[Zope] Script (Python) insecure ?

Garito garito at sistes.net
Tue Aug 12 09:08:47 EDT 2008


The same question again and again

As a Zope user I prefer to know as soon as possible if Zope has security
problems like those

Perhaps the correct way would be to send the problem to the Zope people and then
make it public 2 weeks later

I think 2 weeks is a very correct period to solve a problem; if not, I want
to try to solve the problem myself

But I shut my mouth, sorry Andreas ;)

2008/8/12 Andreas Jung <lists at zopyx.com>

> *sigh*
>
> I wish that both exploits had been reported to the Zope bugtracker in order
> to work on solutions before making the exploits public.
>
>
> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal at egenix.com>
> wrote:
>
>> Hello,
>>
>> 1. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> return 'kaboom'.encode('test.testall')
>>
>> This results in a denial-of-service, since Zope will hang
>> running the Python test suite.
>>
>> The reason for this is a problem in the way the encoding search
>> function works in Python 2.4. This was changed in 2.5 to no longer
>> allow searching for codecs outside the encodings package.
>>
>
> That's pretty obscure behavior of Python 2.4...anyway.
>
>> 2. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> raise SystemExit
>>
>> This shuts down Zope.
>>
>> The Python Script environment should obviously catch such exceptions
>> and not let them propagate up the call stack.
>>
>>
> See the followup on
>
> <https://bugs.launchpad.net/zope2/+bug/257269>
>
> There is a patch available that solves the problem.
>
> Andreas
>
>
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
>
>


-- 
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670
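The second attack in the quoted report works because `SystemExit` derives from `BaseException`, not `Exception`, so a script runner that only catches `Exception` lets it reach the interpreter. The guard below is an added example, not code from Zope or from anyone in this thread; the script bodies and the codec name `no.such.codec` are constructed stand-ins for "Script (Python)" objects.

```python
def run_guarded(script, *args):
    """Run an untrusted script callable and never let an exception escape.

    Returns (ok, value_or_message). Ordinary errors are reported to the
    caller; SystemExit, KeyboardInterrupt and GeneratorExit, which are
    BaseException but not Exception, are converted into a reported error
    instead of shutting the hosting process down.
    """
    try:
        return True, script(*args)
    except Exception as exc:
        # Regular script failures: report and keep serving.
        return False, "%s: %s" % (type(exc).__name__, exc)
    except BaseException as exc:
        # Not reached by the clause above; without this clause the
        # interpreter would start its shutdown sequence.
        return False, "blocked %s raised by script" % type(exc).__name__


def run_naive(script, *args):
    """The inadequate guard: catches Exception subclasses only."""
    try:
        return True, script(*args)
    except Exception as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


# Constructed script bodies standing in for Script (Python) objects.
def script_exit():
    raise SystemExit          # the second attack from the thread


def script_bad_codec():
    # Constructed codec name: on Python 2.5+ a dotted name is never
    # searched for outside the encodings package, so this is a LookupError.
    return 'kaboom'.encode('no.such.codec')


def script_ok():
    return 'kaboom'.upper()


def naive_guard_lets_exit_through():
    """True if run_naive lets SystemExit propagate to its caller."""
    try:
        run_naive(script_exit)
    except SystemExit:
        return True
    return False
```

`run_guarded` is the shape a script host needs: the `BaseException` clause is the one that keeps a `raise SystemExit` in user code from becoming a server shutdown.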