[Zope] Usage of AUTHENTICATED_USER
Michel Pelletier
michel@digicool.com
Wed, 2 Feb 2000 10:40:57 -0500
> -----Original Message-----
> From: Shane Hathaway [mailto:zope@pi.slcc.edu]
> Sent: Tuesday, February 01, 2000 7:49 PM
> To: zope@zope.org
> Subject: [Zope] Usage of AUTHENTICATED_USER
>
> Zopistas,
>
> This is unlikely to be a major issue so I'll just say what's involved in
> exploiting the hole. The manage_addFolder method, used to create a new
> folder, takes the current REQUEST as an argument. All one needs to do is
> call manage_addFolder without a REQUEST argument, and the extra security
> checks are disabled. Thus anyone who can create folders can also create
> default user folders.
Can you report this bug to the collector?
> The issue is that there is no apparent way for a method such as
> manage_addFolder to get the current User object to perform a proper
> security check. Getting it using REQUEST['AUTHENTICATED_USER'] isn't
> reliable. In fact, it is possible to call
> <dtml-call "REQUEST.set('AUTHENTICATED_USER', bogusSuperUser)">
> which works but fortunately doesn't have much effect at present.
> (bogusSuperUser would be a folder with DTML methods has_permission,
> has_role, validate, etc. and would masquerade as a SuperUser object.)
Hmmm... this might be considered a problem. Can you submit this to the
collector also?
-Michel
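The two weaknesses Shane describes, modelled side by side with a hardened form, as a constructed Python example added to this post (not Zope's code and not the poster's). The names add_folder_weak, add_folder_fixed, create_userf and security_context are hypothetical stand-ins for Zope's manage_addFolder, its user-folder option and the publisher's security context.

```python
# Constructed model of the two weaknesses described in the thread (not Zope
# code): a check that runs only when the optional REQUEST is passed, and a
# "current user" read from request data that any code path can overwrite.
class Unauthorized(Exception):
    pass

class User:
    def __init__(self, name, roles=()):
        self.name, self.roles = name, frozenset(roles)
    def has_role(self, role):
        return role in self.roles

class Request(dict):
    """Stand-in for REQUEST: mutable, so REQUEST.set() can replace any key."""
    def set(self, key, value):
        self[key] = value

# Stand-in for the publisher-established security context (hypothetical
# name, not a Zope API); request data cannot change it.
security_context = {'user': User('anonymous')}

def add_folder_weak(container, name, create_userf=False, REQUEST=None):
    """Weak: the check is skipped without REQUEST and trusts REQUEST data."""
    if create_userf and REQUEST is not None:
        if not REQUEST['AUTHENTICATED_USER'].has_role('Manager'):
            raise Unauthorized(name)
    container[name] = {'acl_users': create_userf}
    return container[name]

def add_folder_fixed(container, name, create_userf=False, REQUEST=None):
    """Fixed: the privileged option is checked unconditionally against the
    ambient user; REQUEST is never consulted for identity."""
    if create_userf and not security_context['user'].has_role('Manager'):
        raise Unauthorized(name)
    container[name] = {'acl_users': create_userf}
    return container[name]

def attempt(func, *args, **kwargs):
    """Report 'created' or 'denied' for one call."""
    try:
        func(*args, **kwargs)
        return 'created'
    except Unauthorized:
        return 'denied'

def compare():
    """Anonymous caller: REQUEST omitted, then a REQUEST whose AUTHENTICATED_USER was overwritten."""
    spoofed = Request()
    spoofed.set('AUTHENTICATED_USER', User('bogusSuperUser', ['Manager']))
    return {label: (attempt(func, {}, 'f1', create_userf=True),
                    attempt(func, {}, 'f2', create_userf=True, REQUEST=spoofed))
            for label, func in (('weak', add_folder_weak), ('fixed', add_folder_fixed))}
```

compare() returns ('created', 'created') for the weak version and ('denied', 'denied') for the fixed one; only a caller whose ambient user holds the Manager role gets a user folder from add_folder_fixed.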