[Zope] How to get around non-propagating proxy roles, also security problem with zsql traversal?

Dieter Maurer dieter@handshake.de
Fri, 17 Nov 2000 22:31:51 +0100 (CET)


Brad Clements writes:
 > 1. Why is it that proxy roles don't propagate and accumulate when 
 > methods are called?
I do not know exactly but suppose it is to reduce the danger
of trojan horses.

It was changed with the new Zope 2.2 security policy.

 > 2. I'm actually using simple ZSQL traversal, like this:
 > 
 > mysite.com/MyFolder/MyZSQL/138348343/PublicInfo
 > 
 > PublicInfo is the DTML Doc with proxy role = PUBLIC.
 > 
 > MyZSQL is an SQL Method that doesn't appear to be viewable by 
 > anonymous. However when called using simple traversal shown above, 
 > the SQL method IS executed.
 > 
 > Is this a security bug? It seems that anonymous users can "call" an sql 
 > method using traversal even if security disallows anonymous View.
It is not the view permission that is relevant for Z SQL method
use, but "Use database methods".

Nevertheless, I can imagine that it will be possible
to use the method, even if the permission is not granted.
This is due to the way the permission checking is implemented.
The ZPublisher first locates the object to be accessed
by URL traversal without any security checks (as it does not yet have any
user information). 
After the object is located, it determines its protection
and then walks back along the objects visited to find the object
in order to find a user folder able to authenticate a user
with sufficient privileges.
Security restrictions of these intermediate objects are only
relevant if they were inherited by the final object.

Thus, indeed, you may have found a security hole.
Put it into the collector.



Dieter
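
The traverse-first, check-last behaviour described in the reply above, as an added example that is not part of the original post and is not Zope's ZPublisher code. It is a simplified model: all class and function names are hypothetical, and `publish_check_each` is a contrasting design shown for comparison, not a fix proposed in the thread.

```python
# Simplified, constructed model of the publishing flow; not Zope code.
PATH = "MyFolder/MyZSQL/138348343/PublicInfo"   # URL from the question


class Obj:
    """A published object guarded by at most one permission (None = public)."""
    def __init__(self, name, permission=None, children=None):
        self.name, self.permission = name, permission
        self.children = children or {}

    def traverse(self, segment):
        return self.children[segment]


class SQLMethod(Obj):
    """Traversing into it runs the query with the URL segment as its argument."""
    def __init__(self, name, permission, record_children):
        super().__init__(name, permission)
        self.record_children = record_children
        self.executed = []                      # arguments the query ran with

    def traverse(self, segment):
        self.executed.append(segment)           # the query runs during traversal
        return Obj("record", None, self.record_children)


def build_site():
    doc = Obj("PublicInfo")                     # viewable by anonymous
    sql = SQLMethod("MyZSQL", "Use database methods", {"PublicInfo": doc})
    root = Obj("root", None, {"MyFolder": Obj("MyFolder", None, {"MyZSQL": sql})})
    return root, sql


def publish_final_only(root, path, granted):
    """Traverse without checks, then check only the object the URL ends on."""
    obj = root
    for segment in path.strip("/").split("/"):
        obj = obj.traverse(segment)
    return obj.permission is None or obj.permission in granted


def publish_check_each(root, path, granted):
    """Contrast: check every object's permission before traversing into it."""
    obj = root
    for segment in path.strip("/").split("/"):
        if obj.permission is not None and obj.permission not in granted:
            return False
        obj = obj.traverse(segment)
    return obj.permission is None or obj.permission in granted
```

In the first function the anonymous request is allowed and `sql.executed` records the query argument, because the intermediate object's permission is never consulted; in the second the request is refused before the query runs.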