All,

I've got a sneaking suspicion that there are some security problems in Zope 2.3.x.

I've been trying to make a simple testcase and would like other (better) minds than mine to look at it.

I have an external method which looks like:

    class c:
        def __init__(self,a):
            self.score=a
            self.test=a*a

    def t(self):
        retval=[]
        for a in range(1,10):
            retval.append(c(a))
        return retval

The class 'c' is a very simple class, it has no methods and only two attributes/properties 'score' and 'test'.

The external method 't' is also very simple, it just returns an array of class 'c'.

The dtml-method I'm using to access this array is as follows:

    <dtml-var standard_html_header>
    <dtml-in t>
    <dtml-var "_['sequence-item'].score">
    </dtml-in>
    <dtml-var standard_html_footer>

Nothing earth shattering there either.

BUT, I get an unauthorized error raised with this traceback whenever I run this dtml-method:
(note that an authentication login box is presented but NO user name is able to authenticate)

    Traceback (innermost last):
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
      File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
        (Object: t)
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
        (Object: _['sequence-item'].score)
        (Info: _)
      File <string>, line 0, in ?
      File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
      File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
        (Object: index_html)
      File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
      File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
    Unauthorized: score

All of this is run on a bog standard install of Zope 2.3.2 with no other products installed, no security changes done, REALLY bog standard.

Anyone got any ideas?

Cos this is doin my f'in ed in man?!?!?!?!?!?

Phil
phil.harris@zope.co.uk
Hi Phil,

Defining classes in external methods is... an interesting experience. I don't recommend it. It gets tricky because the file that external methods are defined in isn't actually a Python module, so interpreting the behavior is hard.

That said, the security chapter of the developer's guide goes in to this a little (http://www.zope.org/Documentation/ZDG/Security.dtml). The problem is that the instances you're putting in the array don't have any security declarations, therefore access to them is denied (raising the unauthorized). The fix for this is to add security declarations to the class, e.g (untested):

    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass

    class c:
        security = ClassSecurityInfo()
        security.declareObjectPublic()
        security.setDefaultAccess('allow')
        def __init__(self,a):
            self.score=a
            self.test=a*a

    def t(self):
        retval=[]
        for a in range(1,10):
            InitializeClass(c)  # it's dumb to do this every time.
            retval.append(c(a))
        return retval

If this doesn't work for some reason (setDefaultAccess was broken in at least one Zope release), try to define the class c like so:

    class c:
        __allow_access_to_unprotected_subobjects__ = 1
        def __init__(self,a):
            self.score=a
            self.test=a*a

----- Original Message -----
From: Phil Harris
To: zope@zope.org
Sent: Wednesday, May 09, 2001 10:08 AM
Subject: [Zope] Security Problems?
Ignore the if not hasattr( in the t method below, sorry!

----- Original Message -----
From: "Chris McDonough" <chrism@digicool.com>
To: "Phil Harris" <phil.harris@zope.co.uk>; <zope@zope.org>
Sent: Wednesday, May 09, 2001 10:41 AM
Subject: Re: [Zope] Security Problems?
Hi Phil,
Defining classes in external methods is... an interesting experience. I don't recommend it. It gets tricky because the file that external methods are defined in isn't actually a Python module, so interpreting the behavior is hard.
That said, the security chapter of the developer's guide goes in to this a little (http://www.zope.org/Documentation/ZDG/Security.dtml). The problem is that the instances you're putting in the array don't have any security declarations, therefore access to them is denied (raising the unauthorized). The fix for this is to add security declarations to the class, e.g (untested):
    from AccessControl import ClassSecurityInfo
    from Globals import InitializeClass

    class c:
        security = ClassSecurityInfo()
        security.declareObjectPublic()
        security.setDefaultAccess('allow')
        def __init__(self,a):
            self.score=a
            self.test=a*a

    def t(self):
        retval=[]
        for a in range(1,10):
            inst = c(a)
            if not hasattr(
            InitializeClass(c)  # it's dumb to do this every time.
            retval.append(c(a))
        return retval
If this doesn't work for some reason (setDefaultAccess was broken in at least one Zope release), try to define the class c like so:
    class c:
        __allow_access_to_unprotected_subobjects__ = 1
        def __init__(self,a):
            self.score=a
            self.test=a*a
----- Original Message -----
From: Phil Harris
To: zope@zope.org
Sent: Wednesday, May 09, 2001 10:08 AM
Subject: [Zope] Security Problems?
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
Chris,

Thanks for the advice but something doesn't scope:

The '__allow_access_to_unprotected_subobjects__ = 1' hack doesn't work in this case for some reason. That was one of the things I'd tried before sending the post.

The other case does work in this instance but there is, to my mind, something still not ringing true.

For example, using the ZPT stuff, if you put here/title as an output variable (similar to <dtml-var title>), you get the same unauthorized traceback as stated below. This means that the object doesn't have access to its own properties, surely not!

I'm not saying that there is a security hole in Zope, quite the opposite. Access is being denied to things that the current user should have access to. This has meant that I'm having to loosen security on some of my 'bits' to allow the user to see things correctly. This only started happening with 2.3.x (and maybe some of the betas). Zope 2.2.x did not seem to have this problem.

I've seen spurious mention of similar things over the last few months from other Zope users as well, but then I do feel slightly paranoid at the moment, maybe I'm just looking at the world through shitty colored glasses 8¬(.

I will try and dredge some of these things up, either to fuel the fire or put it out. ;)

If the above case doesn't cover it I'm going to have to find another test case, even if it's just to prove to myself that there is nothing wrong. ;)

Thanks for the help.

Phil

----- Original Message -----
From: "Chris McDonough" <chrism@digicool.com>
To: "Phil Harris" <phil.harris@zope.co.uk>; <zope@zope.org>
Sent: Wednesday, May 09, 2001 3:41 PM
Subject: Re: [Zope] Security Problems?
Hi Folks,

I'm experiencing trouble with ZCatalog in 2.3.2. I read all about upgrading from my working 2.3.0 catalog and thinking that maybe I futzed it, I just created a new catalog. I couldn't find any reports of sort_on problems except for some references to a 'FieldIndex' bug, that has already been squashed.

Here's my situation, I have a bunch of cataloged objects and I want to sort on one of the fields. In 2.3.0 I would just set 'sort_on' in the REQUEST to be one of the 'FieldIndexed' attributes and it worked. When I upgraded to 2.3.2 (yesterday) it stopped working.

I've managed to trace it down to the _indexedSearch call in the __call__ of Catalog. sort_index looks OK, but _indexedSearch goes through the index items and creates LazyMap objects, but they seem broken somehow:

    656                 raise CatalogError, ('Unknown sort_on index %s' % sort_index)
    657
    658             # Perform searches with indexes and sort_index
    659             r=[]
    660             used=self._indexedSearch(kw, sort_index, r.append, used)
    661  ->         if not r:
    662                 return LazyCat(r)
    663
    664             # Sort/merge sub-results
    665             if len(r)==1:
    666                 if sort_index is None: r=r[0]
    (Pdb) print r
    [('aerosmith', [<mybrains instance at 8bb6340>]), ('albert finney', [<mybrains instance at 8bb6350>]), ('alfred hitchcock', [<mybrains instance at 8bb6360>]), ('beatles', *** TypeError: unsubscriptable object

When _indexedSearch returns, the 'r' list is sunk, though what's there is sorted. ;-)

I'm invoking the Catalog like so:

    <dtml-in "Catalog({}, sort_on='kArtist')">
    <dtml-var Artist><br>
    </dtml-in>

I don't have time right now to dig into why LazyMap is raising a TypeError, but I might later today. When I take out the sort_on, all the records are returned.

Any ideas would be appreciated!

thanks,
-steve
For example, using the ZPT stuff, if you put here/title as an output variable (similar to <dtml-var title>), you get the same unauthorized traceback as stated below. This means that the object doesn't have access to its own properties, surely not!
This *might* be a bug in ZPT... If I were you, I might try asking a question about this on the ZPT list... or maybe someone who knows lots about ZPT will stumble upon it here.
I'm not saying that there is a security hole in Zope, quite the opposite. Access is being denied to things that the current user should have access to. This has meant that I'm having to loosen security on some of my 'bits' to allow the user to see things correctly. This only started happening with 2.3.x (and maybe some of the betas). Zope 2.2.x did not seem to have this problem.
If there's places in Zope where it's broken, we'd like to know... thanks! - C
Hi Phil,

that's not a bug, it's a feature :-)
You need __allow_access_to_unprotected_subobjects__=1 somewhere in your class

Regards
Tino Wildenhain

--On Wednesday, 9 May 2001 15:08 +0100 Phil Harris <phil.harris@zope.co.uk> wrote:
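Chris's diagnosis (instances with no security declarations are denied) and Tino's "not a bug, it's a feature" both describe the same fail-closed rule: when DTML fetches an attribute, Zope 2 treats the absence of a declaration as "deny", not as "allow". The block below is an added example, not code from this thread or from Zope itself: a stripped-down Python 3 model of that decision that reproduces the "Unauthorized: score" seen on Phil's bare class and the success with the declarations Chris suggests, and goes one step further by whitelisting only the attribute the template actually needs. guarded_getattr, Bare, Declared, ScoreOnly, ManagerOnly, render_scores and is_accessible are names invented here; __roles__, <name>__roles__ and __allow_access_to_unprotected_subobjects__ (int or dict form) are real Zope attribute names, but roles inheritance, permissions and acquisition are deliberately left out, so this runs without Zope installed.

```python
# Added example: a toy model of the attribute check Zope 2 makes when DTML
# reads obj.attr (careful_getattr -> validate). Not Zope's code; it keeps only
# the parts needed to explain the thread. Python 3, no Zope required.

_MISSING = object()


class Unauthorized(Exception):
    """Stands in for AccessControl.Unauthorized."""


def guarded_getattr(container, name, user_roles=frozenset({"Anonymous"})):
    """Fetch container.<name> the fail-closed way Zope does.

    Decision order (simplified from ZopeSecurityPolicy.validate):
      1. a declaration on the value itself (value.__roles__) wins, else
      2. a per-attribute declaration on the container (<name>__roles__), else
      3. the container's __allow_access_to_unprotected_subobjects__, which may
         be an int (0/1) or a dict {attribute_name: 0/1} listing what is exposed,
      4. with no declaration at all: deny. Silence is not permission.
    __roles__ == None means public; a sequence means "any of these roles".
    """
    if name.startswith("_"):
        raise Unauthorized(name)              # underscore names are never published
    value = getattr(container, name)

    roles = getattr(value, "__roles__", _MISSING)
    if roles is _MISSING:
        roles = getattr(container, name + "__roles__", _MISSING)
    if roles is not _MISSING:
        if roles is None or user_roles.intersection(roles):
            return value
        raise Unauthorized(name)

    policy = getattr(container, "__allow_access_to_unprotected_subobjects__", 0)
    if isinstance(policy, dict):
        policy = policy.get(name, 0)          # only listed attributes are exposed
    if policy:
        return value
    raise Unauthorized(name)                  # Phil's case: "Unauthorized: score"


class Bare:
    """Phil's class 'c': no declarations at all."""
    def __init__(self, a):
        self.score = a
        self.test = a * a


class Declared:
    """What Chris's declareObjectPublic() + setDefaultAccess('allow') amount to
    after InitializeClass has applied them (modelled here as plain attributes)."""
    __roles__ = None                                   # declareObjectPublic()
    __allow_access_to_unprotected_subobjects__ = 1     # setDefaultAccess('allow')

    def __init__(self, a):
        self.score = a
        self.test = a * a


class ScoreOnly:
    """Least-privilege variant (hypothetical, not from the thread): expose only
    'score', which is all the template reads, and keep 'test' unpublished."""
    __roles__ = None
    __allow_access_to_unprotected_subobjects__ = {"score": 1}

    def __init__(self, a):
        self.score = a
        self.test = a * a


class ManagerOnly:
    """Per-attribute role declaration (hypothetical): 'score' needs Manager."""
    __roles__ = None
    score__roles__ = ("Manager",)

    def __init__(self, a):
        self.score = a


def render_scores(cls, user_roles=frozenset({"Anonymous"})):
    """Model of Phil's loop: <dtml-in t><dtml-var "_['sequence-item'].score">.
    Returns the rendered values, or the Unauthorized message the page would show."""
    try:
        return [guarded_getattr(cls(a), "score", user_roles) for a in range(1, 10)]
    except Unauthorized as exc:
        return "Unauthorized: %s" % exc


def is_accessible(obj, name, user_roles=frozenset({"Anonymous"})):
    """True if guarded_getattr would hand the attribute to this user."""
    try:
        guarded_getattr(obj, name, user_roles)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    for cls in (Bare, Declared, ScoreOnly):
        print(cls.__name__, "->", render_scores(cls))
    print("ScoreOnly.test visible to Anonymous?", is_accessible(ScoreOnly(2), "test"))
    print("ManagerOnly.score as Manager?",
          is_accessible(ManagerOnly(2), "score", frozenset({"Manager"})))
```

The point the thread circles around is the fourth rule: Zope's policy never falls through to "allow", so a class that says nothing about itself is invisible to templates, which is the behaviour Tino calls a feature. Between Chris's two fixes, the dict form shown in ScoreOnly is the one to prefer when the class carries more than the template should see.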
Participants (4):
- Chris McDonough
- Phil Harris
- Steve Spicklemire
- Tino Wildenhain