[Zope] Zope Hotfix: ObjectManager subscripting

ethan mindlace fremen mindlace@digicool.com
Wed, 11 Oct 2000 15:03:57 -0400


This hotfix addresses an important security issue that affects Zope
versions up to and including Zope 2.2.2. 

The issue involves the fact that the 'subscript notation' that can be
used to access items of ObjectManagers (Folders) did not correctly
restrict return values to only actual sub items. This made it possible
to access names that should be private from DTML (objects with names
beginning with the underscore '_' character). This could allow DTML
authors to see private implementation data structures and in certain
cases possibly call methods that they shouldn't have access to from
DTML. 

While we know of no instances of this issue being used to exploit a
site, we recommend that any Zope 2.2.x site that allows DTML to be
edited by untrusted users apply this Hotfix.

http://www.zope.org/Products/Zope/Hotfix_2000-10-11/Hotfix_2000-10-11.tgz 

The Hotfix will work for all versions of Zope 2.2.0 and higher. A future
version of Zope will contain the fix for this issue, and you will be
able to uninstall the Hotfix after upgrading.
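The following is an added illustration of the class of bug the announcement describes; it is not Zope's ObjectManager code and is not the Hotfix. It models a folder whose subscript lookup falls back to attribute lookup when a key is not a real sub-item, so underscore-prefixed implementation data and methods become reachable through subscript notation, beside a hardened lookup that only ever returns registered sub-items. The class, attribute and item names (`VulnerableFolder`, `HardenedFolder`, `_secret_flag`, `index_html`, and so on) are hypothetical, and plain Python subscripting stands in for a DTML expression.

```python
"""Model of the ObjectManager subscripting issue described above.

Constructed illustration, not Zope's own code: a folder keeps its sub-items
in a private dict and exposes them via subscript notation (folder['name']).
The vulnerable lookup falls back to getattr() when the key is not a
sub-item, so names beginning with '_' (private implementation data and
methods) leak out to whoever can write a subscript expression.  The
hardened lookup only ever returns registered sub-items.
"""


class Document:
    """Stand-in for an ordinary sub-item (e.g. a DTML document); hypothetical."""

    def __init__(self, text):
        self.text = text


class VulnerableFolder:
    """Folder whose __getitem__ falls through to attribute lookup."""

    def __init__(self):
        self._objects = {}        # private implementation data structure
        self._secret_flag = True  # another private attribute (hypothetical)

    def _setObject(self, name, obj):
        # Private method; should not be reachable via subscript notation.
        self._objects[name] = obj

    def __getitem__(self, key):
        try:
            return self._objects[key]
        except KeyError:
            # Bug: anything the instance holds under that name is returned,
            # including underscore-prefixed attributes and bound methods.
            return getattr(self, key)


class HardenedFolder(VulnerableFolder):
    """Same folder, but subscripting is restricted to actual sub-items."""

    def __getitem__(self, key):
        if not isinstance(key, str) or key.startswith('_'):
            raise KeyError(key)       # never expose private names
        # Only registered sub-items are reachable; no attribute fallback.
        return self._objects[key]


def probe(folder, names):
    """Return the subset of `names` that subscript notation exposes on `folder`."""
    exposed = []
    for name in names:
        try:
            folder[name]
        except (KeyError, AttributeError):
            continue
        exposed.append(name)
    return exposed


def make_folder(cls):
    """Build a folder of the given class holding one public sub-item."""
    folder = cls()
    folder._setObject('index_html', Document('public page'))
    return folder


# Constructed probe list: one real sub-item, three private names, one absent name.
PROBE_NAMES = ['index_html', '_objects', '_secret_flag', '_setObject', 'missing']


if __name__ == '__main__':
    for cls in (VulnerableFolder, HardenedFolder):
        print(cls.__name__, '->', probe(make_folder(cls), PROBE_NAMES))
```

Running the block prints which probe names each folder exposes: the vulnerable folder hands back its `_objects` dict, the private flag and the bound `_setObject` method, while the hardened folder exposes only `index_html`. The check that matters is the one in `HardenedFolder.__getitem__`: reject underscore names outright and never fall back to attribute lookup, so the set of reachable names is exactly the set of sub-items.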