[Zope] Security Problems?

Chris McDonough chrism@digicool.com
Wed, 9 May 2001 10:41:18 -0400

Hi Phil,

Defining classes in external methods is... an interesting experience.  I
don't recommend it.  It gets tricky because the file that external methods
are defined in isn't actually a Python module, so interpreting the behavior
is hard.

That said, the security chapter of the developer's guide goes in to this a
little (http://www.zope.org/Documentation/ZDG/Security.dtml).  The problem
is that the instances you're putting in the array don't have any security
declarations, therefore access to them is denied (raising the unauthorized).
The fix for this is to add security declarations to the class, e.g

from AccessControl import ClassSecurityInfo
from Globals import InitializeClass

class c:
    security = ClassSecurityInfo()
    def __init__(self,a):

def t(self):
    for a in range(1,10):
        inst = c(a)
        if not hasattr(
        InitializeClass(c) # its dumb to do this every time.
    return retval

If this doesn't work for some reason (setDefaultAccess was broken in at
least one Zope release), try to define the class c like so:

class c:
    __allow_access_to_unprotected_subobjects__ = 1
    def __init__(self,a):

----- Original Message -----
From: Phil Harris
To: zope@zope.org
Sent: Wednesday, May 09, 2001 10:08 AM
Subject: [Zope] Security Problems?


I've got a sneaking suspicion that there are some security problems in Zope

I've been trying to make a simple testcase and would like other (better)
minds than mine to look at it.

I have an external method which looks like:

class c:
    def __init__(self,a):

def t(self):
    for a in range(1,10):
    return retval

The class 'c' is a very simple class, it has no methods and only two
attributes/properties 'score' and 'test'.

The external method 't' is also very simple, it just returns an array of
class 'c'.

The dtml-method I'm using to access this array is as follows:

<dtml-var standard_html_header>
<dtml-in t>
  <dtml-var "_['sequence-item'].score">
<dtml-var standard_html_footer>

Nothing earth shattering there either.

BUT, I get an unauthorized error raised with this traceback whenever I run
this dtml-method:

(note that a authentication login box is presented but NO user name is able
to authenticate)

Traceback (innermost last):
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
  File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in
    (Object: t)
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
    (Object: _['sequence-item'].score)
    (Info: _)
  File &lt;string&gt;, line 0, in ?
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in
  File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in
  File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168,
in validate
Unauthorized: score

All of this is run on a bog standard install of Zope 2.3.2 with no other
products installed, no security changes done, REALLY bog standard.

Anyone got any ideas?

Cos this is doin my f'in ed in man?!?!?!?!?!?