[Zope] Security Problems?

Phil Harris phil.harris@zope.co.uk
Wed, 9 May 2001 15:08:17 +0100

All,

I've got a sneaking suspicion that there are some security problems in Zope 2.3.x.

I've been trying to make a simple testcase and would like other (better) minds than mine to look at it.

I have an external method which looks like:

# External method file: class 'c' is a plain container with two attributes
# and no methods or security declarations.
class c:
    def __init__(self, a):
        self.score = a
        self.test = a * a

# External method 't': Zope passes the calling context as 'self';
# it returns a list of nine 'c' instances.
def t(self):
    retval = []
    for a in range(1, 10):
        retval.append(c(a))
    return retval


The class 'c' is a very simple class, it has no methods and only two attributes/properties 'score' and 'test'.

The external method 't' is also very simple, it just returns an array of class 'c'.

The dtml-method I'm using to access this array is as follows:

<dtml-var standard_html_header>
<dtml-in t>
  <dtml-var "_['sequence-item'].score">
</dtml-in>
<dtml-var standard_html_footer>

Nothing earth shattering there either.

BUT, I get an unauthorized error raised with this traceback whenever I run this dtml-method:

(note that an authentication login box is presented but NO user name is able to authenticate)

Traceback (innermost last):
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
  File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
    (Object: index_html)
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
    (Object: t)
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
    (Object: _['sequence-item'].score)
    (Info: _)
  File <string>, line 0, in ?
  File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
  File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
  File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
  File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
Unauthorized: score


All of this is run on a bog standard install of Zope 2.3.2 with no other products installed, no security changes done, REALLY bog standard.


Anyone got any ideas?

Cos this is doin my f'in ed in man?!?!?!?!?!?

Phil
phil.harris@zope.co.uk
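Added example, not part of Phil's post and not Zope's own code: a simplified Python model of the decision that ends in "Unauthorized: score" above. The traceback shows DTML's careful_getattr handing the attribute to the security policy's validate; the model below reproduces the core rule that a value carrying no __roles__ of its own is only reachable from DTML when the object holding it opts in, and assumes the __allow_access_to_unprotected_subobjects__ class marker that Zope 2 uses for that opt-in (the marker is not mentioned on the page; the role-based branch is reduced to public/deny for brevity). The three classes and the sample lists are constructed for the example.

```python
# Simplified model of Zope 2's "protected vs. unprotected subobject" check.
# Illustration only: it is not ZopeSecurityPolicy.validate itself.

_NO_ROLES = object()  # sentinel: the value declares no __roles__ at all


class Unauthorized(Exception):
    """Raised when the policy refuses an attribute; str(exc) is the name."""


def validate(container, name, value):
    """Decide whether 'name' (already fetched from 'container') may be used.

    Rule modelled here:
      * a value with its own __roles__ is governed by those roles
        (None means public; anything else is denied in this reduced model);
      * a value with no __roles__ (plain ints, strings, instances of
        ordinary classes) is refused unless the container sets
        __allow_access_to_unprotected_subobjects__ (assumed Zope 2 marker)
        to a true value, or to a dict that names the attribute.
    """
    roles = getattr(value, "__roles__", _NO_ROLES)
    if roles is not _NO_ROLES:
        if roles is None:
            return value
        raise Unauthorized(name)

    allowed = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if allowed is None:
        # No opt-in anywhere: this is the branch the posted class 'c' hits.
        raise Unauthorized(name)
    if isinstance(allowed, dict):
        if not allowed.get(name, 0):
            raise Unauthorized(name)
    elif not allowed:
        raise Unauthorized(name)
    return value


def careful_getattr(obj, name):
    """Attribute access the way _['sequence-item'].score is evaluated."""
    return validate(obj, name, getattr(obj, name))


class c:
    """The class from the post, unchanged: no security declaration."""
    def __init__(self, a):
        self.score = a
        self.test = a * a


class c_public:
    """Same class, opting all plain attributes in (constructed variant)."""
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, a):
        self.score = a
        self.test = a * a


class c_score_only:
    """Per-attribute opt-in: 'score' readable, 'test' still refused."""
    __allow_access_to_unprotected_subobjects__ = {"score": 1}

    def __init__(self, a):
        self.score = a
        self.test = a * a


def render_scores(items):
    """Model of <dtml-in t><dtml-var "_['sequence-item'].score"></dtml-in>.

    Returns (scores, None) on success, or ([], "Unauthorized: <name>") when
    the policy refuses an attribute, matching the last line of the traceback.
    """
    scores = []
    for item in items:
        try:
            scores.append(careful_getattr(item, "score"))
        except Unauthorized as exc:
            return [], "Unauthorized: %s" % exc
    return scores, None


if __name__ == "__main__":
    print(render_scores([c(a) for a in range(1, 10)]))          # refused
    print(render_scores([c_public(a) for a in range(1, 10)]))   # 1..9
    print(render_scores([c_score_only(a) for a in range(1, 10)]))
```

The model shows why a class with no security declaration yields exactly "Unauthorized: score" while the login box cannot help: the refusal is a property of the object, not of the user's credentials. The dict form is the least-privilege choice, since it exposes only the attributes a template actually needs.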

