[Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

Shane Hathaway shane@zope.com
Mon, 12 Aug 2002 10:16:32 -0400


Dieter Maurer wrote:
> Adrian Hungate writes:
>  > ....
>  > > We should avoid sending the wrong
>  > > message by making a hotfix for every little thing.
>  > >
>  > > Shane
> 
>  > I'd like to second this. It was one of the contributing factors in the
>  > decision of my former employers to opt for Spectra instead of a Zope
>  > solution (that already existed!!).
> I, on the contrary, appreciate the openness and fast response with
> respect to security problems.
> 
> I do not install most hotfixes because the vulnerabilities do not
> affect our sites, but it is a good feeling that there are fast
> fixes should this ever be the case.

In some way we need to make it clear that most hotfixes don't matter for 
most sites.  A lot of hotfixes ensured that users who could write DTML 
couldn't get extra privileges.  They really only mattered for sites like 
zope.org, where anyone with an email address is allowed to write code 
that will be executed directly on the server.  But:

1) most Zope sites give a high level of trust to DTML authors anyway. 
There was no way to exploit most of the security holes without the 
ability to write DTML that runs on the server.

2) even a Zope administrator is still quite limited.  In a standard 
setup, a Zope admin can't read/write arbitrary files or execute scripts.

3) Zope doesn't run as root.  Even if someone found a way to get console 
access through a Zope admin account, they would have to exploit some 
other security hole to get root access.

We need to make it clear that there are several layers of security, and 
only a single layer has ever had a problem AFAIK.

Shane