Hi, I've just been reading an interesting article on XML-RPC which led me to try something and ask some questions... If you go to http://www.zope.org/title_or_id you get the result of the title_or_id method. The same is true of the manage method and the REQUEST method. Me being paranoid, this makes me wonder whether there are any 'bad' methods that could be executed in this way, without any security authorization? Again, being paranoid, how would you go about turning off the title_or_id or REQUEST methods, or at least requiring authorisation to use them? (While of course leaving it possible for DTML methods and the like within the site to call them) Finally, if you had a DTML document, method or image, etc, called title_or_id or manage, how would you go about getting the one you want, either the document or the result of calling the method? cheers for any help, confusedly, Chris
----- Original Message ----- From: "Chris Withers" <chrisw@nipltd.com> To: "Zope Mailing List" <zope@zope.org> Sent: Monday, February 07, 2000 10:30 AM Subject: [Zope] Newbie Security Query
If you go to http://www.zope.org/title_or_id you get the result of the title_or_id method. The same is true of the manage method and the REQUEST method. Me being paranoid, this makes me wonder whether there are any 'bad' methods that could be executed in this way, without any security authorization?
There's nothing *very* bad that can be executed without permission. "objectIds" is questionable.
Again, being paranoid, how would you go about turning off the title_or_id or REQUEST methods, or at least requiring authorisation to use them? (While of course leaving it possible for DTML methods and the like within the site to call them)
I don't know that there is any way to do so. I don't think the security machinery differentiates between things called from the web directly and called from DTML (though it is only through my observations that I say this, I haven't looked at that part of the code).
Finally, if you had a DTML document, method or image, etc, called title_or_id or manage, how would you go about getting the one you want, either the document or the result of calling the method?
Hmmm... I don't think I'd be brave enough to name something "manage" :) Kevin
There's nothing *very* bad that can be executed without permission. "objectIds" is questionable.
Okay, now I'm getting nervous... what not-so-bad things can you do?! (going to http://www.zope.org/text_content brought up a very disturbing screen...)
I don't know that there is any way to do so. I don't think the security machinery differentiates between things called from the web directly and called from DTML (though it is only through my observations that I say this, I haven't looked at that part of the code).
I wonder if anyone at DC could help out here? My wish-list would be to be able to differentiate in a convenient manner between stuff publicly available and stuff that isn't. To generalise this further, I'd love to be able to assign the usability of a method or access to an object on a role basis, with special roles including 'anonymous' for public access and 'system' for calls from other objects. Kind of like putting public: and private: in a C++ or Java class, but with finer control.
Hmmm... I don't think I'd be brave enough to name something "manage" :)
Okay, this isn't a problem, because if you try and create one, you get told the id is invalid because it is already in use :-) Well, hope people can help, Chris
----- Original Message ----- From: "Chris Withers" <chrisw@nipltd.com> To: "Zope Mailing List" <zope@zope.org> Sent: Monday, February 07, 2000 11:37 AM Subject: Re: [Zope] Newbie Security Query
There's nothing *very* bad that can be executed without permission. "objectIds" is questionable.
Okay, now I'm getting nervous... what not-so-bad things can you do?! (going to http://www.zope.org/text_content brought up a very disturbing screen...)
I didn't mean to scare you. I have confidence in Zope's security and what an anonymous person can and can't do. When I said there's "nothing *very* bad", I meant that not everyone would prefer if something like "objectIds" works as it does. But, in truth, it's not really a security hazard. You should just be aware that "security through obscurity" (trying to make methods that are secure just because they have difficult to guess names) definitely is not a good way to go. As for text_content, I don't think that's a "standard" method. Zope.org has some features on it designed to make it a somewhat open book, so that people can learn from it. I don't think there is any way for someone to get at your source code in the current version of Zope without you actually making that possible.
I wonder if anyone at DC could help out here? My wish-list would be to be able to differentiate in a convenient manner between stuff publicly available and stuff that isn't. To generalise this further, I'd love to be able to assign the usability of a method or access to an object on a role basis, with special roles including 'anonymous' for public access and 'system' for calls from other objects. Kind of like putting public: and private: in a C++ or Java class, but with finer control.
I think you can set this up yourself, through extensive use of proxy roles. If you have a method that you don't want to be callable through the web, you can make it require a role of "System". Then, any method you write that needs to use it could have a proxy role of "System". Kevin
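A small Python model of the proxy-role scheme Kevin describes, added here to illustrate the thread (it is not Zope's code and does not run inside Zope): `objectIds` is restricted to a "System" role, so a direct anonymous web hit is refused, while the public `index_html` carries a proxy role of "System" and can call it on the visitor's behalf. The role names, the guard decorator and the mini site contents are all constructed for the example.

```python
from functools import wraps

class Unauthorized(Exception):
    """Raised when the effective roles do not satisfy a method's requirement."""
# Effective roles for the current call, kept as a stack: a web request pushes the
# visitor's roles; a method declared with proxy roles pushes those for its body.
_role_stack = []

def requires(*roles, proxy_roles=()):
    """Guard: caller needs one of `roles`; with `proxy_roles`, the body runs as those."""
    def deco(func):
        @wraps(func)
        def wrapper(*args, **kw):
            current = _role_stack[-1] if _role_stack else frozenset()
            if not set(roles) & current:
                raise Unauthorized("%s requires one of %s" % (func.__name__, sorted(roles)))
            _role_stack.append(frozenset(proxy_roles) if proxy_roles else current)
            try:
                return func(*args, **kw)
            finally:
                _role_stack.pop()
        return wrapper
    return deco

def publish(func, request_roles):
    """Simulate a direct web hit on http://site/<func> carrying only the visitor's roles."""
    _role_stack.append(frozenset(request_roles))
    try:
        return func()
    finally:
        _role_stack.pop()

def denied(func, request_roles):
    """True if publishing `func` with `request_roles` is refused by the guard."""
    try:
        publish(func, request_roles)
    except Unauthorized:
        return True
    return False

# Constructed mini site: the objects a listing method would reveal to a visitor.
CONTENTS = {"index_html": "page", "secret_notes": "page"}
@requires("System")                      # not reachable by an anonymous URL hit
def objectIds():
    return sorted(CONTENTS)
@requires("Anonymous", "System", proxy_roles=("System",))
def index_html():                        # public, but acts as "System" internally
    return "%d items" % len(objectIds())
@requires("Anonymous", "System")         # public, no proxy role: keeps visitor's roles
def raw_listing():
    return objectIds()
```

Note that `raw_listing` is public yet still fails for an anonymous visitor, because without a proxy role the inner `objectIds` call is checked against the visitor's own roles.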
Participants (2): Chris Withers, Kevin Dangoor