[zope2-tracker] [Bug 490514] Re: XSS Vulnerability in ZMI

Tres Seaver tseaver at palladion.com
Mon Nov 30 18:08:36 EST 2009



Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
>    http://launchpadlibrarian.net/36268764/xss_in_zope.jpg
> 
> ** Visibility changed to: Public
> 

 status confirmed
 assigned tseaver

This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles.  Rather, it shows up in
add-on product code (such as GenericSetup) which uses
PageTemplateFiles for the ZMI, but call into the existing DTML
header and footer templates so::

  <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
  <h1 tal:replace="structure here/manage_tabs">TABS</h1>
  ...
  <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>

In this case, the code in the call_with_ns function (in
Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
is preserved.

The attached patch adds a test for this case and fixes the bug.  I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.


Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com


** Attachment added: "lp490514-zpt_calling_dtml_preserve_tainting.patch"
   http://launchpadlibrarian.net/36272448/lp490514-zpt_calling_dtml_preserve_tainting.patch

** Changed in: zope2
       Status: New => Confirmed
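The failure mode described in the message above, as an added illustration that is not part of this thread or of Zope's own code: a constructed, simplified model of "tainting", where a request value carrying markup is wrapped in a marker type, the DTML header returns it unchanged, and the `structure` insertion HTML-quotes it only if the marker survived the call. The names `Tainted`, `taint_request_value`, `dtml_manage_page_header`, `call_with_ns_broken`, `call_with_ns_fixed`, `tal_structure_insert` and `render_page` are assumed stand-ins, not Zope APIs.

```python
# Constructed model of string "tainting" (not Zope's implementation):
# request values containing markup are wrapped in Tainted, and the
# template engine quotes a Tainted value even on "structure" insertion.
import html


class Tainted(str):
    """Marks a string as request-derived and in need of HTML-quoting."""

    def quoted(self):
        # str(self) yields a plain str; escape it for safe HTML output
        return html.escape(str(self), quote=True)


def taint_request_value(value):
    """Model of request marshalling: values carrying markup are tainted."""
    return Tainted(value) if "<" in value or ">" in value else value


def dtml_manage_page_header(ns):
    """Stand-in for the DTML header template: echoes a request value."""
    return ns["title"]  # hands back whatever type it received


def call_with_ns_broken(func, ns):
    """Models the defect: the result is rebuilt as a plain str, so the
    Tainted marker is dropped before the template sees it."""
    return str(func(ns))


def call_with_ns_fixed(func, ns):
    """Models the fix: the result is passed through with its type intact."""
    return func(ns)


def tal_structure_insert(value):
    """'structure' insertion: raw markup, unless the value is tainted."""
    if isinstance(value, Tainted):
        return value.quoted()
    return str(value)


def render_page(call_with_ns):
    """Render the header through the given call_with_ns variant."""
    # Constructed request input carrying (harmless) markup
    ns = {"title": taint_request_value("<b>untrusted</b>")}
    header = call_with_ns(dtml_manage_page_header, ns)
    return tal_structure_insert(header)


if __name__ == "__main__":
    print("broken:", render_page(call_with_ns_broken))  # markup emitted raw
    print("fixed: ", render_page(call_with_ns_fixed))   # markup quoted
```

With the broken variant the markup reaches the page unquoted; with the fixed variant the taint survives the call and the same input is escaped.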

-- 
XSS Vulnerability in ZMI
https://bugs.launchpad.net/bugs/490514