[Zope] Security Problems?

Tino Wildenhain tino@wildenhain.de
Wed, 09 May 2001 16:50:04 +0200


Hi Phil,

that's not a bug, it's a feature :-)

You need
__allow_access_to_unprotected_subobjects__=1

somewhere in your class

Regards
Tino Wildenhain

--On Mittwoch, 9. Mai 2001 15:08 +0100 Phil Harris <phil.harris@zope.co.uk> 
wrote:

>
> All,
>
> I've got a sneaking suspicion that there are some security problems in
> Zope 2.3.x.
> I've been trying to make a simple testcase and would like other (better)
> minds than mine to look at it.
> I have an external method which looks like:
>
> class c:
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> def t(self):
>     retval=[]
>     for a in range(1,10):
>         retval.append(c(a))
>     return retval
>
>
> The class 'c' is a very simple class, it has no methods and only two
> attributes/properties 'score' and 'test'.
> The external method 't' is also very simple, it just returns an array of
> class 'c'.
> The dtml-method I'm using to access this array is as follows:
>
> <dtml-var standard_html_header>
> <dtml-in t>
>   <dtml-var "_['sequence-item'].score">
> </dtml-in>
> <dtml-var standard_html_footer>
>
> Nothing earth-shattering there either.
>
> BUT, I get an unauthorized error raised with this traceback whenever I
> run this dtml-method:
> (note that an authentication login box is presented but NO user name is
> able to authenticate)
> Traceback (innermost last):
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
>   File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
>     (Object: t)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
>     (Object: _['sequence-item'].score)
>     (Info: _)
>   File <string>, line 0, in ?
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
>   File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
>   File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
> Unauthorized: score
>
>
> All of this is run on a bog standard install of Zope 2.3.2 with no other
> products installed, no security changes done, REALLY bog standard.
>
> Anyone got any ideas?
>
> Cos this is doin my f'in ed in man?!?!?!?!?!?
>
> Phil
> phil.harris@zope.co.uk
>
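The following is an added illustration, not code from either message above or from Zope itself. It models, in plain Python with no Zope import, the fall-back branch that ZopeSecurityPolicy.validate takes when DTML reads an attribute that carries no __roles__ of its own: the container is asked for __allow_access_to_unprotected_subobjects__, and a missing or false value yields Unauthorized, which is the "Unauthorized: score" in Phil's traceback. The helper names (careful_getattr, render_scores, probe) and the stand-in Unauthorized class are constructed for this example; the attribute name and its three accepted forms (int flag, dict keyed by attribute name, callable taking name and value) follow Zope's documented behaviour. Phil's class is shown three ways: as posted, with Tino's flag set to 1, and with a dict that exposes only 'score' so that 'test' stays protected.

```python
# Added example (not from the original thread): a simplified, Zope-free model
# of the "unprotected subobject" check in ZopeSecurityPolicy.validate.
# Real Zope also consults "<name>__roles__" on the container and runs a full
# role check when __roles__ is present; that path is omitted here on purpose.


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (constructed for this example)."""


def _unprotected_subobject_allowed(container, name, value):
    """Fall-back branch taken when the accessed value has no __roles__.

    Returns True only when the container explicitly opts the attribute in
    through __allow_access_to_unprotected_subobjects__.
    """
    p = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
    if p is None:
        return False                 # nothing declared: deny (Phil's case)
    if isinstance(p, dict):
        return bool(p.get(name, 0))  # per-attribute allow list
    if callable(p):
        return bool(p(name, value))  # policy function decides per access
    return bool(p)                   # plain int flag: 1 opens every attribute


def careful_getattr(container, name):
    """Model of DTML attribute access: fetch the value, then validate it."""
    value = getattr(container, name)
    roles = getattr(value, '__roles__', None)
    if roles is None and not _unprotected_subobject_allowed(container, name, value):
        raise Unauthorized(name)
    return value


class c:
    """Phil's class as posted: no opt-in, so DTML access is refused."""
    def __init__(self, a):
        self.score = a
        self.test = a * a


class c_open(c):
    """Tino's fix: opens every attribute of the instance to DTML code."""
    __allow_access_to_unprotected_subobjects__ = 1


class c_scoped(c):
    """Narrower variant: only 'score' is exposed; 'test' stays denied."""
    __allow_access_to_unprotected_subobjects__ = {'score': 1}


def t(cls=c):
    """Phil's external method, parameterised on the class for the demo."""
    return [cls(a) for a in range(1, 10)]


def render_scores(cls):
    """Model of the <dtml-in t> loop reading _['sequence-item'].score.

    Returns the list of scores, or the 'Unauthorized: <name>' text that the
    DTML method would raise instead.
    """
    try:
        return [careful_getattr(item, 'score') for item in t(cls)]
    except Unauthorized as e:
        return 'Unauthorized: %s' % e


def probe(cls, name):
    """Report whether DTML could read attribute `name` on an instance of cls."""
    try:
        careful_getattr(cls(3), name)
        return 'allowed'
    except Unauthorized:
        return 'denied'


if __name__ == '__main__':
    for cls in (c, c_open, c_scoped):
        print(cls.__name__, render_scores(cls),
              'test:', probe(cls, 'test'))
```

The int form is the one-line fix from the reply, but it exposes every attribute of the instance, including anything added later. The dict (or callable) form keeps the exposure to the attributes the template actually needs, which is the safer default when the class grows.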