Re: [Zope] Script (Python) insecure ?
The same question again and again.
As a Zope user I prefer to know as soon as possible if Zope has security problems like those.
Perhaps the correct way would be to send the problem to the Zope people and make it public 2 weeks later.
I think 2 weeks is a very correct period to solve a problem; if not, I want to try to solve the problem for myself.
But I shut my mouth, sorry Andreas ;)
2008/8/12 Andreas Jung <lists@zopyx.com>:
*sigh*
I wished that both exploits were reported to the Zope bugtracker in order to work on solutions before making the exploits public.
--On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal@egenix.com> wrote:
Hello,
1. Attack:
Put this into a "Script (Python)" object and run it:
return 'kaboom'.encode('test.testall')
This results in a denial-of-service, since Zope will hang running the Python test suite.
The reason for this is a problem in the way the encoding search function works in Python 2.4. This was changed in 2.5 to no longer allow searching for codecs outside the encodings package.
That's pretty obscure behavior of Python 2.4...anyway.
2. Attack:
Put this into a "Script (Python)" object and run it:
raise SystemExit
This shuts down Zope.
The Python Script environment should obviously catch such exceptions and not let them propagate up the call stack.
See the followup on
<https://bugs.launchpad.net/zope2/+bug/257269>
There is a patch available that solves the problem.
Andreas
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev)
--
Mis Cosas http://blogs.sistes.net/Garito
Zope Smart Manager http://blogs.sistes.net/Garito/670
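Both attacks in the quoted report come down to one host-side mistake: the environment that runs a Script (Python) body trusts the interpreter to behave, so a dotted codec name reached `__import__` and a `SystemExit` reached the server's main loop. The following is an added example written for this page, not Zope's PythonScript or RestrictedPython code: a minimal, hypothetical host (`run_script`, `guarded_lookup`, `script_encode`, `ScriptError` are all names chosen here) that reproduces the Python 2.5 rule for codec names in front of `codecs.lookup` and converts process-control exceptions raised by a script into an ordinary error. The tiny `__builtins__` subset it hands the script is only there to keep the demo self-contained; it is not a sandbox and does not stand in for RestrictedPython's checks.

```python
# Added illustration (not Zope code): a minimal host for untrusted script
# bodies with guards for the two failure modes reported in this thread.
import codecs
import re


class ScriptError(Exception):
    """What the host reports to its caller when a script misbehaves, so
    that no script-level exception reaches the server's main loop."""


# Not errors in the script's own logic but signals to the interpreter or
# process. A script must never be able to raise these through the host:
# SystemExit is exactly what shut Zope down in attack 2.
_PROCESS_CONTROL = (SystemExit, KeyboardInterrupt, GeneratorExit)

# Python 2.5's encodings search function rejects names containing '.' and
# always imports 'encodings.<name>'; 2.4 handed the raw name to __import__,
# so 'test.testall' imported and ran the regression-test package (attack 1).
_PLAIN_CODEC_NAME = re.compile(r"^[a-z0-9_-]+$")


def guarded_lookup(encoding):
    """codecs.lookup() restricted to plain codec names (the 2.5 rule)."""
    norm = encoding.strip().lower().replace(" ", "_")
    if not _PLAIN_CODEC_NAME.match(norm):
        raise LookupError("refusing codec name %r" % (encoding,))
    return codecs.lookup(norm)


def script_encode(text, encoding="utf-8"):
    """encode() helper exposed to scripts in place of str.encode."""
    return guarded_lookup(encoding).encode(text)[0]


def run_script(body, hardened=True):
    """Run *body* as the body of a parameterless function (a Script (Python)
    object is also a function body) and return its result.

    hardened=False reproduces the behaviour the report describes: whatever
    the script raises, SystemExit included, propagates to the caller.
    hardened=True turns every exception the script raises into ScriptError.
    """
    lines = body.splitlines() or ["pass"]
    src = "def _script():\n" + "".join("    %s\n" % line for line in lines)
    namespace = {
        # Illustrative subset only; real restriction is RestrictedPython's job.
        "__builtins__": {
            "len": len, "str": str, "range": range,
            "SystemExit": SystemExit, "KeyboardInterrupt": KeyboardInterrupt,
            "LookupError": LookupError, "ValueError": ValueError,
        },
        "encode": script_encode,
    }
    exec(compile(src, "<script>", "exec"), namespace)
    script = namespace["_script"]
    if not hardened:
        return script()
    try:
        return script()
    except _PROCESS_CONTROL as exc:
        # Contain interpreter/process signals; the server keeps running.
        raise ScriptError("script raised %s" % type(exc).__name__) from None
    except Exception as exc:
        # Report ordinary failures without leaking a raw traceback.
        raise ScriptError("script failed: %s: %s"
                          % (type(exc).__name__, exc)) from exc


if __name__ == "__main__":
    print(run_script("return encode('kaboom')"))
    for body in ("raise SystemExit", "return encode('kaboom', 'test.testall')"):
        try:
            run_script(body)
        except ScriptError as err:
            print("contained:", err)
```

Running the module shows `b'kaboom'` for the benign script and a "contained:" line for each of the two attack bodies; calling `run_script("raise SystemExit", hardened=False)` instead raises `SystemExit` in the caller, which is the behaviour the report describes. Catching `BaseException` wholesale would work too, but listing the process-control types makes it explicit which signals the host refuses to forward.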
Garito wrote:
2008/8/12 Andreas Jung <lists@zopyx.com>
*sigh*
I wished that both exploits were reported to the Zope bugtracker in order to work on solutions before making the exploits public.
Right: we would just like time to investigate the problem so that we can announce the problem and the workaround / hotfix / new releases simultaneously. Two weeks would be longer than I would expect that process to take.

Tres.

--
===================================================================
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
On 2008-08-12 18:04, Tres Seaver wrote:
2008/8/12 Andreas Jung <lists@zopyx.com>
*sigh*
I wished that both exploits were reported to the Zope bugtracker in order to work on solutions before making the exploits public.
Right: we would just like time to investigate the problem so that we can announce the problem and the workaround / hotfix / new releases simultaneously. Two weeks would be longer than I would expect that process to take.
Next time, I'll post the report to the tracker and mark it private.

I really didn't have any intention of making your work harder than it already is - I must admit that I wouldn't have thought of the issue being that important.

OTOH, I do think that the PythonScript product will need some more security audit, esp. since the restricted environment safety belt checks are no longer being maintained in the Python interpreter code and will likely go away completely for Python 3.x.

It may be better to remove the PythonScript product altogether and instead use ExternalMethods.

--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Aug 12 2008)
Python/Zope Consulting and Support ... http://www.egenix.com/ mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611
--On 12. August 2008 19:38:16 +0200 "M.-A. Lemburg" <mal@egenix.com> wrote:
Next time, I'll post the report to the tracker and mark it private.
I really didn't have any intention of making your work harder than it already is - I must admit that I wouldn't have thought of the issue being that important.
OTOH, I do think that the PythonScript product will need some more security audit, esp. since the restricted environment safety belt checks are no longer being maintained in the Python interpreter code and will likely go away completely for Python 3.x.
It may be better to remove the PythonScript product altogether and instead use ExternalMethods.
My conclusion after almost 9 years with Zope: PythonScripts and trusted code was a good and nice feature in the "early days" of Zope. The future is clearly trusted code in all its flavors. RestrictedPython, through-the-web editing (ZMI) and stuff like ZClasses should die - however they must remain until the end of time - for the sake of compatibility.

Andreas
+-------[ Andreas Jung ]----------------------
| My conclusion after almost 9 years with Zope: PythonScripts and trusted
| code was a good and nice feature in the "early days" of Zope. The future
| is clearly trusted code in all its flavors. RestrictedPython,
| through-the-web editing (ZMI) and stuff like ZClasses should die

+oo

--
Andrew Milton
akm@theinternet.com.au
participants (5): Andreas Jung, Andrew Milton, Garito, M.-A. Lemburg, Tres Seaver