resetting the roles of the test user to  
> just before the "click" on 'Delete' (line 35 in the test), the test  
> works again...
> 
> i've also just verified this ttw by creating a simple five view and a  
> "file" object.  i can successfully access the "title" attribute using  
> the view, even though "view" and "access contents information"  
> permissions are set up so only the "manager" role can access the  
> object.  dropping in zope 2.10.3 things work as expected, that is an  
> `Unauthorized` exception is raised.
> 
> so, unless i'm completely wrong here, i'd say this is a pretty
> serious security hole, no?

No.  It has been an accident that, until just recently, the
filesystem-based templates in a Five view were running as "untrusted"
code.  Five's security model is designed around protecting access to the
*view*, but then trusting the view author to do the Right Thing.

This is similar to the trust Zope places in filesystem-based code:
within a method of a filesystem-based class (or a module-scope function),
the developer can use whatever methods or attributes she likes.  So, for
instance, it is possible for the author of the view class to write
methods which expose "private" attributes to the view's template, for
instance (and has been since before Five was added to Zope).

The model you have in mind governs "untrusted" (through-the-web) code,
whether ZPT, DTML, or Python Script, and isn't relevant to Five views.



Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
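The distinction the thread turns on, modelled as an added example (this is not Zope or Five code): a toy path traversal where the "trusted" policy skips permission checks the way `unrestrictedTraverse` does, the "restricted" policy checks each step, and the view itself is guarded independently of the engine. The `Content`, `traverse`, `render_view` and `demo` names, the role sets and the sample object are all constructed for the illustration.

```python
class Unauthorized(Exception):
    """Raised when the requesting user lacks the needed permission."""


class Content:
    """Constructed content object: attribute values plus the roles allowed to read each."""
    def __init__(self, attrs, allowed):
        self.attrs = attrs      # name -> value or child Content
        self.allowed = allowed  # name -> set of roles permitted to read it


def traverse(root, path, roles, trusted):
    """Resolve a '/'-separated path such as 'obj/Title' from root.

    trusted=True mirrors unrestrictedTraverse: no permission checks at all.
    trusted=False mirrors restrictedTraverse: every step is checked against
    the caller's roles and raises Unauthorized on a miss.
    """
    node = root
    for step in path.split("/"):
        permitted = node.allowed.get(step, set())
        if not trusted and not (roles & permitted):
            raise Unauthorized(f"{step!r} requires one of {sorted(permitted)}")
        node = node.attrs[step]
    return node


def render_view(root, path, roles, view_allowed, trusted):
    """Model of Five's guard: access to the *view* is permission-checked;
    inside it, the template's path expressions run under the chosen policy."""
    if not (roles & view_allowed):
        raise Unauthorized("view")
    return traverse(root, path, roles, trusted)


# Constructed sample: a 'file' whose Title only Managers may read.
ROOT = Content(
    attrs={"obj": Content(attrs={"Title": "secret"}, allowed={"Title": {"Manager"}})},
    allowed={"obj": {"Manager", "Member"}},
)


def demo():
    """Render 'obj/Title' for two users under both policies, plus a Manager-only view."""
    cases = {
        "manager/trusted": ({"Manager"}, {"Member", "Manager"}, True),
        "manager/restricted": ({"Manager"}, {"Member", "Manager"}, False),
        "member/trusted": ({"Member"}, {"Member", "Manager"}, True),
        "member/restricted": ({"Member"}, {"Member", "Manager"}, False),
        "member/manager-only-view": ({"Member"}, {"Manager"}, True),
    }
    out = {}
    for label, (roles, view_allowed, trusted) in cases.items():
        try:
            out[label] = render_view(ROOT, "obj/Title", roles, view_allowed, trusted)
        except Unauthorized:
            out[label] = "Unauthorized"
    return out
```

The "member/trusted" case reproduces what the original poster saw on 2.10.4 (the private Title is readable through the view), "member/restricted" reproduces 2.10.3, and "member/manager-only-view" shows the check Five actually relies on: the view permission is enforced regardless of which engine the template uses.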