[Zope] Nasty subtle security bug - Me Too
Martijn Faassen
faassen@vet.uu.nl
Mon, 25 Sep 2000 21:47:50 +0200
Brad Clements wrote:
> On 25 Sep 2000, at 21:01, Martijn Faassen wrote:
>
> > In Zope 2.2.2, the user cannot execute the external method E either.
> > Instead, the calling DTML code raises a NameError, basically saying our
> > external method does not exist.
>
> > I'll also dump this description into the collector, but posted to the
> > list because I like to complain. And who knows, perhaps someone else
> > ran into the same.
>
> I also get the same problem in a different way. I posted a note the other
> day about Login Manager and ownership generating NameError.
>
> I thought it was a Login Manager thing. The results are about the same,
> I get a NameError accessing an External method from a DTML method
> when the current user has been authenticated using a Login manager
> protected sub folder of the root.
This was just plain vanilla user folder. I also get it with ZClass
instances, though I get a reauthentication request (impossible one) in that
case. In 2.1.6, I'd get reauthentication requests for both external
methods and ZClass instances.
> My fix, strangely enough, was to change the ownership of the DTML
> method that was making the call to the External Method. It was owned
> (somehow) by a user from Login Manager, rather than from the root
> acl_users folder.
>
> Changing the ownership fixed the problem.
I don't see how to accomplish this in my page. The root folder isn't
owned by anyone, and I can't change it to be owned, I think. The
external methods are all owned by my manager user, and I can't seem
to change that either.
> I didn't know who should look into this, Ty or DC, so I posted to the list.
> Unfortunately it looks like no one has responded. I don't have the brains
> to figure it out.
If it is indeed the same problem, it seems to be a Zope core bug.
In fact I misreported that moving the external method to a subfolder
solved all problems -- it still fails (at least in 2.2.2, perhaps it worked
in 2.1.6), as long as the local role needed to execute it is added to the
user in a subfolder below it. If the role is added in the same folder or
a folder above the definition of the external method, it works.
Regards,
Martijn