[Zope-dev] Zope security alert and 2.2 information

Kent Polk kent@goathill.org
Mon, 15 May 2000 23:54:09 -0500 (CDT)


R. David Murray wrote:
> On 12 May 2000, Kent Polk wrote:
> > Some browsers *do* only pass authentication info when the server
> > requests it.  We discovered this a couple of years ago when
> > experimenting with the newly-developed domain authentication that
> > I asked to be implemented in userfolders with Principia.
> 
> Unless I'm badly mistaken, the standard Zope management interface
> has a problem with this.
> 
> My perception is that w3m is a browser that only passes auth
> info when requested.  If I'm looking at a management screen,
> and I click on a link that takes me to 'manage_workspace' for
> that object, Zope responds as if I am not authenticated.  If I
> explicitly type in the URL with 'manage_main', then I get the
> management screen.  I'm *guessing* that manage_workspace somehow
> does not require 'view management screens' permission but
> 'manage_main' does.
> 
> What are other browsers that have this behavior?  I'd like to test
> my theory...

It was a while back and I don't have access to any of the browsers
to test with now, but none of them had any trouble with the standard
Principia (before Zope) management screens. The problems were
encountered if you simply assumed that objects were requiring
authentication, such as by passing them through an authentication
portal which was only used to establish authentication and never
used thereafter, and simply used AUTHENTICATED_USER to determine
the status of authentication instead of just the name of the
authenticated user.

The results were that browsers which didn't automatically send
authentication info were disallowed access, and you could reasonably
easily bypass the server authentication mechanism if objects
themselves didn't authenticate. Sorry that I don't have up-to-date
info here, but I haven't had to develop any sites which require
authentication since then. 

Sounds like you are possibly stating that when Zope was extended,
it didn't continue to require that its management objects required
authentication and simply relied on the value of AUTHENTICATED_USER
to determine authentication. Is this correct?

At the time I simply saw the problem as one of 3rd party software
design. I.e.  if you didn't build the site so its objects required
authentication as appropriate, it wasn't Principia's problem, it
was yours (or mine). I also believe the second issue isn't a problem
with browsers which only send auth. info when requested. Relying
on access procedures to ensure security is 'security by obscurity'
and nothing more.
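As an added illustration (a constructed model, not Zope code and not from anyone in this thread) of the two failure modes described above: an object that relies on the portal having been visited is reachable directly with no credentials, and an object that inspects the authenticated user but never issues a 401 challenge shuts out browsers that send credentials only when asked. The `weak_site`/`strong_site` handlers, the credential store and the browser models are all assumptions made for this example.

```python
import base64

# Constructed model of the failure modes in the thread (not Zope code).
USERS = {"kent": "s3cret"}            # constructed credential store
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Zope"'}

def authenticate(headers):
    """Return the user name for valid HTTP Basic credentials, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None

def weak_site(path, headers):
    """Only the portal challenges; other objects trust AUTHENTICATED_USER's value."""
    user = authenticate(headers)
    if path == "/portal":                     # the one object that requires auth
        return (401, CHALLENGE) if user is None else (200, {})
    if path == "/unchecked":                  # relies on the portal having been visited
        return 200, {}                        # bypass: reachable with no credentials
    # checks the user but never challenges, so a challenge-only browser is shut out
    return (200, {}) if user else (403, {})

def strong_site(path, headers):
    """Every object requires authentication and challenges when credentials are missing."""
    user = authenticate(headers)
    return (401, CHALLENGE) if user is None else (200, {})

def challenge_only_get(site, path, user, pw):
    """Browser that sends credentials only after a 401 (the w3m behaviour in the thread)."""
    status, resp = site(path, {})
    if status == 401 and "WWW-Authenticate" in resp:
        cred = base64.b64encode(f"{user}:{pw}".encode()).decode()
        status, resp = site(path, {"Authorization": "Basic " + cred})
    return status

def direct_get(site, path):
    """Request that skips the portal and carries no credentials at all."""
    return site(path, {})[0]

if __name__ == "__main__":
    print(challenge_only_get(weak_site, "/checked", "kent", "s3cret"))    # 403
    print(direct_get(weak_site, "/unchecked"))                            # 200
    print(challenge_only_get(strong_site, "/checked", "kent", "s3cret"))  # 200
    print(direct_get(strong_site, "/unchecked"))                          # 401
```

A browser that volunteers credentials on every request hides the first defect, which is why it only showed up with browsers like w3m.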