[Zope-dev] Re: vulnerability in zope 2.10.4
Andreas Zeidler
az at zitc.de
Wed Jul 11 21:37:03 EDT 2007
On Jul 12, 2007, at 2:50 AM, Tres Seaver wrote:
>> so, unless i'm completely wrong here, i'd say this is a pretty
>> serious security hole, no?
>
> No. It has been an accident that, until just recently, the
> filesystem-based templates in a Five view were running as "untrusted"
> code.
yep, martin's already told me the same on irc, along with the history
of your fix. but thanks for the quick answer...
> So, for
> instance, it is possible for the author of the view class to write
> methods which exposed "private" attributes to the view's template, for
> instance (and has been since before Five was added to Zope).
i know that, of course, but was assuming that rendering five views as
untrusted code was intentional, especially since templates registered
for "*" could potentially be pretty harmful. plus i wasn't expecting
an imho significant change like that to happen in a bugfix release.
but anyway, thanks for clarifying! :)
andi
--
zeidler it consulting - http://zitc.de/ - info at zitc.de
friedelstraße 31 - 12047 berlin - telefon +49 30 25563779
pgp key at http://zitc.de/pgp - http://wwwkeys.de.pgp.net/
sprint with us! - http://plone.org/events/sprints/potsdam-sprint-2007
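The distinction the thread turns on, trusted versus untrusted template code and a view method that deliberately exposes a private attribute, as an added illustration that is not part of the original mail and not Zope's own AccessControl code. It models only the one rule relevant here (untrusted code may not touch names starting with an underscore; trusted code may); the class `ExampleView`, the `_secret` value and the `render_path` helper are constructed for the example.

```python
"""Toy model of trusted vs. untrusted attribute access in a page template.

Constructed illustration (not Zope's AccessControl code): it mimics the one
rule that matters for the thread above, namely that untrusted template code may
not touch names beginning with an underscore, while trusted (filesystem) code
may.  The view author can still deliberately expose a private attribute through
a public method, which is the point made in the quoted reply.
"""


class Unauthorized(Exception):
    """Raised when a restricted lookup is denied."""


class ExampleView:
    """Hypothetical Five-style view with one private and one public member."""

    def __init__(self):
        self._secret = "private-value"   # constructed sample value

    def reveal_secret(self):
        # The view author chose to expose the private attribute; this works
        # in both modes because the method name itself is public.
        return self._secret


def guarded_getattr(obj, name, trusted):
    """Resolve one attribute the way a template engine would.

    trusted=True   -> plain getattr (how filesystem templates run after the fix)
    trusted=False  -> deny underscore names (how untrusted code runs)
    """
    if not trusted and name.startswith("_"):
        raise Unauthorized("untrusted code may not access %r" % name)
    return getattr(obj, name)


def render_path(view, path, trusted):
    """Evaluate a TALES-like path such as 'view/reveal_secret' against a view.

    Segments are resolved left to right and callables are called, as a path
    expression would do.  Returns the final value, or the string
    'Unauthorized' when a restricted lookup is denied, so that both modes can
    be compared side by side.
    """
    obj = view
    for segment in path.split("/")[1:]:   # first segment names the view itself
        try:
            obj = guarded_getattr(obj, segment, trusted)
        except Unauthorized:
            return "Unauthorized"
        if callable(obj):
            obj = obj()
    return obj


def compare_modes(view, path):
    """Return {'trusted': ..., 'untrusted': ...} for one path expression."""
    return {
        "trusted": render_path(view, path, trusted=True),
        "untrusted": render_path(view, path, trusted=False),
    }


if __name__ == "__main__":
    v = ExampleView()
    for p in ("view/_secret", "view/reveal_secret"):
        print(p, compare_modes(v, p))
```

Running the block shows that `view/_secret` is denied only in untrusted mode, while `view/reveal_secret` yields the private value in both modes: whether a template can reach `_secret` depends on what the view author exposes, not only on the trust level the template runs under.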