[Zope] Security?

Goldthwaite, Joe joe at goldthwaites.com
Mon Dec 1 16:38:54 EST 2003


Thanks Casey,

The DefLines attribute of the ISLines object was a simple list.  I changed
the return from "return c" to "return c.DefLines" and then modified this;

 <p tal:replace="python:len(here.GetISLines().DefLines)"></p>

to this;

 <p tal:replace="python:len(here.GetISLines())"></p>

And I got my 75 line count in the Income Statement.  I'll try
creating a loop that displays the lines on the page.  I had gone through the
developer guide chapter on security but it's not making much sense yet.  I'm
going to see if I can access my line objects and I'll revisit the assertions
if it doesn't work.  (The line object has a method that returns a year to
date number and I suspect I'll get the unauthorized method when I try to
access it).

Thanks again - and thanks to everyone else who answered with help.


-----Original Message-----
From: Casey Duncan [mailto:casey at zope.com]
Sent: Monday, December 01, 2003 2:13 PM
To: joe at goldthwaites.com
Cc: zope at zope.org
Subject: Re: [Zope] Security?


These Unauthorized errors (login boxes) are caused by trying to access
objects from untrusted code that do not have any Zope security assertions on
them.

TTW code (Python Scripts, DTML and Page Templates), including skins on the
file system exposed through FS directory views, is untrusted code. They
execute using a restricted Python interpreter which prevents access to
arbitrary Python objects and modules that might represent a security hole
(and allow you to compromise the server).

There are two solutions to your problem:

1. Use trusted code, which includes external methods and Zope product
modules, and have them return simple types (strings, ints, etc.) or simple
containers (lists, dicts, tuples) containing simple types up to the template
that is rendering the page. Simple types are deemed safe for untrusted code
by default (along with some others, like DateTime objects).

2. Put security assertions on the objects used by untrusted code. This
usually requires you to subclass the objects, but not always. See the Zope
developers guide for details.

In most cases #1 is sufficient unless there are many places where it is
desirable for untrusted code to have access to the objects directly, in
which case use #2.

hth,

-Casey

On Mon, 1 Dec 2003 13:45:01 -0700
"Goldthwaite, Joe" <joe at goldthwaites.com> wrote:

> Well, I don't know if it's progress but I think my questions are getting
> more specific.
>
> I downloaded the mx.ODBC routines for Python 2.1.3.  I can now start the
> python interpreter in the WebSite\bin directory and type "import mx.ODBC"
> without getting an error.
>
> I next tried to create a limited python script;
>
> from Products.EIS import ISLines
> c = ISLines()
> return "c"
>
> I'm just returning the literal "c" on purpose because my page template can't
> handle the ISLines yet.  In my Income Statement ZPT I have this line;
>
> <p tal:replace="python:here.IncomeStatementScript()"></p>
>
> When I try to display the ZPT, I get the Zope logon dialog box.  I only have
> one login and it doesn't work so I just hit cancel and get "You are not
> allowed to access EIS in this context".  (I had placed the ISLines.py file
> in my Products/EIS directory.)
>
> After that, I decided to try external modules.  I added this wrapper
> function to my ISLines.py module;
>
> def GetISLines():
>    c = ISLines()
>    return "c"
>
> Again, I put the literal "c" there to make sure I was calling things
> correctly.  I moved the ISLines.py file to the Extensions directory and
> created a GetISLines external method referencing the new function in Zope
> root folder.   I tested it and got the "c" back.  Next, I put this line in
> my IncomeStatment ZPT;
>
> <p tal:replace="python:here.GetISLines()"></p>
>
> When I test it, I get the "c" back.  Interestingly, there was also a pause of
> about the amount of time it takes to run ISLines and build the Income
> Statement lines.  I thought I was almost there.  The next step was to return
> the actual object and print out the number of lines returned.  I modified
> the 'return "c"' line to 'return c'.  Now when I run it, I get "<? ISLines
> instance at 014879EC>" so I know I'm now returning my object.  Finally I try
> to reference my list of lines by printing the length like this;
>
> <p tal:replace="python:len(here.GetISLines().DefLines)"></p>
>
> DefLines is a list of income statement line objects. I go to refresh and I
> get the Logon dialog again!  #$%@ &@#% &^@$!!!!  Sorry, I don't usually use
> that kind of language but I seem to be shooting at the wrong target. It's no
> wonder I can't hit anything.
>
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
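Casey's option #1 above, as an added example that is not code from this thread or from Products.EIS: a trusted External Method body that flattens the ISLines result into lists and dicts of simple types before it reaches the template, plus a small check that mimics Zope's "simple types only" rule so the mistake is caught in plain Python instead of as a login box. The ISLines/ISLine classes, SAMPLE_ROWS and the ytd() method are constructed stand-ins for the poster's objects (the real ones come from an ODBC query); check_simple() is a local approximation of what restricted code may receive without security assertions, not Zope's own machinery.

```python
"""Return only simple types from trusted code to restricted (TTW) code.

Added example, not from the original thread.  The classes below are
constructed stand-ins for the poster's Products.EIS.ISLines objects, and
SIMPLE_* approximates the values Zope's restricted Python accepts without
security assertions (Zope additionally allows e.g. DateTime).
"""

# Values untrusted code may receive with no Zope security assertions
# (local approximation of Zope's defaults, not Zope's own list).
SIMPLE_SCALARS = (str, int, float, bool, type(None))
SIMPLE_CONTAINERS = (list, tuple, dict)


class Unsafe(TypeError):
    """Raised where a template would get Unauthorized on attribute access."""


def check_simple(value, path="result"):
    """Recursively verify that `value` consists only of simple types.

    Returns the value unchanged, or raises Unsafe naming the offending
    position so you can find it before the page template does.
    """
    if isinstance(value, SIMPLE_SCALARS):
        return value
    if isinstance(value, dict):
        for k, v in value.items():
            if not isinstance(k, (str, int)):
                raise Unsafe("%s: dict key %r is not a simple type" % (path, k))
            check_simple(v, "%s[%r]" % (path, k))
        return value
    if isinstance(value, (list, tuple)):
        for i, v in enumerate(value):
            check_simple(v, "%s[%d]" % (path, i))
        return value
    raise Unsafe("%s: %s instance is not a simple type; attribute access "
                 "from restricted code would raise Unauthorized"
                 % (path, type(value).__name__))


def is_simple(value):
    """Boolean form of check_simple for quick tests."""
    try:
        check_simple(value)
        return True
    except Unsafe:
        return False


# --- constructed stand-ins for the poster's product classes ------------------

class ISLine:
    """One income-statement line (stand-in): a label and 12 monthly amounts."""
    def __init__(self, label, monthly):
        self.label = label
        self.monthly = list(monthly)

    def ytd(self, through_month):
        """Year-to-date total through the given month (1-12)."""
        return sum(self.monthly[:through_month])


class ISLines:
    """Builds the DefLines list (stand-in; the real one queries ODBC)."""
    def __init__(self, rows):
        self.DefLines = [ISLine(label, amounts) for label, amounts in rows]


# Constructed sample data standing in for the ODBC result set.
SAMPLE_ROWS = [
    ("Revenue", [100.0] * 12),
    ("Cost of sales", [-60.0] * 12),
    ("Net income", [40.0] * 12),
]


# --- the External Method body --------------------------------------------------

def GetISLines(through_month=12, rows=SAMPLE_ROWS):
    """Trusted code: compute everything here and hand back simple types only.

    Each line becomes a dict of scalars, so a template can do
    len(here.GetISLines()), loop over the list, and read line['ytd']
    instead of calling a method on an instance it is not allowed to touch.
    """
    c = ISLines(rows)
    result = [
        {"label": line.label,
         "monthly": list(line.monthly),
         "ytd": line.ytd(through_month)}
        for line in c.DefLines
    ]
    return check_simple(result)


def GetISLinesUnsafe(rows=SAMPLE_ROWS):
    """What the original 'return c' did: hands an instance to untrusted code."""
    return ISLines(rows)


if __name__ == "__main__":
    lines = GetISLines(through_month=6)
    print(len(lines), "lines;", lines[0]["label"], "YTD", lines[0]["ytd"])
    print("return c        simple?", is_simple(GetISLinesUnsafe()))
    print("return DefLines simple?", is_simple(GetISLinesUnsafe().DefLines))
```

Note that `return c.DefLines` only passes len() because a list is simple; the ISLine instances inside it are not, so looping over them and calling ytd() from the template would fail exactly as the poster predicts, and check_simple flags that list at result[0]. Computing the year-to-date figure in the trusted External Method and shipping it as a number is the option #1 fix. Option #2, for completeness, is a Zope 2 product class that declares `security = ClassSecurityInfo()` with `security.declarePublic('ytd')` (or `declareProtected`) and is passed through `InitializeClass`; that needs a running Zope and is not shown here.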
