Now that we've reached closure on some of the outstanding security issues in Zope, there's a lot of stuff in the Collector that needs to be revisited... Brian Lloyd wrote:
- For loops, list comprehensions, and other iterations in untrusted code
- List and dictionary instance methods in untrusted code
- Use of import as in untrusted code
- Use of min, max, enumerate, iter, and sum in untrusted code
- Broken binding validation in untrusted code
- Unpacking in untrusted code
- PythonScript class security not initialized properly
- PropertyManager 'lines' and 'tokens' properties stored as list
- Configuration file did not override security policy selection
AFAIK there weren't any public bugs related to these problems, except for maybe issue #28 which can probably be taken out of deferred status and placed into resolved now.
- Unicode passed to RESPONSE.write() could shut down process
I could have sworn there was a bug report related to this but I can't find it now.
- XML-RPC instance marshaling may disclose protected values
Issue #410. I can't comment on the effectiveness of this solution; I removed XML-RPC from my tree ages ago. I am curious if anyone has a test-case/exploit for this issue though.
- DTML tag dtml-tree may allow DoS attack
issue #604 can be marked resolved now
- Potential cross-site scripting problem in default ZSearch interface
issue #734 can be marked resolved now
- Proxy rights on DTMLMethods transferred via acquisition
I believe this means issue #743 and issue #977 can be resolved now. Actually, #977 already was rejected IIRC, but it's never been marked as public, which is rather irritating.
- Improper security assertions on DTMLDocument objects
Probably fixes issue #865, but because Zope-HEAD doesn't actually run right now, due to a myriad of other bugs, I actually haven't tested it.
- Inadequate security assertions on admin "find" functions
Issue #1000 can be marked resolved now.

The patchset for 813's XSS issues seems to have been partially applied. I still need to update my patch against HEAD for the XSS holes that haven't been closed. I'll post an update to the Collector when it's ready.

--
Jamie Heilman http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing next to you may not be who they appear to be, so take precaution." -Sathington Willoughby