[Zope] external method and security
Marty Stitt
marty.stitt@esker.com
Mon, 29 Jan 2001 15:29:05 -0600
Hello,
I've written an external method that I call through xml-rpc. It lets
me create files on the server from a stand-alone client application
that runs on the workstation of my users.
In testing it recently, I discovered that it will let me write files
to secured folders within my Zope system, even though I'm not yet
using the patch to xmlrpclib.py that supports authentication!
I'm running Zope 2.2.5 under redhat 7.0.
The external method is included below.
Any clues would be appreciated. Thanks in advance....
Is it up to me to write my own security code when using an external
method?
--
import tempfile
import string
import OFS.content_types

def EWSyncAdd(self, PARMS):
    """ Create a new DTMLDocument, Image, or File object """
    # PARMS arrives as one XML-RPC struct; 'contents' is an
    # xmlrpclib.Binary whose raw bytes live in .data
    try: filename = PARMS['filename']
    except KeyError: return "missing parm: filename"
    try: timestamp = PARMS['timestamp']
    except KeyError: return "missing parm: timestamp"
    try: contents = PARMS['contents'].data
    except (KeyError, AttributeError): return "missing parm: contents"
    try: title = PARMS['title']
    except KeyError: return "missing parm: title"
    # The target folder is the one the XML-RPC call was posted to;
    # resolve_url re-traverses to it with the request's own credentials
    truepathspec = fixRPCPath(self.REQUEST)
    folderObject = self.REQUEST.resolve_url(truepathspec)
    filespec = truepathspec + '/' + filename
    itemObject = None
    if filename in folderObject.objectIds():
        return "object already exists"
    ctype, enc = OFS.content_types.guess_content_type(filename, contents)
    # The manage_add* calls below are plain Python method calls made from
    # unrestricted External Method code, so Zope applies no permission
    # check to them; only the traversal above was validated
    if ctype in ('text/html', 'text/xml', 'text/plain'):
        # Create a DTMLDocument object
        folderObject.manage_addDocument(filename, title)
        itemObject = self.REQUEST.resolve_url(filespec)
        itemObject.manage_edit(contents, title)
    elif ctype[:6] == 'image/':
        # Create an Image object
        f = tempfile.TemporaryFile()
        f.write(contents)
        f.seek(0)
        folderObject.manage_addImage(filename, f, title=title)
        f.close()
        itemObject = self.REQUEST.resolve_url(filespec)
    else:
        # Create a File object
        f = tempfile.TemporaryFile()
        f.write(contents)
        f.seek(0)
        folderObject.manage_addFile(filename, f, title=title)
        f.close()
        itemObject = self.REQUEST.resolve_url(filespec)
    # Record the client's timestamp on the new object for later syncs
    if itemObject.getProperty('EWTimeStamp') is None:
        itemObject.manage_addProperty('EWTimeStamp', timestamp, 'string')
    else:
        itemObject.manage_changeProperties(None, EWTimeStamp=timestamp)
    return "OK"

def fixRPCPath(req):
    """ Build the URL of the folder the method was called on from
    PATH_INFO: drop the leading /RPC2 and the method's own name """
    pathsegs = string.split(req['PATH_INFO'], '/')
    if pathsegs[1] == 'RPC2':
        del pathsegs[1]
    del pathsegs[-1]
    return 'http://' + req['HTTP_HOST'] + string.join(pathsegs, '/')
--
Martin Stitt
Chief Software Engineer
Esker, Inc.
email: marty.stitt@esker.com
phone: (608) 273-6000 x331
fax: (608) 273-8227
web: http://www.esker.com
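The check the post is asking about, as an added example that is not code from the original message or from Zope itself: an External Method is unrestricted Python, so a direct call to manage_addDocument() or manage_addFile() on a folder is never run past Zope's security policy, and the method has to ask the security manager itself. getSecurityManager().checkPermission() and Unauthorized come from Zope's AccessControl package (Zope 2.2 and later) and 'Add Documents, Images, and Files' is the permission those manage_add* methods are protected by; everything else (guarded_add, valid_id, FakeFolder, role_checker, demo) is hypothetical and constructed so the logic runs outside Zope.

```python
# Added example (not from the original post): an External Method that
# enforces the add permission itself before creating content.
try:
    # Real Zope API (AccessControl package, Zope 2.2 and later).
    from AccessControl import getSecurityManager, Unauthorized
except ImportError:
    # Outside Zope there is no security manager; define a stand-in
    # exception so the decision logic can still be exercised.
    getSecurityManager = None

    class Unauthorized(Exception):
        """Stand-in for AccessControl.Unauthorized."""

# The permission Zope guards manage_addDocument/File/Image with.
ADD_PERMISSION = 'Add Documents, Images, and Files'


def zope_check_permission(permission, obj):
    """Ask Zope's security manager whether the current (authenticated)
    user holds `permission` on `obj`.  Only usable inside Zope."""
    if getSecurityManager is None:
        raise RuntimeError("not running inside Zope")
    return bool(getSecurityManager().checkPermission(permission, obj))


def valid_id(filename):
    """Reject ids that could leave the folder or shadow Zope's own
    names (assumption: ids are plain file names without slashes)."""
    return bool(filename) and '/' not in filename and not filename.startswith(('.', '_'))


def guarded_add(folder, filename, title, contents, check_permission=None):
    """Create File `filename` in `folder` only after an explicit check.

    check_permission(permission, obj) returns true when the caller may add
    to obj; it defaults to Zope's security manager.  folder must provide
    objectIds() and manage_addFile() like a real Zope Folder.
    """
    if check_permission is None:
        check_permission = zope_check_permission
    if not check_permission(ADD_PERMISSION, folder):
        # The check a bare manage_add* call from unrestricted code skips.
        raise Unauthorized("%s on %s" % (ADD_PERMISSION, folder.getId()))
    if not valid_id(filename):
        return "invalid filename"
    if filename in folder.objectIds():
        return "object already exists"
    folder.manage_addFile(filename, contents, title=title)   # Zope API
    return "OK"


class FakeFolder:
    """Constructed stand-in for a Zope Folder so the example runs offline;
    it records what manage_addFile would have created."""

    def __init__(self, id):
        self._id = id
        self._objects = {}

    def getId(self):
        return self._id

    def objectIds(self):
        return list(self._objects)

    def manage_addFile(self, id, file, title=''):
        self._objects[id] = (title, file)


def role_checker(user_roles, folder_roles):
    """Constructed checker with Zope's rule: the permission is held when
    the user has at least one role the folder grants it to."""
    def check(permission, obj):
        granted = folder_roles.get(obj.getId(), {}).get(permission, ())
        return any(r in granted for r in user_roles)
    return check


def demo():
    """Anonymous XML-RPC client vs. a Manager on a folder that grants the
    add permission to Manager only (constructed data)."""
    secured = FakeFolder('secured')
    grants = {'secured': {ADD_PERMISSION: ('Manager',)}}
    anon = role_checker(('Anonymous',), grants)
    manager = role_checker(('Manager',), grants)
    out = {}
    try:
        guarded_add(secured, 'a.txt', 't', b'hi', check_permission=anon)
        out['anon'] = 'created'
    except Unauthorized:
        out['anon'] = 'unauthorized'
    out['manager'] = guarded_add(secured, 'a.txt', 't', b'hi', check_permission=manager)
    out['dup'] = guarded_add(secured, 'a.txt', 't', b'hi', check_permission=manager)
    out['bad'] = guarded_add(secured, '../x', 't', b'hi', check_permission=manager)
    return out


if __name__ == '__main__':
    print(demo())
```

Inside Zope the default check_permission is the real security manager, so an unauthenticated XML-RPC call (the case in the post, before the xmlrpclib authentication patch) has no roles beyond Anonymous and gets Unauthorized, which the publisher turns into a 401; with credentials that carry Manager on the target folder the create goes through. The id check is separate from the permission check and is there because filename comes straight from the client.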