[Zope] External Methods, Proxy Roles, and Executable Security

Dieter Maurer dieter at handshake.de
Tue Nov 22 14:08:33 EST 2005


Jens Vagelpohl wrote at 2005-11-20 19:01 +0100:
> ...
>IMHO proxy roles should be used extremely sparingly, if at all. They  
>are a last resort and I personally never use them. Matter of fact I  
>believe having to use them means the application design could use  
>some improvement...
>
>If something needs to be done with elevated privileges it should be  
>in filesystem product code or, if that is not feasible, in an  
>external method. At least that's my philosophy ;)

You have lost the thread's start:

  George's problem has been that he could not move an object
  in an *EXTERNAL METHOD*, i.e. in trusted filesystem code.

  He would have the same problem in a filesystem product.

  The problem is that "CopySupport" performs a local security
  check (in "_verifyObjectPaste") independent from its caller
  (it does not matter whether the rename/move/copy was
  called from trusted or untrusted code).

  With appropriate proxy roles, an untrusted Python Script can perform some
  rename/move/copy that trusted code is unable to perform.

I assume you can agree that this is a somewhat unsane situation...


-- 
Dieter
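The asymmetry Dieter describes, as an added illustration that is not part of this post or of Zope's own code: a toy model of Zope's security manager in which `_verifyObjectPaste` asks the security manager whether the *current roles* carry the needed permissions, so trusted filesystem code running as a low-privileged user fails the same check that an untrusted Python Script with proxy roles passes. Names such as `getSecurityManager`, `_verifyObjectPaste`, `manage_pasteObjects` and proxy roles mirror Zope's; the classes, the permission names ("Add objects", "Delete objects") and the role tables are simplified stand-ins, and the proxy-role rule is reduced to "the innermost executable's proxy roles replace the user's roles" (the real policy also checks the executable's owner).

```python
"""Toy model of Zope's security manager (added example, not Zope code).
Shows why CopySupport._verifyObjectPaste does not care whether its caller
is trusted: the decision is made from the security context's roles."""


class Unauthorized(Exception):
    pass


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


class SecurityManager:
    """Authenticated user plus the stack of executing objects."""

    def __init__(self, user):
        self.user = user
        self.stack = []

    def addContext(self, executable):
        self.stack.append(executable)

    def removeContext(self, executable):
        assert self.stack.pop() is executable

    def effective_roles(self):
        # Simplified ZopeSecurityPolicy rule: proxy roles declared by the
        # innermost executable replace the user's own roles.
        if self.stack and self.stack[-1].proxy_roles is not None:
            return frozenset(self.stack[-1].proxy_roles)
        return self.user.roles

    def checkPermission(self, permission, obj):
        return bool(self.effective_roles() & obj.roles_for(permission))


_manager = None


def getSecurityManager():
    return _manager


def newSecurityManager(user):
    global _manager
    _manager = SecurityManager(user)
    return _manager


class Folder:
    """Container whose per-permission roles stand in for the ZMI Security tab."""

    def __init__(self, name, permission_roles, parent=None):
        self.name = name
        self._permission_roles = permission_roles  # {permission: roles}
        self.aq_parent = parent
        self.objectValues = []

    def roles_for(self, permission):
        return frozenset(self._permission_roles.get(permission, ()))

    def _verifyObjectPaste(self, obj, validate_src=True):
        # Local check, independent of the caller's trust level: only the
        # security manager's current roles matter.  Permission names are
        # hypothetical; Zope derives the add permission from the meta_type.
        sm = getSecurityManager()
        if not sm.checkPermission("Add objects", self):
            raise Unauthorized("cannot paste into %s" % self.name)
        if validate_src and not sm.checkPermission("Delete objects", obj.aq_parent):
            raise Unauthorized("cannot remove from %s" % obj.aq_parent.name)

    def manage_pasteObjects(self, obj):
        self._verifyObjectPaste(obj)
        obj.aq_parent.objectValues.remove(obj)
        obj.aq_parent = self
        self.objectValues.append(obj)


class ExternalMethod:
    """Trusted filesystem code: unrestricted, but carries no proxy roles."""
    proxy_roles = None

    def __init__(self, func):
        self.func = func

    def __call__(self, *args):
        sm = getSecurityManager()
        sm.addContext(self)
        try:
            return self.func(*args)
        finally:
            sm.removeContext(self)


class PythonScript(ExternalMethod):
    """Untrusted through-the-web code that may declare proxy roles."""

    def __init__(self, func, proxy_roles=None):
        super().__init__(func)
        self.proxy_roles = proxy_roles


def build_site():
    """Constructed sample tree: only Managers may add to or delete from it."""
    only_manager = {"Add objects": ("Manager",), "Delete objects": ("Manager",)}
    root = Folder("root", only_manager)
    src = Folder("src", only_manager, parent=root)
    dst = Folder("dst", only_manager, parent=root)
    doc = Folder("doc", {}, parent=src)
    src.objectValues.append(doc)
    root.objectValues.extend([src, dst])
    return src, dst, doc


def move(dst, doc):
    dst.manage_pasteObjects(doc)


def move_as(executable, user):
    """Run executable(dst, doc) as user; return 'moved' or 'Unauthorized'."""
    src, dst, doc = build_site()
    newSecurityManager(user)
    try:
        executable(dst, doc)
    except Unauthorized:
        return "Unauthorized"
    moved = doc in dst.objectValues and doc not in src.objectValues
    return "moved" if moved else "not moved"


editor = User("editor", ("Authenticated",))
admin = User("admin", ("Manager",))
trusted_move = ExternalMethod(move)                       # filesystem code
script_with_proxy = PythonScript(move, proxy_roles=("Manager",))
script_without_proxy = PythonScript(move)

if __name__ == "__main__":
    for label, ex in [("external method", trusted_move),
                      ("script + proxy", script_with_proxy),
                      ("script, no proxy", script_without_proxy)]:
        print("%-18s as editor: %s" % (label, move_as(ex, editor)))
```

Running it shows the trusted External Method refused as `editor` while the untrusted script with proxy roles `Manager` succeeds for the same user, which is the point of the post: the permission check lives in the container, not in the caller, so trust in the calling code buys nothing.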

