[Zope] XML-RPC, self and security

Jim Fulton jim@digicool.com
Wed, 01 Sep 1999 10:53:39 -0400


Eric Kidd wrote:
> 
> I discovered a potential problem with ZPublisher, External Methods and Zope
> XML-RPC. Let's say you write an external method in Python, and you want to
> call it via XML-RPC.
> 
> To make life more interesting, pretend you need access to 'self'.
> If you call an external method from ZPublisher (instead of calling it from
> DTML), you can't specify 'self' as your first parameter. Instead, you must
> specify it as your last parameter.
> 
> Unfortunately, the user can pass a bogus 'self' parameter to your Python
> method, and possibly subvert any security checks you've provided (many such
> checks rely on 'self' in some fashion).
> 
> Short Term Workaround
> ---------------------
> 
> Access an attribute on self. Since no XML-RPC data types seem to support
> attributes, this should provide a small measure of security.
> 
>   def deliverNews(foo, self):
>       # CAREFUL - Zope is sloppy about passing 'self' to external methods.
>       # ZPublisher will only pass you a self argument if you leave an extra
>       # parameter at the end of your parameter list and call it 'self'.
>       # Unfortunately, a sneaky user could pass one extra parameter when
>       # calling this function and give us a bogus value of self. To prevent
>       # problems, we must double-check that self isn't some sort of XML-RPC
>       # object. We can do that by accessing an attribute.
>       REQUEST = self.REQUEST
>       return foo
> 
> Possible Fix?
> -------------
> 
> ZPublisher should probably work more like DTML rendering. In particular, it
> should check for a first parameter named 'self' and pass an appropriate
> object. Would this break something else in a complicated fashion?

I just checked in a fix exactly along these lines.  It will be in 2.0 final.

It shouldn't break anything that doesn't already need to be broken. ;)

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!        
Technical Director   (888) 344-4332            http://www.python.org  
Digital Creations    http://www.digicool.com   http://www.zope.org    

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list without my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
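To make the binding problem in the thread concrete, here is an added simulation (my own code, not ZPublisher's) of the two argument-mapping rules: the pre-fix rule where a trailing parameter named 'self' is filled from the object only if the caller left it out, and the post-fix rule Jim describes where a leading 'self' is reserved and always bound by the publisher. `ZopeObject`, `publish_trailing_self` and `publish_leading_self` are assumed stand-ins; the bogus `self` is an XML-RPC struct, which arrives as a plain dict.

```python
import inspect


class ZopeObject:
    """Constructed stand-in for the Zope object an external method is bound to."""

    def __init__(self, user):
        self.REQUEST = {"AUTHENTICATED_USER": user}


def deliver_news_trailing(foo, self):
    # Pre-fix convention from the thread: 'self' must be the last parameter.
    # Reports whether the publisher bound the real object or a caller value.
    return foo, "real" if isinstance(self, ZopeObject) else "bogus"


def deliver_news_leading(self, foo):
    # Post-fix convention: 'self' is the first parameter, like a DTML call.
    return foo, "real" if isinstance(self, ZopeObject) else "bogus"


def publish_trailing_self(func, context, params):
    """Assumed model of the pre-fix binding: positional XML-RPC params fill the
    signature left to right, and a trailing 'self' gets the context only when
    the caller left it out. One extra caller param therefore lands in 'self'."""
    names = list(inspect.signature(func).parameters)
    args = list(params)
    if names and names[-1] == "self" and len(args) == len(names) - 1:
        args.append(context)
    return func(*args)


def publish_leading_self(func, context, params):
    """Assumed model of the fix: a leading 'self' is reserved, always bound by
    the publisher, and never counted against the caller-supplied params."""
    names = list(inspect.signature(func).parameters)
    reserved = bool(names) and names[0] == "self"
    expected = len(names) - (1 if reserved else 0)
    if len(params) != expected:
        raise TypeError(f"{func.__name__} expects {expected} params, got {len(params)}")
    return func(*(([context] if reserved else []) + list(params)))


def call_rejected(publisher, func, context, params):
    """True if the publisher refuses the call outright (TypeError)."""
    try:
        publisher(func, context, params)
    except TypeError:
        return True
    return False
```

With the trailing-'self' rule a second positional param replaces the object, which is exactly why the workaround in the post probes `self.REQUEST` (a struct-turned-dict has no such attribute); with the leading-'self' rule the extra param is a plain arity error.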