[Zope-dev] RFC: backward compatibility of PythonScript bindings for
2.6.4 / 2.7.0
Brian Lloyd
brian at zope.com
Wed Jan 21 10:42:11 EST 2004
Hi all -
We recently made Zope 2.6.4-rc1 and 2.7.0-rc1 releases which fix
a number of issues that were introduced in the Q4 security audit
work and the resulting 2.6.3 and 2.7.0-b4 releases.
The initial feedback is very good, and at this point I am aware of
only one outstanding issue - but it is a sticky one and I want to
get some community feedback before deciding exactly how to address
it.
Background: one of the holes fixed in the security audit was that
the current user's access to 'context' and 'container' in a Python
Script was not checked when those names were bound to the script
for execution. This meant that theoretically a script could have
a handle to an object (like the script container) that the user
really didn't have permission for. Subsequent attribute accesses
or attempted method calls would likely still fail since a security
check *would* be performed on those actions, but in principle the
script shouldn't have been allowed to get that initial handle to
the object.
The fix for this was straightforward - do a security check on
'context' and 'container' before binding those objects when the
script is getting ready to execute.
While this is definitely the Right Thing To Do (tm) from a
security standpoint, it poses a bit of a backwards compatibility
problem because:
- By default, all Python Scripts bind both 'context' and
'container'. This means that all existing Python Scripts
in applications, portal tools, etc. have those bindings unless
they have been manually changed.
- A standard CMF / Plone idiom is to put scripts inside of portal
tools (workflow is a primary example). Very often the users who
execute the scripts (as a part of workflow, for example) **do not
have access to the tool containing the scripts**.
These two facts did not cause a problem before, because the security
check for the 'container' binding was not being performed at bind-time.
Now that it is, many scripts will not work because the user will not
have access to the tool containing the script. Worse, the binding
check will cause an unauthorized error **even if the script doesn't
actually use the 'container' variable, because all existing Python
Scripts already have that binding defined by default ;(
So as things stand, the way the binding check currently works will
cause problems for most everyone using a workflow tool or other
tools containing scripts where the user doesn't have access to the
script container (the tool itself). This is likely to be a fairly
large number of people / sites.
I'd like to propose a solution that will hopefully affect far fewer
people, while still doing the right thing with regard to security.
Currently, if the executing user does not have access to either
'context' or 'container', an Unauthorized exception will be raised
at bind-time. *This will happen even if the script does not use
either of those names*, which is the root of the problem.
I propose to change that behavior so that if the security check on
either 'context' or 'container' fails, that name will be bound to
None rather than raise an Unauthorized. The effect of that change
on existing sites would be:
- Existing scripts living in tools which *don't* reference
'container' in their code will continue to work as before
without any changes on the part of the site admin
- Existing scripts that *do* refer to 'container' in their
code (and if the user doesn't have access to it) will
break, since 'container' will now be 'None' rather than
what the script thought it would be. The fix for such
sites is to make sure the user has the appropriate access
on the script container.
What I like about this is that it potentially requires direct
action from fewer site admins. IOW, you only have to fix your
permissions if you were already doing something that the security
system should have been preventing before.
What I don't like is that it is somewhat magical, and now the
error you would get (probably 'None has no attribute xxx') if
the user doesn't have access to the container doesn't tell you
the real problem.
That is likely to be compounded by the fact that some site admins
will be saved from having to care immediately by this magic, then
run into it later, when they might be thoroughly confused if they
didn't happen to read this thread as it went by ;)
The alternative is to take the 'hard-line' and say that site
admins need to visit their script containers and ensure that
either a) the users of the scripts have the appropriate
permissions on the container or b) they remove the 'container'
binding from their scripts if it is not appropriate to give
the users access to the script container.
Sorry this was so long, but I think these kinds of backward
compatibility vs. consistency conundrums require some community
buy-in on the path chosen, since *someone* will be unhappy and
have to do some manual fixing no matter what.
Thoughts?
Brian Lloyd brian at zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
More information about the Zope-Dev
mailing list