[Zope3-Users] Security alert: use of Through-the-Web
fairwinds at eastlink.ca
Tue Jul 18 14:55:01 EDT 2006
Hi Jim. I was noticing a 0.4.0-zope in distutils that looks patched with
NotImplementedErrors for the offending code in
docutils.parsers.rst.directives.misc. Can you say when this will land in
the Zope3 trunk?
Jim Fulton wrote:
> On Jul 8, 2006, at 11:49 AM, David Pratt wrote:
>> Jim Fulton wrote:
>>> Recently, a serious security flaw was found in Zope 2 due to its
>>> improper support for allowing reStructuredText to be edited
>>> through-the-web. reStructuredText has directives that allow
>>> inclusion of any file a Zope process could read and inclusion of data
>>> obtained from fetching arbitrary URLs. In a trusted environment,
>>> these directives have legitimate uses. The feature of including
>>> files and URL results should not be enabled for text entered from
>>> untrusted sources, which applies to most through-the-web interactions.
>> Hi Jim. In the case of a wiki, it is the nature of a wiki that folks
>> are able to edit through the web.
> But a wiki can be edited in other formats than restructured text.
> (Personally, I think wikis should use tools like Epoz or Kupu to allow
> direct HTML editing, but that's a different matter.)
>> Wouldn't data validation and any necessary alterations to the
>> directives make some sense as opposed to removing it from the zope3 mix?
> Sure, if someone is willing to do it and take responsibility. Note that
> I'm not removing these from the release, because they've never been in
> the release. I didn't even remove them from the repository, I just
> removed them from the Zope 3 tree.
> I'm convinced that TTW reST can be safe with suitable attention to detail.
> So far though, that hasn't happened. No one has come forward yet and said
> "I'll maintain this and be responsible for making sure we're secure wrt
>>> The recent hotfix:
>>> addresses the problem for Zope 2.
> Perhaps. We don't know for sure. We don't have tests. We don't know if
> it can be defeated using a reload product. It is also a very crude fix.
> It prevents people from creating add-ons that make legitimate use of
> file-inclusion or the raw directive. It was a great fix in an emergency
> -- and this was a serious
> but I don't want to use such a fix in Zope 3.
>>> It is safe to allow reStructuredText through the web with care. The
>>> inclusion of files or URL results can be disabled, but the programmer
>>> must explicitly disable the feature. It is not disabled by default.
>>> It is also critical that a developer who exposes through-the-web
>>> reStructuredText have tests to verify that the file/url inclusion
>>> feature has been disabled.
>>> Zope 3 itself, as released, doesn't have this problem because it
>>> doesn't allow reST entry through the web. There are third-party
>>> applications, however, including 2 packages in the Zope 3 subversion
>>> tree that do have this problem. I strongly urge you to avoid using
>>> any Zope package that allows through-the-web input of
>>> reStructuredText unless you can verify that file/url has been
>>> properly disabled.
>>> The zwiki and bugtracker packages do not currently disable file/url
>>> inclusion and should not be used in situations in which users who are
>>> not highly trusted have access to these applications.
>> Can you be explicit about the process of disabling file/url inclusion
>> for zope3 (if this is the critical point you are making ). The use of
>> restructured text is valuable in zope and obviously it is important to
>> understand security measures that would allow its continued use.
> The reStructuredText documentation gives instructions for disabling it.
> But something this risky needs people to be responsible. I'm not seeing
> that. I expect someone to come forward eventually. Part of being
> responsible is writing reasonably extensive tests.
>> If this can be done, why remove the products from the repository tree?
>> Would it not be better to apply the necessary fixes? Many thanks.
> Because their presence in the Zope 3 tree put people at serious risk.
> If someone wants to work on them, great, and they can release them as
> add-on packages.
> Jim Fulton mailto:jim at zope.com Python Powered!
> CTO (540) 361-1714 http://www.python.org
> Zope Corporation http://www.zope.com http://www.zope.org
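As an added example (not from this thread, nor code from Zope or docutils themselves), here are the docutils settings that switch file/URL inclusion and raw pass-through off for through-the-web text, together with the kind of regression check Jim asks for: a test proving the include directive really is disabled. It assumes docutils is installed; the sentinel file and the sample documents are constructed for the example.

```python
# Added example: render reStructuredText from untrusted users with
# docutils' file/URL inclusion and raw pass-through disabled, and verify it.
import io
import os
import tempfile

from docutils.core import publish_parts
from docutils.utils import SystemMessage
from docutils.writers.html4css1 import Writer

# Settings for text that arrives through the web from untrusted authors.
UNTRUSTED_SETTINGS = {
    "file_insertion_enabled": False,  # no include / :file: / :url: reads
    "raw_enabled": False,             # no raw HTML pass-through either
    "halt_level": 2,                  # fail closed: any WARNING aborts
    "traceback": True,                # raise SystemMessage, never sys.exit()
    "_disable_config": True,          # a stray docutils.conf cannot re-enable
    "warning_stream": io.StringIO(),  # keep the rejection notice off stderr
}

# docutils defaults (inclusion enabled): only acceptable for trusted authors.
TRUSTED_SETTINGS = {"traceback": True, "_disable_config": True,
                    "warning_stream": io.StringIO()}


def render_rst(text, settings):
    """Return the HTML fragment for `text`; raises SystemMessage on rejection."""
    parts = publish_parts(source=text, writer=Writer(),
                          settings_overrides=dict(settings))
    return parts["fragment"]


def rejects(text, settings=UNTRUSTED_SETTINGS):
    """True if docutils refuses to render `text` under `settings`."""
    try:
        render_rst(text, settings)
    except SystemMessage:
        return True
    return False


def include_is_disabled():
    """Regression check: a file pulled in via ``.. include::`` must never
    reach the output under UNTRUSTED_SETTINGS, while the same document does
    leak it under the permissive defaults (so the test really discriminates)."""
    sentinel = "SENTINEL-9d8f"  # constructed marker, not a real secret
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(sentinel + "\n")
    try:
        doc = "Page text\n\n.. include:: %s\n" % fh.name
        leaks_when_trusted = sentinel in render_rst(doc, TRUSTED_SETTINGS)
        return rejects(doc) and leaks_when_trusted
    finally:
        os.unlink(fh.name)
```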