[Zope-dev] vulnerability in zope 2.10.4

Andreas Zeidler az at zitc.de
Wed Jul 11 18:48:38 EDT 2007


hi,

imho i've found a vulnerability in zope 2.10.4 or rather in the newer version of five (1.5.5) used by it.  in `Five/browser/pagetemplatefile.py` in line 27 `createTrustedZopeEngine` is used to instantiate the page template engine used by five templates, or at least this is what i think it does.  the problem with this is that `trustedBoboAwareZopeTraverse` (in `PageTemplates/Expressions.py`) gets used to traverse path-expressions using `unrestrictedTraverse` (line 100), which means that i can access say the title of an otherwise private object with a simple "obj/Title".

i ran into this when one of my doctests[1] failed after upgrading from zope 2.10.3 to 2.10.4, because it could now access the title, even though permissions are explicitly set up beforehand to prevent this.  using `createZopeEngine` instead of `createTrustedZopeEngine` didn't help with the test, unfortunately, since this would then raise an `Unauthorized` right away when rendering the `folder_contents` view.  however, if i defer resetting the roles of the test user to just before the "click" on 'Delete' (line 35 in the test), the test works again...

i've also just verified this ttw by creating a simple five view and a "file" object.  i can successfully access the "title" attribute using the view, even though "view" and "access contents information" permissions are set up so only the "manager" role can access the object.  dropping in zope 2.10.3 things work as expected, that is an `Unauthorized` exception is raised.

so, unless i'm completely wrong here, i'd say this is a pretty serious security hole, no?

cheers,


andi

[1] http://dev.plone.org/plone/browser/plone.app.linkintegrity/trunk/plone/app/linkintegrity/docs/testReferalToPrivateFiles.txt?rev=16003

--
zeidler it consulting - http://zitc.de/ - info at zitc.de
friedelstraße 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007
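An illustration of the traversal difference the post describes, added here as an example and not Zope's or Five's own code: a small model in which the "trusted" engine's traversal resolves a path expression like "file/Title" without any permission check, while restricted traversal checks the "access contents information" permission on each object it reads from and raises Unauthorized. The object, user, role and permission names are constructed assumptions.

```python
# Constructed model of trusted vs. restricted path traversal (not Zope code).
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a user lacks the access permission on an object."""


@dataclass
class Obj:
    name: str
    attrs: dict = field(default_factory=dict)
    # roles granted "access contents information" on this object (assumed names)
    access_roles: frozenset = frozenset({"Manager", "Anonymous", "Member"})


@dataclass
class User:
    name: str
    roles: frozenset


def unrestricted_traverse(root, path):
    """Trusted mode: follow every segment, never consulting permissions."""
    node = root
    for seg in path.split("/"):
        node = node.attrs[seg]
    return node


def restricted_traverse(root, path, user):
    """Restricted mode: check the access permission on each object read from."""
    node = root
    for seg in path.split("/"):
        if not (user.roles & node.access_roles):
            raise Unauthorized(f"{user.name} may not read {seg!r} from {node.name}")
        node = node.attrs[seg]
    return node


def build_site():
    """A public folder holding a 'file' object readable by Manager only."""
    private_file = Obj("file", {"Title": "secret report"},
                       access_roles=frozenset({"Manager"}))
    return Obj("folder", {"file": private_file})


def probe(path, user, trusted):
    """Resolve a path expression in one engine mode; report outcome as a tuple."""
    site = build_site()
    try:
        if trusted:
            return ("ok", unrestricted_traverse(site, path))
        return ("ok", restricted_traverse(site, path, user))
    except Unauthorized:
        return ("unauthorized", None)
```

The trusted engine hands a plain Member the private title, while the restricted engine refuses it and only a Manager gets through.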

