[ZPT] Calling complex product tags from ZPT

J C Lawrence claw@kanga.nu
Fri, 12 Jul 2002 00:06:26 -0700


On Sun, 07 Jul 2002 18:56:30 +0200 
j-david wrote:
> J C Lawrence wrote:

> Look at /usr/lib/zope/lib/python/Products, is there any hotfix?  They
> patch Zope, I already had a problem with one of them and Localizer.

They apply two hotfixes.  I've quoted the patch segment below:

--<cut>--
--- zope-2.5.1.orig/lib/python/Products/Hotfix_2002-06-14/__init__.py
+++ zope-2.5.1/lib/python/Products/Hotfix_2002-06-14/__init__.py
@@ -0,0 +1,44 @@
+##############################################################################
+#
+# Copyright (c) 2002 Zope Corporation and Contributors. All Rights Reserved.
+# 
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.0 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+# 
+##############################################################################
+
+HOTFIX_ID = 'Hotfix_2002-06-14'
+
+apply_hotfix = 0
+try:
+    from App.Hotfixes import beforeApplyHotfix
+    # Require Zope 2.x.x.
+    apply_hotfix = beforeApplyHotfix(HOTFIX_ID, 2, 0, 0)
+except ImportError:
+    # No hotfix module exists yet.
+    apply_hotfix = 1
+    from zLOG import LOG, INFO
+    LOG('Hotfix', INFO, 'Applying %s.' % HOTFIX_ID)
+    
+if apply_hotfix:
+    from Globals import InitializeClass
+    
+    # Check for Plug-in index support
+    try:
+        from Products.ZCatalog.ZCatalogIndexes import ZCatalogIndexes
+    except ImportError:
+        from zLOG import LOG, WARNING
+        LOG('Hotfixes', WARNING, 'Cannot apply %s. This Zope installation '
+            'does not support plug-in indexes, and does not need this fix. '
+            'Please uninstall the hotfix product.' % HOTFIX_ID)
+    else:
+        # Make sure that users have the proper permission to directly
+        # access the indexes of a ZCatalog\
+        ZCatalogIndexes.__ac_permissions__ = \
+            ZCatalogIndexes.__ac_permissions__ + \
+            (('Manage ZCatalogIndex Entries', ('',)),)
+        InitializeClass(ZCatalogIndexes)
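Review bot: the comment line `+        # access the indexes of a ZCatalog\` ends in a stray backslash that reads as a line continuation and should be dropped, and the two LOG calls use different subsystem tags ('Hotfix' on the ImportError path, 'Hotfixes' on the no-plug-in-indexes path), so an operator filtering the event log on one tag misses the other. Also, only the `except ImportError` branch emits 'Applying %s.'; when App.Hotfixes is present and beforeApplyHotfix returns true, nothing in this file is logged, so there is no startup record that the permission was actually added to ZCatalogIndexes.__ac_permissions__. Suggest one consistent tag and a `LOG('Hotfix', INFO, 'Applying %s.' % HOTFIX_ID)` inside the `if apply_hotfix:` block, next to the InitializeClass call, where the fix is really applied.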
--- zope-2.5.1.orig/lib/python/Products/Hotfix_2002-06-14/README.txt
+++ zope-2.5.1/lib/python/Products/Hotfix_2002-06-14/README.txt
@@ -0,0 +1,20 @@
+Hotfix_2002-06-14
+
+  This is a "hotfix" product. Hotfix products can be installed to 
+  incorporate modifications to Zope at runtime without requiring an
+  immediate installation upgrade. Hotfix products are installed 
+  just as you would install any other Zope product.
+
+  This hotfix addresses an important security issue that affects
+  users of Zope versions 2.4.0 through 2.5.x (or other Zope versions
+  with ZCatalog's plug-in index support installed)
+
+  The issue involves the security of the indexes of ZCatalog
+  objects. A flaw in the security settings of ZCatalog allows
+  anonymous users to call arbitrary methods of catalog indexes. The
+  vulnerability also allows untrusted code to do the same.
+
+  We highly recommend that any Zope site running Zope 2.4.0 through
+  Zope 2.5.x have this hotfix product installed to mitigate the
+  issue. Zope 2.6 will contain a fix for the issue, at which time
+  the hotfix can be removed.
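Review bot: the sentence ending `+  with ZCatalog's plug-in index support installed)` is missing its full stop, and the README gives the administrator no way to confirm the fix took effect on a given instance. Suggest documenting what the product writes to the event log at startup: the 'Applying Hotfix_2002-06-14.' INFO entry when the fix is applied, and the WARNING asking for the product to be uninstalled on installations without plug-in indexes, so an installed-but-inactive hotfix is not mistaken for a mitigated instance.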
--<cut>--

I've not yet researched the details of plug-in indexes with ZCatalogs...

> The simplest test is:

>   <div metal:use-macro="widgets/calendar" />

Fails here.

> I use a really primitive way to debug, which is enough most of the
> time. Just modify NuxWidgets to output a message in the right
> places. For example, in NuxWidgets.__init__.py, add the following line
> at the beginning of pt_getContext:

>   open('/tmp/kk', 'w').write('pt_getContext from NuxWidgets\n')

<nod>

I'll be doing that next.

> But I also suggest to set up a new installation from a Zope binary
> (without the CMF, etc.., only with the required stuff), and see if it
> works or not. It takes 5 minutes.

Yup, just checked out a CVS tree.

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw@kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.