Security of a Web Application in Zope
Hello All,

We've been working with Zope on a few projects, and have come to realize that our development methodology has left some wide gaps in security. Let me demonstrate with an example:

The project hierarchy basically looks like this:

/root
    index.html
    otherfiles.html
    /queries
        all Z SQL Methods
    /scripts
        all python scripts

The problem as I perceive it is that you can feed my Z SQL Methods and python scripts any input you want if you know what they are called. This is bad. Security via Obscurity is not secure.

I *thought* that perhaps I could revoke all rights to Anonymous from the methods and scripts, and then give them to Owner, and Proxy Role the .html files to Owner, but that seems to block inter-script and script-to-query calls. I would have to Proxy Role every object, of which there is no easy interface to do so.

Anyone with better thoughts on securing my scenario? (Or, indeed, if I need to turn my scenario on its head?)

Ed
On Wed, 2003-09-24 at 10:32, Edward Pollard wrote:
The project hierarchy basically looks like this:

/root
    index.html
    otherfiles.html
    /queries
        all Z SQL Methods
    /scripts
        all python scripts

The problem as I perceive it is that you can feed my Z SQL Methods and python scripts any input you want if you know what they are called.
Assuming you haven't taken any measures to prevent that, yes.
This is bad. Security via Obscurity is not secure.
Sure isn't.
Anyone with better thoughts on securing my scenario? (Or, indeed, if I need to turn my scenario on its head?)
Instead of grouping your objects by *type* you should group them by *permissions* such that traversing further into the hierarchy enforces increasingly strict permissions. Read the Zope Book chapter on security, come up with some roles that describe your different functional groups and configure your objects to only respond to the roles you want using them.

http://zope.org/Documentation/Books/ZopeBook/2_6Edition/Security.stx

HTH,

Dylan
Edward Pollard wrote at 2003-9-24 11:32 -0600:
... Let me demonstrate with an example: The project hierarchy basically looks like this:

/root
    index.html
    otherfiles.html
    /queries
        all Z SQL Methods
    /scripts
        all python scripts
... I *thought* that perhaps I could revoke all rights to Anonymous from the methods and scripts, and then give them to Owner, and Proxy Role the .html files to Owner, but that seems to block inter-script and script-to-query calls. I would have to Proxy Role every object, of which there is no easy interface to do so.
Anyone with better thoughts on securing my scenario? (Or, indeed, if I need to turn my scenario on its head?)
Someone else already suggested that grouping by type is not the best approach for Zope... When you want to prevent activation by ZPublisher, there is some product "TraversableFolder" (or something similar) that allows you to control traversal through the folder. I think you can specify that only traversal from local intranet addresses is possible. A similar effect can be achieved with a SiteAccess AccessRule on the folder.

Dieter
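Dieter's intranet-only rule, as an added example that is not code from the thread or from the SiteAccess product: the address check is plain Python so it can be tested outside Zope, while the `access_rule(container, request)` signature, the use of `request['REMOTE_ADDR']`, and the intranet ranges are assumptions to be checked against your Zope version.

```python
# Added example, not from the thread: an access-rule style check that only
# lets traversal into a folder continue when the TCP peer is on the intranet.
# How SiteAccess invokes the rule is an assumption here; the policy logic is
# kept in a pure function so it can be tested on its own.
import ipaddress

try:
    from AccessControl import Unauthorized  # available inside Zope
except ImportError:  # running outside Zope: stand-in with the same role
    class Unauthorized(Exception):
        pass

# Constructed intranet ranges; replace with the ones your site actually uses.
INTRANET_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_intranet(remote_addr, nets=INTRANET_NETS):
    """True only for a syntactically valid address inside one of `nets`.

    Empty, missing or unparseable addresses count as external, so the
    rule fails closed rather than open.
    """
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except (ValueError, AttributeError):
        return False
    return any(addr in net for net in nets)


def access_rule(container, request):
    """Hypothetical access-rule body (assumed signature).

    Denies traversal into `container` unless the peer address is on the
    intranet. Only REMOTE_ADDR is consulted: X-Forwarded-For and similar
    headers are client-controlled and are deliberately ignored.
    """
    remote = request.get("REMOTE_ADDR", "")
    if not is_intranet(remote):
        raise Unauthorized("direct access not allowed from %r" % (remote,))
    return None  # allowed: let publishing continue into the folder
```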
Participants (3): Dieter Maurer, Dylan Reinhardt, Edward Pollard