[zope2] Help needed with security checks and add views
Hi there,

recently MJ opened a security related bug and disclosed it to the public at https://bugs.launchpad.net/zope2/+bug/578326.

In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.

I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns about those cases. This is similar to how we handle other such cases like the unsupported <require set_schema=".." /> and <require set_attributes="..." /> on class directives.

But it turns out that Zope 2 itself is using this in one place, that looks like it ought to have a security declaration. The Products.Five.adding.ContentAdding class registered as an add view ("+") has no working security declarations I can see, and only has such a non-functioning permission="zope2.ViewManagementScreens" set. I'm not familiar enough with the add view concept to understand what this is doing. It also looks like both CMF and Plone use similar registrations for their add views.

Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.

Any help appreciated,
Hanno
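The script below is an added example, not code from Zope 2 or from anyone in this thread. It audits a ZCML file for the two cases the message above names as silently ignored by Zope 2: a permission attribute on a browser:view directive, and set_schema / set_attributes on a require inside a class directive. The ZCML it parses is constructed for illustration and mirrors the "+" add view registration described above; the browser:page entry is included as the directive that does honour permission, so it must not be flagged. Namespace URIs are the standard ones used by Zope ZCML; everything else (class paths, view names) is made up.

```python
"""Audit ZCML for security attributes that Zope 2 ignores (added example)."""
import sys
import xml.etree.ElementTree as ET

# Standard ZCML namespace URIs.
BROWSER_NS = "http://namespaces.zope.org/browser"
ZOPE_NS = "http://namespaces.zope.org/zope"

# Constructed sample: class paths and view names are hypothetical.
SAMPLE_ZCML = """<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">

  <!-- browser:page honours permission: must not be flagged -->
  <browser:page
      name="manage_stuff"
      for="*"
      class=".browser.ManageStuff"
      permission="zope2.ViewManagementScreens"
      />

  <!-- mirrors the add view case from the thread: permission is ignored -->
  <browser:view
      name="+"
      for="*"
      class=".adding.ContentAdding"
      permission="zope2.ViewManagementScreens"
      />

  <class class=".content.Document">
    <!-- supported form -->
    <require permission="zope2.View" interface=".interfaces.IDocument" />
    <!-- set_attributes is not supported on Zope 2 class directives -->
    <require set_attributes="title description" permission="zope2.ManagePortal" />
  </class>
</configure>
"""


def audit_zcml(text):
    """Return a list of (directive, detail) findings for ignored declarations.

    Each finding names the directive kind and the element it came from so the
    owner can either move the declaration to a supported directive or accept
    that the object is unprotected.
    """
    root = ET.fromstring(text)
    findings = []

    # Case 1: permission on browser:view is accepted by the parser but does
    # nothing, so the view ends up publicly traversable.
    for el in root.iter("{%s}view" % BROWSER_NS):
        perm = el.get("permission")
        if perm is not None:
            findings.append((
                "browser:view",
                "name=%r class=%r permission=%r is ignored; view is unprotected"
                % (el.get("name"), el.get("class"), perm),
            ))

    # Case 2: set_schema / set_attributes on <require> inside <class> are the
    # other unsupported declarations the thread mentions.
    for cls in root.iter("{%s}class" % ZOPE_NS):
        for req in cls.findall("{%s}require" % ZOPE_NS):
            for attr in ("set_schema", "set_attributes"):
                value = req.get(attr)
                if value is not None:
                    findings.append((
                        "class/require",
                        "class=%r %s=%r is ignored" % (cls.get("class"), attr, value),
                    ))
    return findings


def audit_file(path):
    """Audit a ZCML file on disk; returns the same finding list as audit_zcml."""
    with open(path, "rb") as fh:
        return audit_zcml(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [audit_file(p) for p in paths] if paths else [audit_zcml(SAMPLE_ZCML)]
    for label, found in zip(paths or ["<sample>"], results):
        for kind, detail in found:
            print("%s: %s: %s" % (label, kind, detail))
```

Run it with one or more configure.zcml paths to list every registration whose permission you have been relying on but which Zope 2 never enforced; with no arguments it audits the embedded sample and reports the "+" view and the set_attributes require, but not the browser:page.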
On 26.06.2010, 18:24, Hanno Schlichting <hanno@hannosch.eu> wrote:

> In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.

I'm not sure whether this affects only views. I have just checked a Zope 2.10 based site (with CMF) where pages are protected. They work as expected. More recent Zope 2.12 sites do not apply the same protection. For an example, try /members_manage_form on a Zope 2.12.4 + CMF 2.1 site. I.e. the error may not be in the way declarations are handled but in the exception handling.

Charlie
--
Charlie Clark
Managing Director
Clark Consulting & Research
German Office
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-600-3657
Mobile: +49-178-782-6226
Hi. As a reminder: If nobody is able to help with this, I'll disable the insecure view registration in Zope2 and release new versions Tuesday 13th.
From my understanding of the code, Zope 2 itself is not vulnerable, as there's no registrations for IFactory utilities included. But in any system that has such registrations, anonymous users should be able to create any such content item in any location.
Hanno

On Sat, Jun 26, 2010 at 6:24 PM, Hanno Schlichting <hanno@hannosch.eu> wrote:
> recently MJ opened a security related bug and disclosed it to the public at https://bugs.launchpad.net/zope2/+bug/578326.
> In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns about those cases. This is similar to how we handle other such cases like the unsupported <require set_schema=".." /> and <require set_attributes="..." /> on class directives.
> But it turns out that Zope 2 itself is using this in one place, that looks like it ought to have a security declaration. The Products.Five.adding.ContentAdding class registered as an add view ("+") has no working security declarations I can see, and only has such a non-functioning permission="zope2.ViewManagementScreens" set. I'm not familiar enough with the add view concept to understand what this is doing. It also looks like both CMF and Plone use similar registrations for their add views.
> Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.
Hi Hanno, On 27 June 2010 00:24, Hanno Schlichting <hanno@hannosch.eu> wrote:
> Hi there,
> recently MJ opened a security related bug and disclosed it to the public at https://bugs.launchpad.net/zope2/+bug/578326.
> In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns about those cases. This is similar to how we handle other such cases like the unsupported <require set_schema=".." /> and <require set_attributes="..." /> on class directives.
> But it turns out that Zope 2 itself is using this in one place, that looks like it ought to have a security declaration. The Products.Five.adding.ContentAdding class registered as an add view ("+") has no working security declarations I can see, and only has such a non-functioning permission="zope2.ViewManagementScreens" set. I'm not familiar enough with the add view concept to understand what this is doing. It also looks like both CMF and Plone use similar registrations for their add views.
And Dexterity, I suggest.
> Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.
Why can't we just copy the relevant code from the browser:page directive? The ViewSecurityGrokker in http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163&view=au... may be useful reading too. It should be doing the same thing, no? Martin
On Thu, Jul 8, 2010 at 3:02 PM, Martin Aspeli <optilude+lists@gmail.com> wrote:
> Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.
>
> Why can't we just copy the relevant code from the browser:page directive?
>
> The ViewSecurityGrokker in http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163&view=au... may be useful reading too. It should be doing the same thing, no?
It seems you have some idea about this code, so are you volunteering to implement this? Since we are dealing with a disclosed real security vulnerability here, I need to have some resolution by next Tuesday. Either that is disabling the functionality or protecting it with some security. Hanno
On 9 July 2010 16:12, Hanno Schlichting <hanno@hannosch.eu> wrote:
> On Thu, Jul 8, 2010 at 3:02 PM, Martin Aspeli <optilude+lists@gmail.com> wrote:
>> Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.
>>
>> Why can't we just copy the relevant code from the browser:page directive?
>>
>> The ViewSecurityGrokker in http://svn.zope.org/five.grok/trunk/src/five/grok/meta.py?rev=112163&view=au... may be useful reading too. It should be doing the same thing, no?
>
> It seems you have some idea about this code, so are you volunteering to implement this?

Possibly. I have client work that has to take priority right now.

> Since we are dealing with a disclosed real security vulnerability here, I need to have some resolution by next Tuesday. Either that is disabling the functionality or protecting it with some security.
I'd appreciate it if someone who's getting more than four hours of sleep a night at the moment takes a stab. I'm happy to review/assist. Martin
On 27 June 2010 00:24, Hanno Schlichting <hanno@hannosch.eu> wrote:
> Hi there,
> recently MJ opened a security related bug and disclosed it to the public at https://bugs.launchpad.net/zope2/+bug/578326.
> In short Zope 2 never supported the permission attribute on ZCML browser:view declarations. It seems some people might have specified this attribute and assumed it would do something.
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which warns about those cases. This is similar to how we handle other such cases like the unsupported <require set_schema=".." /> and <require set_attributes="..." /> on class directives.
> But it turns out that Zope 2 itself is using this in one place, that looks like it ought to have a security declaration. The Products.Five.adding.ContentAdding class registered as an add view ("+") has no working security declarations I can see, and only has such a non-functioning permission="zope2.ViewManagementScreens" set. I'm not familiar enough with the add view concept to understand what this is doing. It also looks like both CMF and Plone use similar registrations for their add views.
> Ideally I'd love to add support for the permission attribute, as clearly people have been using it. But if there's nobody who can figure out how to do that, I'd at least like to clarify the add view case.
Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm allowed to close the issue on Launchpad, but it should be fine now.

Cheers,
Martin
On Sat, Jul 10, 2010 at 12:14 PM, Martin Aspeli <optilude+lists@gmail.com> wrote:
> Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm allowed to close the issue on Launchpad, but it should be fine now.

Awesome! You truly rock!

Much appreciated,
Hanno
On 10 July 2010 18:16, Hanno Schlichting <hanno@hannosch.eu> wrote:
> On Sat, Jul 10, 2010 at 12:14 PM, Martin Aspeli <optilude+lists@gmail.com> wrote:
>> Fixed in r114488 (2.12 branch) and r114490 (trunk). I don't think I'm allowed to close the issue on Launchpad, but it should be fine now.
>
> Awesome! You truly rock!

My powers of copy and paste are sharp, it must be said. :)

Martin
participants (3)
- Charlie Clark
- Hanno Schlichting
- Martin Aspeli