[Zope] Security Problem

Dylan Reinhardt zope@dylanreinhardt.com
27 Mar 2003 09:00:44 +0000

On Thu, 2003-03-27 at 04:27, jamesd@mena.org.au wrote:
> Having to create a new Manager and Reviewer role for each of the portals I
> host and setting it up to work correctly (considering checking for the role
> 'Manager' is hard coded in many places) would be an enormous task, so this
> is not feasible.

That's unfortunate, since it's the only reliably secure way of setting
up multi-user, multi-host services.    

The recommendation about restricting the display of folder contents is
still pretty high value and can probably be done painlessly.  Cross-site
scripting exploits are far harder to perform once Zope stops giving away
detailed information on what stuff is available where.  It's not a
complete fix, but it's a huge step in the right direction.

> Considering the exploit does not affect folders (going to
> plone2/portals/manage_main does not work, while plone2/plone1/manage_main
> does, where 'portals' is a folder) 

It would appear that you have restricted access to the portals folder. 
That's a good thing.  

But it has nothing to do with whether the attacked object is a folder or
not.  It is possible to call *any* method of plone1 on *any* object of
plone2 or its parents.  The degree to which such an attempt works is
dependent on little more than how roles are configured.

> is there a way to force the permissions
> to be inherited from 'container' and not 'context'?

That's already how it works.  The problem you have is that the roles for
both these sites are defined in the *same* container.  Unless you define
roles/users a bit deeper in the tree, how can Zope possibly know
where/how roles ought to be partitioned?

I can appreciate the effort that is probably involved in retrofitting
sites with hard-coded roles... but if security is important to you, your
best bet is to combine Zope's excellent security framework with general
best practices in designing and implementing security schemes.
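The behaviour discussed in this thread (a URL such as plone2/plone1/manage_main resolving the sibling site through acquisition, with access then decided purely by where roles are defined) can be modelled in a few lines. The following is an added toy model written for this page, not Zope code and not the author's; it assumes, as the reply above states, that local roles are collected along the containment chain, and it uses constructed user names (site1_admin, site2_admin) and a constructed root folder. It contrasts the two layouts the thread describes: both sites' Managers defined in the common container versus each site's Manager defined inside that site.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """A folder in a Zope-like object tree (toy model, not Zope's API)."""
    name: str
    container: Optional["Node"] = None
    children: dict = field(default_factory=dict)
    local_roles: dict = field(default_factory=dict)  # user -> set of role names

    def add(self, child):
        child.container = self
        self.children[child.name] = child
        return child

    def roles_for(self, user):
        """Roles a user holds on this object: the union of local roles along the
        containment chain (this object, its container, and so on up to the root)."""
        roles, node = set(), self
        while node is not None:
            roles |= node.local_roles.get(user, set())
            node = node.container
        return roles


def traverse(root, path):
    """Resolve a URL path with acquisition: a name not found in the current
    folder is looked up in its containers, so 'plone2/plone1' resolves plone1
    even though plone1 does not live inside plone2."""
    node = root
    for name in path.strip("/").split("/"):
        found, probe = None, node
        while probe is not None and found is None:
            found = probe.children.get(name)
            probe = probe.container
        if found is None:
            raise KeyError(name)
        node = found
    return node


def can_manage(root, user, path):
    """True if the user holds Manager on the object the path resolves to."""
    return "Manager" in traverse(root, path).roles_for(user)


def shared_roles_tree():
    """Both sites' managers defined in the common container: the layout from the thread."""
    root = Node("root")
    root.local_roles = {"site1_admin": {"Manager"}, "site2_admin": {"Manager"}}
    root.add(Node("plone1"))
    root.add(Node("plone2"))
    return root


def partitioned_roles_tree():
    """Each site's manager defined inside that site only (roles 'a bit deeper in the tree')."""
    root = Node("root")
    plone1 = root.add(Node("plone1"))
    plone2 = root.add(Node("plone2"))
    plone1.local_roles = {"site1_admin": {"Manager"}}
    plone2.local_roles = {"site2_admin": {"Manager"}}
    return root


if __name__ == "__main__":
    shared, partitioned = shared_roles_tree(), partitioned_roles_tree()
    for label, tree in (("shared", shared), ("partitioned", partitioned)):
        for path in ("plone1", "plone2", "plone2/plone1", "plone1/plone2"):
            print(f"{label:11} site1_admin on {path:13} -> {can_manage(tree, 'site1_admin', path)}")
```

In both layouts the acquired path resolves, so restricting folder listings hides but does not close the door; only moving the role definitions below the shared container stops site1_admin from holding Manager on plone2 (directly or via plone1/plone2).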