[Zope] Saturday morning SELECT

Paz paz@chello.nl
Sun, 11 Mar 2001 12:58:18 +0100


Hi there...

Just for pessimism's sake, I delved into it a bit further. I've created the
following. Total overkill on the processing, but the base implications are
still there. Ignore the fact that this goes around the ZObjects schema. My
first experience with Zope came after working for Compuware in Tech Support
for their Uniface product. Its SQL engine would do all base level
transactions from a template scheme, and would perform a much more advanced
version of the below. So I just want to look into the pros/cons of doing the
below. In other words, humour me ;-)

About below:
A) Using SQLSession on top of this, you can ensure whether it runs or not...
In this instance, can -var instead of sqlvar really be hacked?

B) This is a simple select. If you give level rights to authenticated users,
then this could be extended to do any command, providing the
SESSION['validate'] is set accordingly. Doesn't this make it much easier
then? What would still be wrong with this?

Thanks for reply,
Paz

-------
>ZSQL Method<
select:required
as:optional
sfrom:required
where:optional
operand:optional
equals:optional
orderby:optional
dir:optional

<dtml-call "SESSION.set('validate', -1)">
<dtml-in "(_.str(select), _.str(as), _.str(sfrom), _.str(where),
           _.str(operand), _.str(orderby), _.str(equals), _.str(dir))">
   <dtml-let a=sequence-item>
      <dtml-in "('create', 'drop', 'alter', 'rename', 'optimize', 'backup',
                 'restore', 'repair', 'delete', 'truncate', 'replace', 'update',
                 'kill', 'grant', 'revoke', 'set', 'lock')">
         <dtml-let b=sequence-item>
            <dtml-if "_.string.find(_.string.lower(a), b)!=-1">
               <dtml-call "SESSION.set('validate', 0)">
            <dtml-else>
               <dtml-call "SESSION.set('validate', 1)">
            </dtml-if>
         </dtml-let>
      </dtml-in>
   </dtml-let>
</dtml-in>
<dtml-if "SESSION['validate']==1">
   select <dtml-var select> <dtml-if "as">as <dtml-var as></dtml-if>
   from <dtml-var sfrom>
   <dtml-if "where">where <dtml-var where>
      <dtml-if "operand"><dtml-var operand>
         <dtml-if "equals"><dtml-var equals></dtml-if>
      </dtml-if>
   </dtml-if>
   <dtml-if "orderby">order by <dtml-var orderby>
      <dtml-if "dir"><dtml-var dir></dtml-if>
   </dtml-if>

<dtml-elif "SESSION['validate']==0">
   <span class="error">Pissoff Hacker.... Your attempts to exploit the system
   have been logged</span>
   <dtml-comment><dtml-call "SESSION.set('state', 'ERROR')"></dtml-comment>
<dtml-elif "SESSION['validate']==-1">
   <span class="error">Nothing happened</span>
<dtml-else>
   <span class="error">There was an ERROR</span>
</dtml-if>



-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of ender
Sent: Saturday, March 10, 2001 12:11 PM
To: Paz; Zope
Subject: Re: [Zope] Saturday morning SELECT


On Saturday 10 March 2001 01:14, Paz wrote:
>>Morning/Afternoon/Night,
>>
>>Lazy Saturday morning, and I can't be bothered to leave the house. I've
>>made a little template, but I'm wondering if it's Pandora's box...
>>
>>>ZSQL Method<
>>
>>select:required
>>as:optional
>>from:required
>>where:optional
>>
>>select <dtml-var select> <dtml-if "as">as <dtml-var as></dtml-if>
>>from <dtml-var from>
>><dtml-if "where">where <dtml-var where></dtml-if>
>><dtml-if "operand"><dtml-var operand></dtml-if>
>><dtml-if "equals"><dtml-var equals></dtml-if>
>>
>>It renders any way you please... Obviously you need very tight security on
>>this as to who can access it... But other than using AUTHENTICATED_USER, is
>>there any possible way you might exploit this? I have a habit of doing most
>>of my work in the db, and something like this would totally ease the way I
>>build forms.....

this is suicidal, IMO. In Oracle I might try (obviously untested)
select == '1 from dual; drop table users cascade;'

you should try to use sqlvars in sqlmethods.

if you're just using it for development, maybe, but it seems rather risky to
me for anything production.

cheers kapil
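
The keyword check in Paz's method and kapil's sqlvar advice, ported to Python 3 with sqlite3 as an added example (not code from either message; the users table, its rows and the helper names are constructed for the demonstration):

```python
"""Added example (not from the thread). Ports the dtml-in keyword check to Python
to show why it is not a defence, then shows the alternative kapil points at: bind
values (what <dtml-sqlvar> does) and allowlist identifiers. sqlite3 stands in for
the real database; the users table is constructed sample data."""
import re
import sqlite3

KEYWORDS = ('create', 'drop', 'alter', 'rename', 'optimize', 'backup', 'restore',
            'repair', 'delete', 'truncate', 'replace', 'update', 'kill', 'grant',
            'revoke', 'set', 'lock')

def validate_as_posted(*params):
    """Faithful port of the nested loops: SESSION['validate'] is overwritten on
    every iteration, so the result is only 'does the LAST parameter (dir)
    contain the LAST keyword (lock)'; every other hit is discarded."""
    validate = -1
    for a in params:
        for b in KEYWORDS:
            validate = 0 if b in a.lower() else 1
    return validate

def validate_sticky(*params):
    """What the author presumably meant: reject if any keyword occurs in any
    parameter. Still a substring blacklist: names like 'assets' or
    'last_updated' are rejected, and anything not on the list passes."""
    return 0 if any(b in a.lower() for a in params for b in KEYWORDS) else 1

IDENT = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')  # allowlist for names, not a blacklist

def safe_select(conn, column, table, where_col, value):
    """Column/table names cannot be bound parameters, so they are allowlisted;
    the compared value is bound with a placeholder and never parsed as SQL."""
    for ident in (column, table, where_col):
        if not IDENT.fullmatch(ident):
            raise ValueError('rejected identifier: %r' % ident)
    sql = 'SELECT %s FROM %s WHERE %s = ?' % (column, table, where_col)
    return conn.execute(sql, (value,)).fetchall()

def demo():
    """Feed kapil's payload in as the bound value: it is compared as a plain
    string, matches no row, and the users table is untouched."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (name TEXT, role TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?)',
                     [('ann', 'admin'), ('bob', 'user')])
    rows = safe_select(conn, 'name', 'users', 'role',
                       '1 from dual; drop table users cascade;')
    still_there = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'users'").fetchone()[0]
    return rows, still_there == 1
```

Running `validate_as_posted` with kapil's string in the `select` slot returns 1 (allowed) as long as `dir` does not contain "lock", which is the whole point: the gate is decided by one field and one word.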




_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )