[Zope] Nasty subtle security bug

Martijn Faassen faassen@vet.uu.nl
Mon, 25 Sep 2000 21:01:09 +0200


Hi there,

I'm about to describe a very nasty bug that appears to exist in
different guises in at least Zope 2.1.6 and Zope 2.2.2.

The bug is nasty because it occurs under rather restricted
circumstances, so nobody else noticed it yet, but it keeps biting _me_.

The circumstances:

  * we have external method E in the root

  * we have a user defined in the root. This user has a certain role A.

  * we authenticate that user with a DTML method in root for role A.
    (so role A in this setup exists to force authentication only)

  * we give the user a local role B (or local user account with same
    username/password with that role) in a higher folder, X.

  * the external method E has security permissions to only work
    with role B (and manager), not with anonymous.

As far as I am aware, our user should be able to execute E in the context
of X and any subfolders, as the user has the right role there. Our user
should not be able to execute E in the context of any other folder, however.
(the execution happens through a DTML call)

The symptoms:

In Zope 2.1.6, the user cannot execute the external method E. Instead, the
user is asked to reauthenticate. Naturally, reauthenticating the user again
as himself won't work.

In Zope 2.2.2, the user cannot execute the external method E either. Instead,
the calling DTML code raises a NameError, basically saying our external
method does not exist.

The subtle bits -- when it *does* work fine --:

This is probably why nobody actually ran into this one before.

  * it works fine when the user has manager role (at least in root)

  *  it works fine when the external method is executable by anonymous.

  * it works fine when the external method is defined in another folder
    (not root folder)

  * it works fine with DTML methods

  * it even works fine (tested in 2.1.6) when the role is *not* added as 
    a local role or with a local user account; if the user has role B
    from the start, it works. This one particularly gave me a lot of 
    grief.

The workaround that gets closest to what I want is to define the external
methods in folder higher up instead. But that's not really desirable, in
my circumstances I want the external method callable in the entire site,
if the user is authenticated.

Some minor observations:

  * ZClass instances seem to be affected as well. I'm not as sure about
    the symptoms here though.

Anyway, I tried to upgrade to 2.2.2 to avoid this bug in particular, but
the only thing I got was a NameError instead of an Authentication
error. Sigh..

It doesn't appear to be a security leak, it appears to be overzealeous
security instead. :)

I'll also dump this description into the collector, but posted to the
list because I like to complain. And who knows, perhaps someone else
ran into the same.

Regards,

Martijn