[ZCM] [ZC] 865/ 5 Resolve "DTML security issue with . traversal"
Collector: Zope Bugs, Features,
and Patches ...
zope-coders-admin at zope.org
Tue Jan 20 09:22:24 EST 2004
Issue #865 Update (Resolve) "DTML security issue with . traversal"
** Security Related ** (Public)
Status Resolved, Zope/bug critical
To followup, visit:
http://zope.org/Collectors/Zope/865
==============================================================
= Resolve - Entry #5 by Brian on Jan 20, 2004 9:22 am
Status: Pending => Resolved
resolved for 2.6.4 / 2.7.0 rc1
-BL
________________________________________
= Resubmit - Entry #4 by efge on Jul 11, 2003 4:28 am
Status: Resolved => Pending
Reopening by request.
________________________________________
= Comment - Entry #3 by leper on Jul 10, 2003 8:20 pm
I think this issue was resolved prematurely. There is something
strange going on w/DTML and security. On IRC the other day JT was
having some issues with DTMLDocuments being viewable even though
the View permission was restricted. This is reproducible:
Create a folder /foo with View granted to Anonymous
Create a dtml method /foo/index_html with content:
<hr/><dtml-var content><hr/>
... (/foo/index_html may be a page template if you prefer) ...
Create a dtml method /foo/content with content:
"foo's content"
Create a folder /foo/bar with View restricted to Authenticated
Create a page template, script, dtml method, or file /foo/bar/content
Visit /foo/bar/content; witness 401
Visit /foo/bar/; witness 401
Visit /foo/; witness 200: "foo's content"
... so far so good ...
Replace /foo/bar/content with a dtml document with content:
"bar's content"
Visit /foo/bar/content; witness 401
Visit /foo/bar/; witness 200: "bar's content" !!!
Visit /foo/; witness 200: "foo's content"
Talking with kosh on IRC, it's clear he wasn't using DTMLFile either, and as such on-disk DTML wasn't the culprit.
This is present in 2.6.1 and reproducible using CVS HEAD as of this posting too.
________________________________________
= Resolve - Entry #2 by ShaneH on May 2, 2003 10:21 am
Status: Pending => Resolved
DTML loaded from the filesystem does not pass through security checks at all. This is by design. I suggest you either use page templates loaded from the filesystem, which *do* enforce security, or you just write your DTML very carefully.
________________________________________
= Request - Entry #1 by kosh on Mar 24, 2003 12:34 pm
I am having a problem where DTML is allowing access to an attribute of an object that restrictedTraverse and regular . notation denies from a python script.
I have a Python product and I have security.setDefaultAccess('deny') so that items inside there without security declarations can't be called. This works for URL traversal, restrictedTraverse and getting to the object via Python scripts, in that access is denied, but DTML can get right in, which is a problem.
Let's say I have container foo with object bar in it, and inside bar an object which should not be allowed to be accessed.
<dtml-var "foo.bar.shouldnotwork"> gives the value of shouldnotwork
however
<dtml-var "restrictedTraverse('foo/bar/shouldnotwork')"> gives access denied
and from a python script
return context.foo.bar.shouldnotwork gives an access denied also which is what I expect.
For a ZPT object I get the same result of access being denied for
<span tal:replace="here/foo/bar/shouldnotwork"></span>
Thus I suspect the problem is with DTML somewhere, but I am not sure where. However, I could also be doing something wrong in my Python product, but currently I cannot imagine what would allow that DTML to do it but nothing else.
The variable shouldnotwork is just a string that is stored in object bar.
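The two lookup paths the report contrasts, as an added illustration that is not part of the original thread and not Zope's own code: a small model in which `restricted_traverse` applies a default-deny declaration check at every step (the behaviour the reporter expects from restrictedTraverse and Python scripts), while `unguarded_lookup` is a plain attribute chain standing in for what the `foo.bar.shouldnotwork` DTML expression was doing. The class and function names, and the "bar's secret string" value, are assumptions made for the example.

```python
class Unauthorized(Exception):
    """Raised when a lookup is denied by the (modelled) security policy."""

class SecureObject:
    # Models security.setDefaultAccess('deny'): names not listed are denied.
    _allowed = frozenset()

    def __init__(self, **attrs):
        for name, value in attrs.items():
            setattr(self, name, value)

def guarded_getattr(obj, name):
    """Attribute access with the security check applied at every step."""
    if isinstance(obj, SecureObject) and name not in obj._allowed:
        raise Unauthorized(f"{type(obj).__name__}.{name}")
    return getattr(obj, name)

def restricted_traverse(root, path):
    """Path traversal ('foo/bar/shouldnotwork') that checks each step."""
    obj = root
    for step in path.split("/"):
        obj = guarded_getattr(obj, step)
    return obj

def unguarded_lookup(root, dotted):
    """Plain getattr chain, modelling the unchecked DTML expression."""
    obj = root
    for step in dotted.split("."):
        obj = getattr(obj, step)
    return obj

# Constructed site (root -> foo -> bar); bar.shouldnotwork has no declaration.
class Bar(SecureObject):
    _allowed = frozenset()

class Foo(SecureObject):
    _allowed = frozenset({"bar"})

class Root(SecureObject):
    _allowed = frozenset({"foo"})

def build_site():
    return Root(foo=Foo(bar=Bar(shouldnotwork="bar's secret string")))

def lookup_outcome(fn, root, path):
    """Return the looked-up value, or 'Unauthorized' if the policy denied it."""
    try:
        return fn(root, path)
    except Unauthorized:
        return "Unauthorized"
```

Running both lookups against the constructed site reproduces the asymmetry in the report: the checked traversal is refused at `bar.shouldnotwork`, the unchecked chain returns the string.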
==============================================================