RE: [Zope] Securing Zope and Special URLs
Jamie Heilman wrote: [Zope Security is an oxymoron]
3) Never use DTML.
Why? Also, one other thing -- we're doing the standard thing with database connections -- having zsql methods call zodbc connectors; aforementioned connectors are defined with the username/password needed to connect to the DB. Is it possible to either have the password dealt with dynamically (supplied by whatever it is that's calling the zsql method) and/or obscured somehow?
-roy
On Wed, 2003-09-10 at 16:46, Roy Rapoport wrote:
Jamie Heilman wrote: [Zope Security is an oxymoron]
3) Never use DTML.
Why?
Because DTML offends some Zope users' sense of aesthetics, that's why. What... you need a reason besides that? :-)

IMO, DTML is a perfectly good templating language as long as that's all you use it for. It isn't ASP. When you use logic more complex than "if X, print Y" you should probably be using Python. For my money, TAL provides almost no major advantage over DTML except that it breaks before you get into trouble using it for too much logic. For those of us who are grown-ups and can be trusted to use tools correctly, DTML is a perfectly valid choice.

As for Zope being unsecurable: well, in some sense, everything is. That doesn't mean it's not worth doing what you can.

My top ten tips for securing Zope:
1. Run it behind Apache
2. SSL-secure your ZMI*
3. Disable all non-web Zope services (FTP, WebDAV)
4. Run different customers on different instances.
5. Block all ports besides 80 and whatever else is essential
6. Plan security carefully and enforce minimum privileges.
7. Examine default Folder permissions.
8. Audit your logs
9. Add Zope (!=/var/*) to your IDS scan. You *are* running an IDS, yes?
10. Harden your server and enforce secure operating policies.

* It is difficult to exhaustively detect "management" methods with a rewrite rule. It is easy, however, to set up an SSL-secured vhost called manage.domain.com. This provides admins with an easy way of knowing that they are using secure logins. Disable unsecured access to /manage just to make sure nobody forgets.

HTH,
Dylan
Dylan Reinhardt wrote:
On Wed, 2003-09-10 at 16:46, Roy Rapoport wrote:
Jamie Heilman wrote: [Zope Security is an oxymoron]
3) Never use DTML.
Why?
Because DTML offends some Zope users' sense of aesthetics, that's why.
It goes beyond that. DTML is a stack of namespaces, and more often than not the end results are unpredictable. The ZMI, largely made up of DTMLFile objects, is painfully susceptible to abuse, for example: drop an object called URL or URL1 or BASEPATH1 into your zodb, then try to manage objects at the same level, but notice how everything breaks... that's DTML in a nutshell. Now, it's not that DTML is impossible to write such that the expected results are always realized, it's that very few people, including ZC, bother to do so because it means heavy use of fully qualified variables, which are frequently inconvenient and appear overly verbose. (You end up with a lot of "<dtml-var REQUEST.BASEPATH1 html_quote>" instead of "&dtml-BASEPATH1;".) By now folks have mostly learned that explicit qualification is preferred to implicit qualification, and it's not simply a matter of aesthetics at stake, but rather a matter of predictability and sanity at even the most basic levels of authorship. DTML was an interesting experiment in contextual namespace collusion, it failed, and now we have ZPT.

--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
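The namespace-shadowing problem Jamie describes, as an added example that is not part of the thread and not Zope's own code: a toy model of a DTML-style namespace stack in which an implicit lookup (the `&dtml-BASEPATH1;` form) returns whichever namespace happens to sit on top, so an object a user dropped into the folder with the name `BASEPATH1` silently replaces the request variable, while an explicit, qualified lookup (the `REQUEST.BASEPATH1` form) still resolves to the intended value. The lookup order and the names `Namespace`, `NamespaceStack`, `build_stack` and the sample values are constructed for illustration; the real DTML resolution rules are more involved than this.

```python
"""Toy model of DTML-style implicit vs. explicit name resolution.

This is an added, simplified illustration, not Zope's DTML implementation.
"""


class Namespace:
    """One layer of the stack: a named bag of attributes (request, folder, ...)."""

    def __init__(self, name, **attrs):
        self.name = name
        self._attrs = attrs

    def get(self, key):
        return self._attrs.get(key)


class NamespaceStack:
    """Stack of namespaces; index 0 is the most recently pushed (top)."""

    def __init__(self, *namespaces):
        self.stack = list(namespaces)

    def push(self, namespace):
        self.stack.insert(0, namespace)

    def implicit(self, key):
        """Implicit lookup, like &dtml-BASEPATH1;: the first namespace holding
        the key wins, whichever one that happens to be."""
        for namespace in self.stack:
            value = namespace.get(key)
            if value is not None:
                return value
        raise KeyError(key)

    def explicit(self, namespace_name, key):
        """Explicit lookup, like <dtml-var REQUEST.BASEPATH1>: the author names
        the namespace, so a same-named object elsewhere cannot shadow it."""
        for namespace in self.stack:
            if namespace.name == namespace_name:
                return namespace.get(key)
        raise KeyError(namespace_name)


def build_stack(folder_objects):
    """Build a stack with constructed request values and the objects that
    live in the folder being rendered (the folder ends up on top)."""
    request = Namespace(
        "REQUEST",
        BASEPATH1="/site",
        URL1="http://example.invalid/site/folder",
    )
    folder = Namespace("folder", **folder_objects)
    stack = NamespaceStack(request)
    stack.push(folder)
    return stack


def resolve_both(folder_objects, key):
    """Return (implicit result, explicit REQUEST result) for comparison."""
    stack = build_stack(folder_objects)
    return stack.implicit(key), stack.explicit("REQUEST", key)


if __name__ == "__main__":
    # Constructed scenario: a user creates an object named BASEPATH1 in the folder.
    shadowing = {"BASEPATH1": "<user object /site/folder/BASEPATH1>"}
    print(resolve_both(shadowing, "BASEPATH1"))
    print(resolve_both({}, "BASEPATH1"))
```

With the shadowing object present, the implicit lookup returns the user's object rather than the request's base path, which is exactly the kind of breakage Jamie describes; the explicit lookup is unaffected in both runs.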
Dylan Reinhardt wrote at 2003-9-10 17:41 -0700:
On Wed, 2003-09-10 at 16:46, Roy Rapoport wrote:
Jamie Heilman wrote: [Zope Security is an oxymoron]
3) Never use DTML.
Why? ... For my money, TAL provides almost no major advantage over DTML except that it breaks before you get into trouble using it for too much logic.
It does automatic HTML quoting on dynamic content (unless you use "structure") and therefore provides more protection against cross-site scripting attacks.
Dieter
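Dieter's point about default quoting, as an added example that is not part of the thread and uses neither real DTML nor real TAL syntax: two tiny renderers over the same `${name}` placeholder syntax, one that inserts values raw unless the author remembers to quote (the DTML-style default) and one that quotes by default and only inserts raw markup when the author opts in with `${structure name}` (the TAL-style default). The placeholder syntax, the function names and the sample value are constructed for illustration.

```python
"""Raw-by-default vs. quoted-by-default template rendering.

Added illustration; the ${...} syntax is a stand-in, not DTML or TAL.
"""
import html
import re

# Placeholder: ${name} or ${structure name}
_VAR = re.compile(r"\$\{(structure\s+)?(\w+)\}")

# Constructed sample of untrusted input, e.g. a value echoed back from a form.
UNTRUSTED = '<script>alert(1)</script>'


def render_dtml_style(template, context):
    """Insert values raw by default, like &dtml-name; without html_quote.
    The author has to remember to quote every single dynamic value."""
    return _VAR.sub(lambda m: str(context[m.group(2)]), template)


def render_tal_style(template, context):
    """Quote every value by default; only ${structure name} inserts raw markup,
    so the unsafe case is the one that requires an explicit opt-in."""

    def replace(match):
        value = str(context[match.group(2)])
        if match.group(1):          # author asked for raw markup
            return value
        return html.escape(value, quote=True)

    return _VAR.sub(replace, template)


def contains_script_tag(rendered):
    """Cheap check used only to show which output still carries live markup."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    page = "<p>Hello, ${name}</p>"
    ctx = {"name": UNTRUSTED}
    for renderer in (render_dtml_style, render_tal_style):
        out = renderer(page, ctx)
        print(renderer.__name__, contains_script_tag(out), out)
    # Opting into raw insertion is a visible, reviewable decision in the template.
    print(render_tal_style("<div>${structure body}</div>", {"body": "<b>ok</b>"}))
```

The useful property is not that quoting is impossible in the raw-by-default style, but that a single forgotten `html_quote` is enough to lose it, whereas in the quoted-by-default style every raw insertion is marked in the template and can be found in review.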