Hi. As a reminder: If nobody is able to help with this, I'll disable the insecure view registration in Zope2 and release new versions Tuesday 13th.
From my understanding of the code, Zope 2 itself is not vulnerable, as there's no registrations for IFactory utilities included. But in any system that has such registrations, anonymous users should be able to create any such content item in any location.
Hanno

On Sat, Jun 26, 2010 at 6:24 PM, Hanno Schlichting <hanno@hannosch.eu> wrote:
Recently MJ opened a security related bug and disclosed it to the public at https://bugs.launchpad.net/zope2/+bug/578326.
In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.
I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns about those cases. This is similar to how we handle other such cases like the unsupported <require set_schema=".." /> and <require set_attributes="..." /> on class directives.
But it turns out that Zope 2 itself is using this in one place, that looks like it ought to have a security declaration. The Products.Five.adding.ContentAdding class registered as an add view ("+") has no working security declarations I can see, and only has such a non-functioning permission="zope2.ViewManagementScreens" set. I'm not familiar enough with the add view concept to understand what this is doing. It also looks like both CMF and Plone use similar registrations for their add views.
Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.