[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

Tres Seaver tseaver@zope.com
09 Aug 2002 11:33:09 -0400


On Fri, 2002-08-09 at 10:43, Toby Dickenson wrote:
> On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> > On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > > The risk for breakage is very small really
> > >
> > > Your choice of '<' and html_quote suggests that my dtml code which
> > > generates javascript and vbscript carries a higher risk than dtml which
> > > generates html.
> >
> > Only if you generated that script using data from the REQUEST, implicitly.
> 
> Yes
> 
> > Which was bad in the first place.
> 
> I agree it is true in most cases, but not all. Have you analysed how many 
> applications will be broken by this? how they can detect the breakage? I 
> certainly will not have time to assess the implications on my applications 
> before the scheduled release of 2.6.
> 
> > > >, and breakage
> > > > will generally only occur when someone is trying to exploit the
> > > > weakness, not in normal operation of the site.
> > >
> > > The fact that your change uses html_quote to 'fix' the problem rather
> > > than sounding 'hacker alert' alarm bells suggests to me that you dont
> > > really believe that ;-)
> >
> > Again, the wide scope of DTML use would make such bells warble prematurely
> > all too often.
> 
> 'all too often' also contradicts your statements that this will not happen in 
> normal operation of the site, and that the risk of breakage is 'very small'.
> 
> 
> Like I said before, this is probably a good feature. If it was available as a 
> patch then I would probably use it on a number of my sites, and would 
> recommend it to others. I would be very happy see it (or something like it) 
> in 2.7.
> 
> But not 2.6.

Martijn did add a knob to turn the feature off, via a new environment
variable.  With a security vulnerability, we have to come up with some
kind of balance between the need to propagate the fix as quickly as
possible and the need (as you point out) not to disrupt production sites
unduly.  I don't believe we can afford to wait a whole other release
cycle for this fix; Brian, Jim, and Martijn deemed the fix too
pervasive to be bundled as a hotfix, which offers us little choice
except to include it in current releases.

Without the fix, virtually every Zope site in the world is vulnerable
to URL-based cross-site scripting exploits.  For instance, any URL which
contains invalid form variable marshalling can generate an error page
which includes the erroneous value, unquoted.  E.g.:

<URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>


Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
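The reflected-XSS failure mode Tres describes above, worked through as an added example that is not code from this thread or from Zope itself. The `:int` marshalling, the error-page rendering, and `render_for_url` are simplified stand-ins written for this illustration; `html.escape` stands in for DTML's `html_quote`, and the sample URL is the constructed one from the message, not a real site. The `reflects_unescaped` check is the kind of probe a practitioner would run against a response body to tell whether a given site still reflects the unquoted value.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed sample modelled on the URL in Tres's message; not a real site.
SAMPLE_URL = ("http://somezopesite.com/looks/like/legitimate"
              "?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E")

# Minimal stand-in for Zope's ":type" form-variable converters.  This is a
# simplified reimplementation for the example, not Zope's own marshalling.
CONVERTERS = {"int": int, "float": float, "string": str}


class MarshalError(ValueError):
    """Raised when a form value cannot be converted to its declared type."""

    def __init__(self, name, value, kind):
        super().__init__(f"{value!r} is not a valid {kind} for {name}")
        self.name, self.value, self.kind = name, value, kind


def marshal_form(query):
    """Parse 'name:type=value' pairs from a query string into a dict."""
    form = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        name, _, kind = key.partition(":")
        conv = CONVERTERS.get(kind) if kind else str
        if conv is None:
            raise MarshalError(name, value, kind)
        try:
            form[name] = conv(value)
        except ValueError:
            raise MarshalError(name, value, kind) from None
    return form


def error_page_unquoted(err):
    # The pre-fix behaviour described in the thread: the offending value
    # lands in the error page as-is, so attacker-supplied markup executes.
    return ("<html><body><p>Error: "
            f"{err.value} is not a valid {err.kind} for {err.name}"
            "</p></body></html>")


def error_page_quoted(err):
    # html.escape plays the role of DTML's html_quote: every REQUEST-derived
    # value is escaped before being interpolated into the page.
    return ("<html><body><p>Error: "
            f"{html.escape(err.value)} is not a valid "
            f"{html.escape(err.kind)} for {html.escape(err.name)}"
            "</p></body></html>")


def render_for_url(url, quote):
    """Return the error page a request for `url` would produce, or None
    when marshalling succeeds and no error page is generated."""
    query = urlsplit(url).query
    try:
        marshal_form(query)
        return None
    except MarshalError as err:
        return (error_page_quoted if quote else error_page_unquoted)(err)


def reflects_unescaped(page, marker="<script>"):
    """True when the raw marker survives in the response body unescaped."""
    return page is not None and marker in page


if __name__ == "__main__":
    for quote in (False, True):
        page = render_for_url(SAMPLE_URL, quote=quote)
        print(f"quote={quote}: reflects unescaped = {reflects_unescaped(page)}")
        print(page)
```

The check is deliberately narrow: it looks for the literal `<script>` tag surviving in the body, which is exactly what the unquoted error page does and the quoted one does not, so the same probe distinguishes a site with the fix from one without it.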