[Zope] protecting users from hostile authors

Bill Anderson bill@immosys.com
26 Aug 2001 07:08:33 -0600


On Sun, 2001-08-26 at 06:32, Kyler B. Laird wrote:
> 
> On Sun, 26 Aug 2001 00:15:16 +0200 (CEST) you wrote:
> >Kyler B. Laird writes:
> > > Looking around on Zope.org, I realized that this
> > > might already be addressed.  Is there anything
> > > that prevents me (as a Zope community member
> > > with authoring privileges on zope.org) from 
> > > luring users who have already authenticated with
> > > Zope.org to come look at my pages, and then
> > > running arbitrary commands with their
> > > privileges?
> >Starting with Zope 2.2, the effective permissions are the
> >intersection of that of the current user and that of the
> >executable's owner. That implies, the authors cannot do
> >things by hijacking visitors.
> 
> O.k., I appreciate that (lots!).  However, I do not see
> what is stopping me from doing something nasty like...
> 
> 	1.	Lure you to my page.
> 
> 	2.	Check to see that you are authenticated.
> 		(My page wouldn't require it.)
> 
> 	3.	If you are, grab your user name.
> 
> 	4.	Create a URL for a Bad Thing (something with
> 		"manage_" in it pointed at your folder).
> 
> 	5.	Generate a 1x1 (or whatever) <img> tag with
> 		that URL as the src value.
> 
> I haven't tried this, but even if it does not work now,
> I wonder what policy prevents it (and ensures it will
> not work in future versions).

The policy that prevents it is the one that was told to you. *YOUR*
content can only do what *you* have permission to do, period. The user
browsing your stuff is 'executed' as *you*, not the user. Therefore, you
could not do manage_<anything> that you did not already possess the
capability to do. Period. If you already have that power, it is
irrelevant.

> Any clever thoughts?

The pre-existing Zope security machinery. Do a search on the Archives,
and you will see all the raw details.

Cheers, 
Bill
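The 1x1 `<img>` in Kyler's step 5 makes the visitor's browser issue a plain GET to the `manage_` URL, carrying whatever credentials the browser already holds for the site. The check below is an added example for this thread, not Zope's code and not part of either message: it gates `manage_` URLs behind POST, a same-site Origin/Referer, and a per-session token, and shows why the same-site test alone does not help when the author's page is hosted on the same server. The host name, `manage_doSomething`, the token value and the `Request` type are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_HOST = "zope.example.org"   # constructed: the host both the victim and the author's page live on

@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def is_management_request(url: str) -> bool:
    """Treat any URL whose last path segment starts with 'manage_' as state-changing."""
    last = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    return last.startswith("manage_")

def same_site(headers: dict) -> bool:
    """True when Origin (or, failing that, Referer) names this site."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and urlsplit(src).hostname == SITE_HOST

def allow_management(req: Request, session_token: str) -> bool:
    """Gate manage_ URLs: POST only, from this site, with the session's own token.
    The hostile author's page is on the same site, so same_site() alone would pass
    the lured request; the method check and the per-session token are what stop it."""
    if not is_management_request(req.url):
        return True                       # ordinary page views are not gated
    if req.method != "POST":
        return False                      # an <img src=...> can only issue a GET
    if not same_site(req.headers):
        return False
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, session_token)   # constant-time compare

if __name__ == "__main__":
    TOKEN = "constructed-session-token"   # would be minted per login and kept server-side
    # Constructed: what the visitor's browser sends when it renders the author's 1x1 image.
    lured = Request("GET", "https://zope.example.org/victim/manage_doSomething?x=1",
                    {"Referer": "https://zope.example.org/authors/hostile/page"})
    # Constructed: the visitor's own management form submission.
    legit = Request("POST", "https://zope.example.org/victim/manage_doSomething",
                    {"Origin": "https://zope.example.org"}, {"csrf_token": TOKEN})
    print(allow_management(lured, TOKEN), allow_management(legit, TOKEN))   # False True
```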