[Zope] XML-RPC, self and security

Eric Kidd eric.kidd@pobox.com
Tue, 31 Aug 1999 19:59:54 -0400


I discovered a potential problem with ZPublisher, External Methods and Zope
XML-RPC. Let's say you write an external method in Python, and you want to
call it via XML-RPC.

To make life more interesting, pretend you need access to 'self'.
If you call an external method from ZPublisher (instead of calling it from
DTML), you can't specify 'self' as your first parameter. Instead, you must
specify it as your last parameter.

Unfortunately, the user can pass a bogus 'self' parameter to your Python
method, and possibly subvert any security checks you've provided (many such
checks rely on 'self' in some fashion).

Short Term Workaround
---------------------

Access an attribute on self. Since no XML-RPC data types seem to support
attributes, this should provide a small measure of security.

  def deliverNews(foo, self):
      # CAREFUL - Zope is sloppy about passing 'self' to external methods.
      # ZPublisher will only pass you a self argument if you leave an extra
      # parameter at the end of your parameter list and call it 'self'.
      # Unfortunately, a sneaky user could pass one extra parameter when
      # calling this function and give us a bogus value of self. To prevent
      # problems, we must double-check that self isn't some sort of XML-RPC
      # object. We can do that by accessing an attribute.
      REQUEST = self.REQUEST
      return foo

Possible Fix?
-------------

ZPublisher should probably work more like DTML rendering. In particular, it
should check for a first parameter named 'self' and pass an appropriate
object. Would this break something else in a complicated fashion?

Cheers,
Eric
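As an added illustration (not part of the post above, and not Zope's own code), the following Python models the two dispatch behaviours the post contrasts: a trailing 'self' that the caller can fill in, and a leading 'self' that only the publisher binds. `publish_trailing_self`, `publish_leading_self`, `ZopeContext`, `is_real_self` and the sample argument values are all constructed stand-ins; the isinstance test in `is_real_self` is an assumed extra layer on top of the attribute check the post proposes, and ZPublisher's real internals are not reproduced.

```python
import inspect


class ZopeContext:
    """Constructed stand-in for the object Zope hands an external method as 'self'."""

    def __init__(self, user):
        # A real Zope object carries REQUEST (among much else); an argument that
        # arrived over XML-RPC decodes to int/str/list/dict and never does.
        self.REQUEST = {"AUTHENTICATED_USER": user}


def is_real_self(obj):
    """The post's workaround made explicit: touching an attribute fails on any
    XML-RPC data type. The isinstance check is an assumed, stricter layer (in
    Zope you would test against a known base class)."""
    return isinstance(obj, ZopeContext) and hasattr(obj, "REQUEST")


def publish_trailing_self(method, caller_args, context):
    """Hypothetical model of the dispatch the post describes: 'self' is the LAST
    parameter and is filled in only when the caller left it empty, so one
    surplus positional value from the caller lands in 'self' unchecked."""
    params = list(inspect.signature(method).parameters)
    args = list(caller_args)
    if params and params[-1] == "self" and len(args) < len(params):
        args.append(context)
    return method(*args)


def publish_leading_self(method, caller_args, context):
    """Hypothetical model of the fix the post proposes: as in DTML rendering, a
    FIRST parameter named 'self' is always bound by the publisher and never
    from caller data; surplus caller arguments simply raise TypeError."""
    params = list(inspect.signature(method).parameters)
    args = list(caller_args)
    if params and params[0] == "self":
        args.insert(0, context)
    return method(*args)


def deliver_news_unguarded(foo, self):
    # Trusts whatever landed in 'self'.
    return self.REQUEST["AUTHENTICATED_USER"]


def deliver_news_guarded(foo, self):
    # The workaround: refuse anything that is not a genuine Zope object, with a
    # clear error instead of an incidental AttributeError.
    if not is_real_self(self):
        raise TypeError("bogus 'self' supplied by the caller")
    return self.REQUEST["AUTHENTICATED_USER"]


def deliver_news_fixed(self, foo):
    # With the publisher binding 'self' first, the method body needs no check.
    return self.REQUEST["AUTHENTICATED_USER"]


def call_rejected(publisher, method, caller_args, context):
    """Return True if the publisher/method pair refuses the call with TypeError."""
    try:
        publisher(method, caller_args, context)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    ctx = ZopeContext("alice")  # constructed sample context
    print(publish_trailing_self(deliver_news_guarded, ["hello"], ctx))
    print(publish_leading_self(deliver_news_fixed, ["hello"], ctx))
```

The trailing-'self' model shows why the workaround is needed: the caller's argument count, not the publisher, decides what ends up in 'self'. The leading-'self' model shows why the proposed fix removes the check from every method body at once: 'self' is bound before caller data is consulted, and a surplus argument is a plain arity error.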