Oliver Bleutgen wrote:
And let me thank you for that, IMO you do a very important service for the zope community. Unfortunately it seems that unless there is a major flaw found, there's not much interest in this kind of security analysis.
Thanks! I have to say I too don't understand the perfunctory attitude towards security in Zope. I've pointed out numerous avenues for cross site scripting, which even when patched, thanks to the misplacement of trust, allow poisoning of caches with false hostnames, URIs, etc. Even finding out if a page uses a cache manager is trivial, thanks to the unprotected method of ZCacheable_getURL in the ZCacheable mix-in. (which is fixed in my reworked version see bug 911) My point is, you combine enough of these things together and you can start to build a pretty effective attack against a Zope host.
At least with VHM, I think the solution is straightforward. Abandon the path for forwarding information to zope, and use custom http-headers instead. VHM then would delete these headers on traversal (to hide that information from not-so-trusted code inside zope).
This solution would not only be more secure, it would also simplify the VHM code alot, and it would certainly be faster.
Yeah I think you're right, the extra header occured to me too, I haven't hammered out any code yet (too busy updating the patchwork for 813) but its on my list. Now, while I think a new header is a good stop-gap I don't think its a permanent solution. The probablem of no canonical host name is still source of pain in zope and I have a hunch a long term solution will solve both problems at once, as well as be safe to use on a multi-user machine with potentially hostile accounts. I don't yet know what that solution might look like though. -- Jamie Heilman http://audible.transient.net/~jamie/ "We must be born with an intuition of mortality. Before we know the words for it, before we know there are words, out we come bloodied and squalling with the knowledge that for all the compasses in the world, there's only one direction, and time is its only measure." -Rosencrantz