[Zope-dev] Context Acquisition - Security Hole?

Steve Alexander steve@cat-box.net
Thu, 14 Sep 2000 19:16:52 +0100


Chris Withers wrote:

> Shane Hathaway wrote:
> > > How should I go about petitioning
> > > for
> > > <dtml-var anobject aq_context> to become valid syntax?
> > 
> > There's one little (okay, big) problem with this idea: aq_context
> > strips the security context.  In fact, it could be used to confuse the
> > security machinery.
> > 
> > Let's say I'm Joe Hacker and I have set up membership at
> > www.zope.org/Members/jhacker.  I create a DTML method called index_html
> > with this:
> > 
> > <dtml-with Members>
> > <dtml-with hathawsh aq_context>
> >   <dtml-call expr="index_html.manage_edit('1 0WN U')">
> > </dtml-with>
> > </dtml-with>
> 
> Alright, I give up :-(
> This would be really useful, but if it's going to open up security holes
> everywhere, then I best leave it alone :-S

You could still have an aq_context attribute that would stay secure. It 
would just be very inefficient. The security checks still follow 
standard acquisition, but the object that is returned from an 
acquisition search is chosen context first.

Without further optimisation, this means a containment security check 
for each element of the context. Which kind of suggests worse than 
linear performance as the context path grows.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
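A toy model of the "secure but inefficient" aq_context sketched above, added here as an illustration; it is not code from Zope's Acquisition package or from anyone on the thread, and the Node class, resolve() and the /Members layout are all constructed for it. Lookup follows the context stack innermost-first (like nested dtml-with), but every context element must first pass a containment-based security check, so the cost is one containment walk per context element.

```python
# Constructed model: context-first lookup guarded by containment-only security.
class Node:
    def __init__(self, name, parent=None, allowed=(), **attrs):
        self.name = name
        self.parent = parent          # containment parent (physical location)
        self.allowed = set(allowed)   # users granted access at this location
        self.attrs = attrs            # attributes acquirable from this node

def containment_allows(node, user, counter):
    """Security check walks containment only; counts locations examined."""
    while node is not None:
        counter["checks"] += 1
        if user in node.allowed:
            return True
        node = node.parent
    return False

def resolve(context, name, user):
    """context: nodes innermost first. Each element is authorised via its
    containment chain before it may serve as a lookup step, so the work grows
    with (context length x containment depth)."""
    counter = {"checks": 0}
    for node in context:
        if not containment_allows(node, user, counter):
            # the caller may not use this location as a stepping stone
            return {"status": "denied", "at": node.name, "checks": counter["checks"]}
        if name in node.attrs:
            return {"status": "ok", "owner": node.name,
                    "value": node.attrs[name], "checks": counter["checks"]}
    return {"status": "missing", "checks": counter["checks"]}

# Constructed site: /Members/hathawsh and /Members/jhacker under one root.
root = Node("root", allowed=["manager"], site_title="example site")
members = Node("Members", parent=root)
hathawsh = Node("hathawsh", parent=members, allowed=["hathawsh"],
                index_html="hathawsh's page")
jhacker = Node("jhacker", parent=members, allowed=["jhacker"])

# Context stack built by <dtml-with Members><dtml-with hathawsh ...> from
# a method living in jhacker's folder (innermost first).
CONTEXT_FROM_JHACKER = [hathawsh, members, jhacker]

if __name__ == "__main__":
    for user in ("jhacker", "hathawsh", "manager"):
        print(user, resolve(CONTEXT_FROM_JHACKER, "index_html", user))
```

Note how jhacker is refused at the hathawsh step even though the name is found there, while a lookup that has to scan every element pays a full containment walk for each one.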