[Zope] Weird Security Problem

Chris Withers chrisw@nipltd.com
Mon, 27 Mar 2000 14:19:21 +0100


This I cannot understand, what's new ;-)
I've mocked it up in the attached .zexp if anyone wants to try it out themselves.

I have a site with a subfolder. This is private and so has the 'view' permission granted only to a 'user' role
and the usual 'manager' role.

I have a file, index_html in the mockup, in this subfolder, which includes an image called 'black'
from the root of the site. The root folder has 'view' granted to the anonymous user.

I added my users with the 'user' role (user1 in the mockup, password 'user1') to the subfolder's
acl_users. However, when I went to view the subfolder and logged in as user1, the page loaded fine,
except for the 'black' image. I was asked to authenticate again, but the only way I could get past
this was to use user2 (password 'user2'), who has manage access to the whole site.

This is really confusing as 'black' comes from the root of the site, which is viewable by even the
anonymous user, and viewing the black image on its own in another browser session, even using the
URL from the HTML generated for the subfolder index_html, worked fine and no authentication was
requested.

Obviously giving these users manager access to the whole site was unacceptable. I managed to solve
the problem (see user3, password 'user3', in the mockup) by creating the user in the root acl_users
folder and giving them no roles. Then I gave them 'user' as a local role in the subfolder.

I've tried this with Zope 2.1.4 and 2.1.6 on Linux and NT4, Netscape 3.04, Netscape 4.7 and Explorer
5.1 all with the same result.

Anyone know what's going on?

Chris
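The behaviour described above can be modelled with a small simulation of the way Zope asks user folders for a user along the path of the object actually being requested (the image's own path, not the page that embedded it). This is an added example, not code from the post or from Zope itself. The site layout is constructed from the description in the message (not read from the .zexp), the `Node`/`User` classes and `validate()` are this model's own names, and the rule that credentials recognised by no user folder on the path are rejected rather than treated as anonymous is an assumption of the model that reproduces the re-prompt, not something verified against the Zope 2.1 source.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class User:
    name: str
    password: str
    roles: FrozenSet[str] = frozenset()   # global roles given in the user folder


@dataclass
class Node:
    """A folder, document or image. Only folders carry users in Zope, but an
    acl_users dict on every node keeps the walk below uniform."""
    id: str
    view_roles: Optional[FrozenSet[str]] = None          # None = acquire from parent
    acl_users: Dict[str, User] = field(default_factory=dict)
    local_roles: Dict[str, Set[str]] = field(default_factory=dict)
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        self.children[child.id] = child
        return child


def traverse(root: Node, path: str) -> List[Node]:
    """Objects from the root down to the requested one, e.g. [Test, subfolder, index_html]."""
    chain = [root]
    for seg in filter(None, path.split("/")):
        chain.append(chain[-1].children[seg])
    return chain


def roles_with_view(chain: List[Node]) -> FrozenSet[str]:
    """Nearest explicit 'View' setting on the path wins (acquisition)."""
    for obj in reversed(chain):
        if obj.view_roles is not None:
            return obj.view_roles
    return frozenset()


def roles_of(user: User, chain: List[Node]) -> Set[str]:
    """Global roles plus local roles granted on any object of the path."""
    roles = set(user.roles)
    for obj in chain:
        roles |= obj.local_roles.get(user.name, set())
    return roles


def validate(chain: List[Node], credentials: Optional[Tuple[str, str]]) -> Tuple[int, Optional[str]]:
    """Model of the publisher's user-folder walk for one request: user folders
    are asked from the requested object upward. Returns (status, user name)."""
    required = roles_with_view(chain)
    if credentials is None:
        return (200, "Anonymous") if "Anonymous" in required else (401, None)
    name, password = credentials
    for obj in reversed(chain):
        user = obj.acl_users.get(name)
        if user is None:
            continue                    # this folder does not know the name; keep walking
        if user.password != password:
            return (401, None)
        if "Anonymous" in required or roles_of(user, chain) & required:
            return (200, name)
        return (401, None)              # authenticated, but no role with View here
    # ASSUMPTION of this model: credentials that no user folder on the path
    # recognises are rejected instead of being downgraded to Anonymous. This
    # is the rule that reproduces the re-prompt for the 'black' image.
    return (401, None)


def build_mockup() -> Node:
    """The site from the post, constructed from its description (not from the .zexp)."""
    root = Node("Test", view_roles=frozenset({"Anonymous", "Manager"}))
    root.acl_users["user2"] = User("user2", "user2", frozenset({"Manager"}))
    root.acl_users["user3"] = User("user3", "user3")          # no global roles
    root.add(Node("black"))                                    # image; acquires View from root
    sub = root.add(Node("subfolder", view_roles=frozenset({"Manager", "user"})))
    sub.acl_users["user1"] = User("user1", "user1", frozenset({"user"}))
    sub.local_roles["user3"] = {"user"}                        # the fix from the post
    sub.add(Node("index_html"))
    return root


def run_mockup() -> Dict[str, int]:
    """HTTP status the model gives each request from the post."""
    root = build_mockup()
    cases = {
        "black anonymous": ("/black", None),
        "subfolder user1": ("/subfolder/index_html", ("user1", "user1")),
        "black user1": ("/black", ("user1", "user1")),          # the surprising 401
        "black user2": ("/black", ("user2", "user2")),
        "subfolder user3": ("/subfolder/index_html", ("user3", "user3")),
        "black user3": ("/black", ("user3", "user3")),
        "subfolder anonymous": ("/subfolder/index_html", None),
    }
    return {k: validate(traverse(root, p), c)[0] for k, (p, c) in cases.items()}


if __name__ == "__main__":
    for label, status in run_mockup().items():
        print(f"{label:22s} -> {status}")
```

Under this model the image's path is just Test → black, so the only user folder consulted is the root acl_users, which has never heard of user1; the browser sends user1's credentials anyway because it already authenticated for the subfolder page. user3 lives in the root acl_users, so the root folder finds and authenticates him for the image, and the local role on the subfolder is what gives him 'View' there.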