[Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products
Ivo van der Wijk
ivo@amaze.nl
Fri, 8 Mar 2002 13:26:46 +0100
Hi,
I'm sorry to repost my question here, but no one seems to be able to give
me any information on the standard Zope mailing list.
I still do, however, find the problem described below annoying, and it could
even be considered a security bug (somewhat), or at least a Help page DOS :)
--
Hi all,
We run Freezope.org, a site where people can get their own folder with
Manager/Owner access. Of course, users should not be able to mess up
things outside their own folder. However, they can.
The problem seems to be with the help files included with the installed
products. For some reason, these are sometimes/always changed (as in:
writable, modified) when accessed.
This often gives us (harmless?) log entries such as:
2002-03-06T03:48:56 INFO(0) Z2 CONFLICT Competing writes at, /HelpSys/menu
Traceback (innermost last):
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 171, in publish
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/mapply.py, line 160, in mapply
(Object: menu)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 112, in call_object
(Object: menu)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Shared/DC/Scripts/Bindings.py, line 324, in __call__
(Object: menu)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Shared/DC/Scripts/Bindings.py, line 354, in _bindAndExec
(Object: menu)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/App/special_dtml.py, line 244, in _exec
(Object: menu)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 159, in render
(Object: a tree tag)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 269, in tpRender
(Object: HelpSys)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 523, in tpRenderTABLE
(Object: HelpSys)
(Info: (['Tm9uZQ==', []], {'childless_decoration': '', 'id': 'tpId', 'branches': 'tpValues', 'url': 'tpURL'}, (['Tm9uZQ==', []],), (['Tm9uZQ==', []],)))
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 323, in tpRenderTABLE
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/HelpSys/HelpSys.py, line 228, in tpValues
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/HelpSys/HelpSys.py, line 331, in tpValues
(Object: Help)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/Connection.py, line 535, in setstate
ConflictError: ("'\\x00\\x00\\x00\\x00\\x00\\x0f{\\xee'", '<extension class HelpSys.HelpTopic.STXTopic at 85934e8>')
--- end of trace ---
However, if one of the freezope users creates a version, starts working
in this version, and then consults any of the help pages for the installed
products, this page will be write-locked, and inaccessible for all other
users.
When accessing the help pages, the following error appears:
Zope Error
Zope has encountered an error while publishing this resource.
Error Type: VersionLockError
Error Value: ("'\\x00\\x00\\x00\\x00\\x00\\x10&r'", '/ZopeHosting/freezope/ivotest.freezope.org/myversion')
Troubleshooting Suggestions
* The URL may be incorrect.
* The parameters passed to this resource may be incorrect.
* A resource that this resource relies on may be encountering an error.
For more detailed information about the error, please refer to the HTML source for this page.
If the error persists please contact the site maintainer. Thank you for your patience.
Traceback (innermost last):
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 223, in publish_module
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 187, in publish
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Zope/__init__.py, line 226, in zpublisher_exception_hook
(Object: Config.stx)
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 175, in publish
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Zope/__init__.py, line 240, in commit
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/Transaction.py, line 302, in commit
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/Connection.py, line 420, in commit
(Info: (('HelpSys.HelpTopic', 'STXTopic'), '\x00\x00\x00\x00\x00\x10&r', ''))
File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/FileStorage.py, line 658, in store
(Object: /usr/local/zope/zopesites/freezope/var/Data.fs)
VersionLockError: (see above)
--- end of trace ---
Could this be considered a bug? Why is this happening at all?
With regards,
Ivo
--
Drs. I.R. van der Wijk -=-
Brouwersgracht 132 Amaze Internet Services V.O.F.
1013 HA Amsterdam, NL -=-
Tel: +31-20-4688336 Linux/Web/Zope/SQL/MMBase
Fax: +31-20-4688337 Network Solutions
Web: http://www.amaze.nl/ Consultancy
Email: ivo@amaze.nl -=-
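
An added triage example, not part of the original message or of Zope: it scans error text in the two shapes quoted above and reports which version path holds locks and which object classes hit write conflicts. The names `triage`, `ERROR_TUPLE`, `EXT_CLASS` and `SAMPLE` are assumptions, and the sample input is constructed from the errors in the message.

```python
import re
from collections import Counter

# Constructed sample: the two error shapes quoted in the message, plus one
# made-up extra VersionLockError (oid ending "&s") to show grouping.
SAMPLE = r'''
2002-03-06T03:48:56 INFO(0) Z2 CONFLICT Competing writes at, /HelpSys/menu
ConflictError: ("'\\x00\\x00\\x00\\x00\\x00\\x0f{\\xee'", '<extension class HelpSys.HelpTopic.STXTopic at 85934e8>')
Error Type: VersionLockError
Error Value: ("'\\x00\\x00\\x00\\x00\\x00\\x10&r'", '/ZopeHosting/freezope/ivotest.freezope.org/myversion')
Error Type: VersionLockError
Error Value: ("'\\x00\\x00\\x00\\x00\\x00\\x10&s'", '/ZopeHosting/freezope/ivotest.freezope.org/myversion')
'''

# ("'<oid repr>'", '<detail>') as printed in both error values.
ERROR_TUPLE = re.compile(r"""\("'(?P<oid>.*?)'",\s*'(?P<detail>[^']*)'\)""")
EXT_CLASS = re.compile(r"<extension class (\S+) at ")


def triage(log_text):
    """Return (locks, conflicts).

    locks: version path -> sorted oids that version has locked.
    conflicts: Counter of object class -> ConflictError count.
    """
    locks, conflicts, error_type = {}, Counter(), None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Error Type:"):
            error_type = line.split(":", 1)[1].strip()
            continue
        m = ERROR_TUPLE.search(line)
        if m is None:
            continue
        if line.startswith("ConflictError:"):
            cls = EXT_CLASS.search(m.group("detail"))
            conflicts[cls.group(1) if cls else m.group("detail")] += 1
        elif line.startswith("Error Value:") and error_type == "VersionLockError":
            locks.setdefault(m.group("detail"), set()).add(m.group("oid"))
            error_type = None
    return {v: sorted(o) for v, o in locks.items()}, conflicts


if __name__ == "__main__":
    locks, conflicts = triage(SAMPLE)
    for version, oids in locks.items():
        print(f"{version} holds locks on {len(oids)} object(s)")
    for cls, n in conflicts.items():
        print(f"{n} write conflict(s) on {cls}")
```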