I discovered a potential problem with ZPublisher, External Methods and Zope XML-RPC. Let's say you write an external method in Python, and you want to call it via XML-RPC.

To make life more interesting, pretend you need access to 'self'. If you call an external method from ZPublisher (instead of calling it from DTML), you can't specify 'self' as your first parameter. Instead, you must specify it as your last parameter.

Unfortunately, the user can pass a bogus 'self' parameter to your Python method, and possibly subvert any security checks you've provided (many such checks rely on 'self' in some fashion).

Short Term Workaround
---------------------

Access an attribute on self. Since no XML-RPC data types seem to support attributes, this should provide a small measure of security.

    def deliverNews(foo, self):
        # CAREFUL - Zope is sloppy about passing 'self' to external methods.
        # ZPublisher will only pass you a self argument if you leave an extra
        # parameter at the end of your parameter list and call it 'self'.
        # Unfortunately, a sneaky user could pass one extra parameter when
        # calling this function and give us a bogus value of self. To prevent
        # problems, we must double-check that self isn't some sort of XML-RPC
        # object. We can do that by accessing an attribute.
        REQUEST = self.REQUEST
        return foo

Possible Fix?
-------------

ZPublisher should probably work more like DTML rendering. In particular, it should check for a first parameter named 'self' and pass an appropriate object. Would this break something else in a complicated fashion?

Cheers,
Eric
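The following is an added example, not code from the original post or from Zope itself. It models the pre-fix argument binding the post describes (XML-RPC positional parameters bound to an external method's parameters in order, with a trailing parameter named 'self' filled from the container only when the client sends nothing for it) and shows how an extra client-supplied parameter lands in 'self', why a permissive check on that value passes, and how the attribute-access workaround rejects it. FakeRequest, FakeFolder, publish_xmlrpc, the 'locked' flag and the two deliverNews variants are all constructed for this example; publish_xmlrpc is a simulation, not ZPublisher's own mapping code.

```python
import inspect


class FakeRequest:
    """Stand-in for Zope's REQUEST object (constructed for this example)."""

    def __init__(self, form=None):
        self.form = form or {}


class FakeFolder:
    """Stand-in for the Zope container that the publisher binds as 'self'.
    'locked' is an invented flag used only to give the method a guard."""

    def __init__(self, request, locked):
        self.REQUEST = request
        self.locked = locked


def publish_xmlrpc(func, container, params):
    """Simulation of the pre-fix binding described in the thread (not
    ZPublisher's mapply): XML-RPC positional params are bound to the
    method's parameters in order, and a trailing parameter named 'self'
    receives the container only when the client sent nothing for it."""
    names = list(inspect.signature(func).parameters)
    if len(params) > len(names):
        raise TypeError("too many parameters")
    args = list(params)
    if len(args) == len(names) - 1 and names[-1] == "self":
        args.append(container)  # the only way a genuine 'self' arrives
    elif len(args) != len(names):
        raise TypeError("missing parameters")
    return func(*args)


def deliverNews_naive(foo, self):
    """External method whose only guard is a permissive attribute lookup
    on 'self': anything without a 'locked' attribute is treated as open."""
    if getattr(self, "locked", 0):
        return "denied"
    return "news for %s" % foo


def deliverNews_checked(foo, self):
    """Same method with the post's workaround: touch an attribute that only
    a real Zope object carries before trusting 'self'. XML-RPC values
    unmarshal to str/int/list/dict, none of which has a REQUEST attribute."""
    try:
        REQUEST = self.REQUEST  # noqa: F841 - the access itself is the check
    except AttributeError:
        raise ValueError("bogus 'self' supplied by the client")
    if getattr(self, "locked", 0):
        return "denied"
    return "news for %s" % foo


def demo():
    """Run the honest and the sneaky call against both methods."""
    folder = FakeFolder(FakeRequest(), locked=1)
    results = {}
    # Honest call: one param, so the publisher supplies the container and
    # the locked container correctly denies the request.
    results["honest"] = publish_xmlrpc(deliverNews_naive, folder, ["world"])
    # Sneaky call: a second param lands in 'self'. An XML-RPC struct becomes
    # a plain dict with no 'locked' attribute, so the naive guard passes.
    results["spoofed_naive"] = publish_xmlrpc(
        deliverNews_naive, folder, ["world", {"locked": 0}])
    # The checked method refuses the spoofed object outright.
    try:
        publish_xmlrpc(deliverNews_checked, folder, ["world", {"locked": 0}])
        results["spoofed_checked"] = "accepted"
    except ValueError:
        results["spoofed_checked"] = "rejected"
    results["honest_checked"] = publish_xmlrpc(
        deliverNews_checked, folder, ["world"])
    return results


if __name__ == "__main__":
    print(demo())
```

The workaround holds only as long as nothing the XML-RPC layer can unmarshal carries the attribute being probed, which is why the post calls it a small measure of security; the publisher binding 'self' itself, as Jim's reply describes, removes the client's ability to supply that parameter at all.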
Eric Kidd wrote:
Possible Fix?
-------------
ZPublisher should probably work more like DTML rendering. In particular, it should check for a first parameter named 'self' and pass an appropriate object. Would this break something else in a complicated fashion?
I just checked in a fix exactly along these lines. It will be in 2.0 final. It shouldn't break anything that doesn't already need to be broken. ;)

Jim

--
Jim Fulton           mailto:jim@digicool.com   Python Powered!
Technical Director   (888) 344-4332            http://www.python.org
Digital Creations    http://www.digicool.com   http://www.zope.org

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) this email address may not be added to any commercial mail list without my permission. Violation of my privacy with advertising or SPAM will result in a suit for a MINIMUM of $500 damages/incident, $1500 for repeats.
participants (2)
- Eric Kidd
- Jim Fulton