[Zope] Nasty subtle security bug - Me Too

Brad Clements bkc@murkworks.com
Mon, 25 Sep 2000 15:23:33 -0400

On 25 Sep 2000, at 21:01, Martijn Faassen wrote:

> In Zope 2.2.2, the user cannot execute the external method E either.
> Instead, the calling DTML code raises a NameError, basically saying our
> external method does not exist.

> I'll also dump this description into the collector, but posted to the
> list because I like to complain. And who knows, perhaps someone else
> ran into the same.

I also get the same problem in a different way. I posted a note the other 
day about Login Manager and ownership generating NameError.

I thought it was a Login Manager thing. The results are about the same, 
I get a NameError accessing an External method from a DTML method 
when the current user has been authenticated using a Login manager 
protected sub folder of the root.

My fix, strangely enough, was to change the ownership of the DTML 
method that was making the call to the External Method. It was owned 
(somehow) by a user from Login Manager, rather than from the root 
acl_users folder.

Changing the ownership fixed the problem.

I didn't know who should look into this, Ty or DC, so I posted to the list. 
Unfortunately it looks like no one has responded. I don't have the brains 
to figure it out.

Brad Clements,                bkc@murkworks.com   (315)268-1000
http://www.murkworks.com                          (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com               AOL-IM: BKClements