[Zope-dev] Server Side Trojan Issue really dead?
KevinL
darius@bofh.net.au
Mon, 07 Aug 2000 20:00:29 +1000
> Chris Withers wrote:
> > Paul comes along to read the new ZWiki page, and IIUC, inadvertently
> > executes DEE and deletes everything, everywhere, because he is a
> > manager, and Jim (still the owner) is a manager and so DEE executes.
> >
> > Have I missed something?
>
> When I write a product that allows users to edit executable content, I
> have an extra responsibility to collaborate with the new security model.
>
> I reckon that it is up to the ZWiki product to change ownership
> appropriately if the page is edited. The zope security system can't
> possibly know about what constitutes editing executable content and what
> does not. Only a product author can know that.
Do a search for "Confused Deputy", and you'll find lots on this sort of
problem. In particular around http://www.eros-os.org/ and
http://www.erights.org/ - both capability-based systems. The crunch of this
is that you either need a fully-fledged capabilities system, which would have
to be insanely granular in this example (caps assigned to each edit of each
page), or you want to execute the zwiki page content at the lowest possible
access priviledge (the problem seems to be that "execute" is more akin to
"render" in the zope world).
Changing ownership of the zwiki pages seems a dangerous thing to do in itself
- and how do you know not to change it back? You never ever want to run/
render it as a higher user than the lowest priviledge editor...
Can I suggest that zwiki pages with DTML content are inherently evil? ;)
KevinL
(Disclaimer: I haven't looked closely at the zope security model yet :(