[ZCM] [ZC] 1247/ 2 Unrestrict "manage_form_title Security Patch flawed"
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin at zope.org
Wed May 19 12:54:59 EDT 2004
Issue #1247 Update (Unrestrict) "manage_form_title Security Patch flawed"
** Security Related ** (Public)
Status Pending, Zope/bug+solution medium
To followup, visit:
http://zope.org/Collectors/Zope/1247
==============================================================
= Unrestrict_pending - Entry #2 by tseaver on May 19, 2004 12:54 pm
This issue doesn't represent a security vulnerability, and so it doesn't need to be restricted.
________________________________________
= Request - Entry #1 by alan_milligan on Mar 4, 2004 7:53 am
Uploaded: "manage_form_title.patch"
- http://zope.org/Collectors/Zope/1247/manage_form_title.patch/view
As discussed on the dev list (and with Jim at the Melbourne Sprint), the XSS patch to manage_form_title (and others of this quasi-private method style) breaks my products (i.e. Zpydoc/BastionLedger, and a myriad of private products) which include the product icon on the add form, because the implemented solution misses the point that these methods should not be implemented in DTML, as it always has a docstring and can thus be called directly rather than, as intended, via other DTML.
The solution is to make the DTML private (it's only DTML in the first place because that's convenient ...) and to provide an accessor with no docstring.
Please implement this patch and revert manage_form_title. You should also consider this technique for a number of other methods of this ilk.
==============================================================
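The entry above turns on a publishing rule rather than on escaping: Zope's publisher only exposes a callable through a URL if it has a docstring and its name does not start with an underscore, and a DTML method always has a docstring. The following is an added example, not code from this issue, from the attached patch, or from Zope itself. It models those two traversal rules in plain Python (a deliberate simplification of ZPublisher) and contrasts the two layouts the entry describes: a product whose manage_form_title is a DTML method, so the DTML can be hit directly with request-controlled input, and a product whose DTML is private and reached only through a docstring-free accessor. The names DTMLMethod, ProductBefore, ProductAfter, publish and demo, the icon markup and the XSS payload are all constructed for the example; the html.escape call in the accessor is an illustrative choice of this example, not something the issue prescribes.

```python
"""Toy model of why a DTML method with a docstring is web-callable while a
docstring-free accessor is not. Added example; not Zope code."""
import html


class NotFound(Exception):
    """Raised when the toy publisher refuses to traverse to or publish a name."""


class DTMLMethod:
    """Stand-in for a Zope DTML method.

    Real DTML methods always carry a docstring, which is exactly what makes the
    publisher treat them as callable through the web; this class docstring
    plays that role here.
    """

    def __init__(self, template, context=None):
        self.template = template
        self.context = context

    def __get__(self, instance, owner=None):
        # Bind to the object it is looked up on, loosely like acquisition does.
        if instance is None:
            return self
        return DTMLMethod(self.template, instance)

    def __call__(self, **request):
        # Toy rendering: request variables and the bound context are
        # substituted verbatim, with no escaping, like a raw <dtml-var>.
        return self.template.format(context=self.context, **request)


class ProductBefore:
    """Layout the entry complains about: the DTML is a public attribute."""

    icon = '<img src="misc_/Demo/icon.gif" alt="">'  # constructed sample markup
    manage_form_title = DTMLMethod('{context.icon} Add {title}')


class ProductAfter:
    """Layout proposed in the entry: private DTML plus an accessor with no docstring."""

    icon = '<img src="misc_/Demo/icon.gif" alt="">'  # constructed sample markup
    _manage_form_title = DTMLMethod('{context.icon} Add {title}')

    def manage_form_title(self, title):
        # No docstring on purpose: the publisher will not expose this through a
        # URL, so only trusted server-side code (other DTML, Python) reaches it.
        # Escaping the caller-supplied title here is this example's choice; the
        # product icon is trusted markup and is passed through untouched.
        return self._manage_form_title(title=html.escape(title))


def publish(root, path, **request):
    """Toy ZPublisher: walk the URL segments, then call the final object.

    Two rules are modelled (simplified from Zope's real traversal):
      1. names starting with '_' are never traversable;
      2. a callable is only published if it has a docstring.
    """
    obj = root
    for name in path.strip('/').split('/'):
        if name.startswith('_'):
            raise NotFound(f"{name}: private names are not traversable")
        obj = getattr(obj, name, None)
        if obj is None:
            raise NotFound(f"{name}: no such attribute")
    if callable(obj):
        if not getattr(obj, '__doc__', None):
            raise NotFound(f"{path}: no docstring, not publishable")
        return obj(**request)
    return obj


def demo(payload='<script>alert(1)</script>'):
    """Return what each layout yields for a request carrying an XSS payload."""
    results = {}
    # Before: the DTML is reachable by URL and renders the payload verbatim.
    results['before'] = publish(ProductBefore(), 'manage_form_title', title=payload)
    # After: neither the accessor nor the private DTML can be reached by URL.
    for name in ('manage_form_title', '_manage_form_title'):
        try:
            publish(ProductAfter(), name, title=payload)
            results['after_' + name] = 'PUBLISHED'
        except NotFound as exc:
            results['after_' + name] = 'refused: ' + str(exc)
    # After, called from trusted code: icon kept, request text escaped.
    results['after_internal'] = ProductAfter().manage_form_title(payload)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Running demo() shows the asymmetry the entry is pointing at: in the first layout a request for .../manage_form_title?title=... renders attacker-controlled text straight into the add-form title, while in the second layout the publisher refuses both the accessor (no docstring) and the underlying DTML (underscore name), and the only path to the rendered title is a server-side call that still includes the product icon.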
More information about the Zope-Collector-Monitor mailing list