[Zope-dev] 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml
Richard Waid
richard at iopen.net
Sat Sep 20 00:53:42 EDT 2003
Yesterday I discovered a bug in ZPT for which I'm having trouble
tracking down the source. This bug does not appear to occur in 2.6, but
does appear to occur in both 2.7.0-b2 and 2.7.0-b1.
Basically, if you're using a ZPT with a content-type text/xml, using a
TAL path expression to access an attribute or method causes a security
violation (Unauthorized). It does not happen if the ZPT is using
content-type text/html.
This is a critical bug for us; it will affect dozens if not hundreds of
XML-producing ZPTs if we were to upgrade from 2.6 to 2.7.
I notice that someone previously reported something like this on the
Zope list but I couldn't find a resolution (the message was a couple of
months back), and there is a bug in the collector:
http://collector.zope.org/Zope/1034/
To which I have added a comment, a test case and a traceback. The bug
was talking about METAL macros, but it is almost certainly related.
Two things are known to work around this bug:
1) ZOPE_SECURITY_POLICY=PYTHON would probably work, since I forced an
import error in AccessControl/ZopeGuards.py to force the use of the
Python version of guarded_getattr, and that fixed the problem. That
might suggest the problem is in cAccessControl ... though I dropped in
the 2.6 version of that, and it didn't seem to fix the problem (maybe
something in cAccessControl is only triggered under this scenario).
2) Using getattr rather than guarded_getattr in
PageTemplates/Expressions.py, line 348. Not the best solution :)
The test case, for those too lazy to look in the collector (:)):
---
1. Create a page template
2. Use the text:
<test xmlns:tal="http://xml.zope.org/namespaces/tal"
tal:replace="here/id"/>
3. Set to content-type text/html -- it should work when you test it.
4. Set to content-type text/xml -- you will get a security
violation when you test it (Unauthorized: You are not allowed to
access 'id' in this context).
-----
Any help tracking down this problem would be very greatly appreciated.
Many thanks,
Richard Waid
Network/Software Engineer
http://iopen.net
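As an added illustration (not code from the post above, and not Zope's own AccessControl implementation), the following Python model shows what the second workaround gives up. A guarded attribute lookup fetches the attribute and then asks a security policy whether the caller may see it, raising Unauthorized if not; a plain getattr skips that step entirely, so every attribute reachable through a path expression becomes readable. The Unauthorized class, the Document stand-in for "here", its __allowed__ role map, validate and the role sets are all invented for this example, and the sample data is constructed.

```python
"""Illustrative model of guarded versus plain attribute access (not Zope code).

The real implementation lives in Zope's AccessControl package (guarded_getattr
in ZopeGuards.py and its C counterpart in cAccessControl); the hypothetical
policy below only mirrors its shape: fetch the attribute, consult the security
policy, and raise Unauthorized on denial.
"""


class Unauthorized(Exception):
    """Raised when the hypothetical policy denies the requested attribute."""


class Document:
    """Stand-in for the 'here' object of a TAL path such as here/id.

    __allowed__ maps an attribute name to the roles that may read it. This is
    an invented convention for the example, not Zope's permission machinery.
    """

    __allowed__ = {
        "id": {"Anonymous", "Manager"},
        "secret_notes": {"Manager"},
    }

    def __init__(self, id, secret_notes):
        self.id = id
        self.secret_notes = secret_notes


def validate(obj, name, roles):
    """Hypothetical security policy: allow if any caller role may read `name`."""
    allowed = getattr(type(obj), "__allowed__", {}).get(name, set())
    if not (roles & allowed):
        raise Unauthorized(
            f"You are not allowed to access '{name}' in this context")


def guarded_getattr(obj, name, roles):
    """Fetch `name`, then consult the policy before handing the value back."""
    value = getattr(obj, name)
    validate(obj, name, roles)
    return value


def unguarded_getattr(obj, name, roles):
    """Plain getattr with the same signature: the policy is never consulted.

    This is what workaround 2 in the post amounts to.
    """
    return getattr(obj, name)


def traverse(obj, path, roles, getter):
    """Resolve a '/'-separated path, one attribute per segment, using `getter`."""
    value = obj
    for segment in path.split("/"):
        value = getter(value, segment, roles)
    return value


def run_checks():
    """Return the outcome of four accesses as a dict of label -> result.

    A result of 'Unauthorized' means the policy blocked the access; anything
    else is the value that would have reached the template.
    """
    # Constructed sample object standing in for 'here'.
    here = Document(id="index_html", secret_notes="constructed sample data")
    cases = {
        "anon_id_guarded": (guarded_getattr, "id", {"Anonymous"}),
        "anon_secret_guarded": (guarded_getattr, "secret_notes", {"Anonymous"}),
        "anon_secret_unguarded": (unguarded_getattr, "secret_notes", {"Anonymous"}),
        "manager_secret_guarded": (guarded_getattr, "secret_notes", {"Manager"}),
    }
    results = {}
    for label, (getter, path, roles) in cases.items():
        try:
            results[label] = traverse(here, path, roles, getter)
        except Unauthorized:
            results[label] = "Unauthorized"
    return results


if __name__ == "__main__":
    for label, result in run_checks().items():
        print(f"{label:24s} -> {result}")
```

The guarded lookup lets an anonymous caller read `id` (as the text/html case in the post does) and blocks `secret_notes`; the unguarded lookup returns `secret_notes` to the same caller. That is why swapping guarded_getattr for getattr in Expressions.py makes the Unauthorized error disappear: it removes the check rather than fixing whatever made the check fail for text/xml templates.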