The same question again and again

As a Zope user I prefer to know as soon as possible if Zope has security problems like those

Perhaps the correct way will be to send the problem to the zope people and 2 weeks later then make it public

I think 2 weeks is a very correct period to solve a problem if not, I want to try to solve the problem for myself

But I shout my mouth, sorry Andreas ;)

2008/8/12 Andreas Jung <lists@zopyx.com>

*sigh*

I wished that both exploits were reported to the Zope bugtracker in order
to work on solutions before making the exploits public.

--On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal@egenix.com> wrote:

Hello,

1. Attack:

Put this into a "Script (Python)" object and run it:

return 'kaboom'.encode('test.testall')

This results in a denial-of-service, since Zope will hang
running the Python test suite.

The reason for this is a problem in the way the encoding search
function works in Python 2.4. This was changed in 2.5 to no longer
allow searching for codecs outside the encodings package.

That's pretty obscure behavior of Python 2.4...anyway.

2. Attack:

Put this into a "Script (Python)" object and run it:

raise SystemExit

This shuts down Zope.

The Python Script environment should obviously catch such exceptions
and not let them propagate up the call stack.

See the followup on

<https://bugs.launchpad.net/zope2/+bug/257269>

There is a patch available that solves the problem.

Andreas

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

--
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670