[Zope-dev] Re: 2.7 management_page_charset cannot be callable

Alan Milligan alan at balclutha.org
Thu Jan 15 19:07:14 EST 2004


Tres Seaver wrote:

> Alan Milligan wrote:
>
>> In addition to this problem, someone has changed 
>> manage_form_title.dtml and caused me grief!
>>
>> The <dtml-var title> tag has been changed to <&dtml-title;>
>>
>> This causes an implicit html-quote to now be performed which means 
>> that my <img> tag, inserted to display the product's icon to more 
>> strongly associate what is being created, now just writes the html 
>> into the title line.
>>
>> Since nothing was broken in the first place, how about backing out 
>> this change.
>
>
> That change is one of a number which are designed to prevent 
> cross-site scripting attacks;  DTML is particularly vulnerable to such 
> cracks, as it doesn't force the template writer to choose the source 
> from which the name will be bound.
>
> Your scenario is actually quite close to the posited attack:  imagine 
> that user 'black_hat' inserts a document whose title has nasty 
> javascript in an 'onload' attribute of a tag;  such javascript can be 
> used, for instance, to steal cookies, to post to 'manage_shutdown', etc.
>
> Tres. 

Wooahh

Who are we trying to protect ourselves from??  Any Zope product is 
automatically supposed to be 'trusted' by virtue of being written to the 
Products directory.  Surely protecting ourselves from malicious product 
developers is not within the bounds of the existing product framework.  
Given I've written the dtml in the first place, I could write my cookie 
stealer *anywhere* in my dtml.

Whenever we install software on a networked device, we have to assess 
the security risks against the perceived benefit of the software's 
functionality.  Installation of a Zope product is not without risk, 
especially if the author is not known.  As you are suggesting, 
installing a Zope product could not only attack our system, but that of 
any hosted website user, so there are many stakeholders interested in 
security assurance.

This is the lamest excuse I could imagine for justifying this change.

Cheers, Alan
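The thread turns on what `<dtml-var title>` versus `<&dtml-title;>` actually does to a title value. The following is an added illustration written for this page, not code from Zope or from either poster: it models the two DTML spellings with a tiny stand-in renderer (the `render` and `html_quote` functions, the template strings and the sample titles are all my own constructions), and shows both sides of the argument, that the entity form neutralises a title carrying an `onload` handler, and that it also turns a product author's deliberate `<img>` markup into literal text.

```python
# Added example, not Zope's own code.  Models the two DTML spellings from the
# thread with a minimal renderer; names below are mine, not DTML's.
import re

def html_quote(text: str) -> str:
    """Escape the characters an HTML-quoting filter must handle (&, <, >, ")."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))

# <dtml-var NAME> inserts the bound value verbatim; <&dtml-NAME;> inserts it
# html-quoted.  One combined pattern so an inserted value is never re-scanned.
_TAG = re.compile(r"<dtml-var (\w+)>|<&dtml-(\w+);>")

def render(template: str, names: dict) -> str:
    """Stand-in for DTML rendering, supporting only the two tags above."""
    def substitute(match: re.Match) -> str:
        if match.group(1):                     # <dtml-var NAME>: raw insertion
            return str(names[match.group(1)])
        return html_quote(str(names[match.group(2)]))   # <&dtml-NAME;>: quoted
    return _TAG.sub(substitute, template)

# The two forms of manage_form_title discussed in the thread (simplified).
OLD_FORM = '<title>Add <dtml-var title></title>'
NEW_FORM = '<title>Add <&dtml-title;></title>'

# Constructed sample values.  The first is what a product author might put in
# a title on purpose; the second is the kind of user-controlled title Tres
# describes, carrying an event handler attribute.
TRUSTED_TITLE = '<img src="icon.gif"> My Product'
HOSTILE_TITLE = '<img src="x" onload="alert(1)"> Doc'

def renders_as_markup(rendered: str) -> bool:
    """True when an <img ...> tag survives into the output as real markup."""
    return "<img" in rendered

# One way to keep both properties: escape the untrusted title, and give the
# product-controlled icon markup its own slot that only the product fills.
SPLIT_FORM = '<title><dtml-var icon_markup>Add <&dtml-title;></title>'

def render_split(icon_markup: str, title: str) -> str:
    return render(SPLIT_FORM, {"icon_markup": icon_markup, "title": title})

if __name__ == "__main__":
    for label, form in (("old", OLD_FORM), ("new", NEW_FORM)):
        for kind, value in (("trusted", TRUSTED_TITLE), ("hostile", HOSTILE_TITLE)):
            out = render(form, {"title": value})
            print(f"{label}/{kind}: markup={renders_as_markup(out)} {out}")
    print("split:", render_split('<img src="icon.gif"> ', HOSTILE_TITLE))
```

Run as a script, the old form shows both the trusted icon and the hostile handler surviving as markup, the new form shows both being rendered as text, and the split template shows the icon surviving while the hostile title is quoted. The point for a template author is that quoting must be decided per slot according to who controls the value, which is exactly the distinction DTML's name lookup blurs.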
