On Sun, 2001-08-26 at 06:32, Kyler B. Laird wrote:

> On Sun, 26 Aug 2001 00:15:16 +0200 (CEST) you wrote:
>
> > Kyler B. Laird writes:
> >
> > > Looking around on Zope.org, I realized that this might already be addressed. Is there anything that prevents me (as a Zope community member with authoring privileges on zope.org) from luring users who have already authenticated with Zope.org to come look at my pages, and then running arbitrary commands with their privileges?
> >
> > Starting with Zope 2.2, the effective permissions are the intersection of that of the current user and that of the executable's owner. That implies the authors cannot do things by hijacking visitors.
>
> O.k., I appreciate that (lots!). However, I do not see what is stopping me from doing something nasty like...
>
> 1. Lure you to my page.
> 2. Check to see that you are authenticated. (My page wouldn't require it.)
> 3. If you are, grab your user name.
> 4. Create a URL for a Bad Thing (something with "manage_" in it pointed at your folder).
> 5. Generate a 1x1 (or whatever) <img> tag with that URL as the src value.
>
> I haven't tried this, but even if it does not work now, I wonder what policy prevents it (and ensures it will not work in future versions).

The policy that prevents it is the one that was told to you. *YOUR* content can only do what *you* have permission to do, period. The user browsing your stuff is 'executed' as *you*, not the user. Therefore, you could not do manage_<anything> that you did not already possess the capability to do. Period. If you already have that power, it is irrelevant.

> Any clever thoughts?

The pre-existing Zope security machinery. Do a search on the Archives, and you will see all the raw details.

Cheers,
Bill
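The ownership rule Bill cites (an executable runs with the intersection of its owner's and the current user's permissions), modelled as an added example that is not from the thread or from Zope's own code. The role names, permission names and the local-role table are constructed and simplified; the model covers only the rule itself, i.e. what content owned by one user may do when another user triggers it.

```python
# Toy model of the Zope 2.2+ ownership rule discussed in the thread.
# Assumed, simplified role -> permission map (constructed, not Zope's).
ROLE_PERMISSIONS = {
    "Anonymous":     {"View"},
    "Authenticated": {"View"},
    "Author":        {"View", "Add Documents"},
    "Manager":       {"View", "Add Documents", "Manage properties",
                      "Delete objects"},
}

# Constructed local-role table: folder -> user -> roles held *in that folder*.
# 'kyler' is an author in his own area; 'visitor' manages a separate folder.
LOCAL_ROLES = {
    "/kyler":   {"kyler": {"Author"},        "visitor": {"Authenticated"}},
    "/visitor": {"kyler": {"Authenticated"}, "visitor": {"Manager"}},
}

def permissions_in(folder, user):
    """Permissions a user holds in a folder, via the local roles held there."""
    perms = set()
    for role in LOCAL_ROLES[folder].get(user, {"Anonymous"}):
        perms |= ROLE_PERMISSIONS[role]
    return perms

def effective_permissions(folder, owner, user):
    """Ownership rule: the owner's permissions AND the current user's."""
    return permissions_in(folder, owner) & permissions_in(folder, user)

def check(folder, owner, user, needed):
    """True if content owned by `owner`, run while `user` is the current
    user, may perform an action in `folder` that needs permission `needed`."""
    return needed in effective_permissions(folder, owner, user)

def luring_scenario():
    """Kyler's own page runs while the Manager 'visitor' is logged in and
    the content tries 'Delete objects' inside the visitor's folder."""
    return check("/visitor", owner="kyler", user="visitor",
                 needed="Delete objects")

def direct_scenario():
    """The same action performed by the visitor through content they own."""
    return check("/visitor", owner="visitor", user="visitor",
                 needed="Delete objects")

if __name__ == "__main__":
    print("author-owned content, visitor logged in:", luring_scenario())  # False
    print("visitor acting through own content:", direct_scenario())       # True
```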