[Zope] Security Problems?
Chris McDonough
chrism@digicool.com
Wed, 9 May 2001 10:44:13 -0400
Ignore the if not hasattr( in the t method below, sorry!
----- Original Message -----
From: "Chris McDonough" <chrism@digicool.com>
To: "Phil Harris" <phil.harris@zope.co.uk>; <zope@zope.org>
Sent: Wednesday, May 09, 2001 10:41 AM
Subject: Re: [Zope] Security Problems?
> Hi Phil,
>
> Defining classes in external methods is... an interesting experience. I
> don't recommend it. It gets tricky because the file that external methods
> are defined in isn't actually a Python module, so interpreting the behavior
> is hard.
>
> That said, the security chapter of the developer's guide goes in to this a
> little (http://www.zope.org/Documentation/ZDG/Security.dtml). The problem
> is that the instances you're putting in the array don't have any security
> declarations, therefore access to them is denied (raising the unauthorized).
> The fix for this is to add security declarations to the class, e.g
> (untested):
>
> from AccessControl import ClassSecurityInfo
> from Globals import InitializeClass
>
> class c:
>     security = ClassSecurityInfo()
>     security.declareObjectPublic()
>     security.setDefaultAccess('allow')
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> def t(self):
>     retval=[]
>     for a in range(1,10):
>         inst = c(a)
>         if not hasattr(
>         InitializeClass(c) # it's dumb to do this every time.
>         retval.append(inst)
>     return retval
>
>
> If this doesn't work for some reason (setDefaultAccess was broken in at
> least one Zope release), try to define the class c like so:
>
> class c:
>     __allow_access_to_unprotected_subobjects__ = 1
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> ----- Original Message -----
> From: Phil Harris
> To: zope@zope.org
> Sent: Wednesday, May 09, 2001 10:08 AM
> Subject: [Zope] Security Problems?
>
>
> All,
>
> I've got a sneaking suspicion that there are some security problems in Zope
> 2.3.x.
>
> I've been trying to make a simple testcase and would like other (better)
> minds than mine to look at it.
>
> I have an external method which looks like:
>
> class c:
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> def t(self):
>     retval=[]
>     for a in range(1,10):
>         retval.append(c(a))
>     return retval
>
>
> The class 'c' is a very simple class, it has no methods and only two
> attributes/properties 'score' and 'test'.
>
> The external method 't' is also very simple, it just returns an array of
> class 'c'.
>
> The dtml-method I'm using to access this array is as follows:
>
> <dtml-var standard_html_header>
> <dtml-in t>
>   <dtml-var "_['sequence-item'].score">
> </dtml-in>
> <dtml-var standard_html_footer>
>
> Nothing earth shattering there either.
>
> BUT, I get an unauthorized error raised with this traceback whenever I run
> this dtml-method:
>
> (note that an authentication login box is presented but NO user name is able
> to authenticate)
>
> Traceback (innermost last):
> File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in
> publish_module
> File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
> File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
> File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
> (Object: index_html)
> File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in
> call_object
> (Object: index_html)
> File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
> (Object: index_html)
> File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in
> __call__
> (Object: index_html)
> File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in
> renderwob
> (Object: t)
> File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
> (Object: _['sequence-item'].score)
> (Info: _)
> File <string>, line 0, in ?
> File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in
> careful_getattr
> File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
> (Object: index_html)
> File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in
> validate
> File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168,
> in validate
> Unauthorized: score
>
>
> All of this is run on a bog standard install of Zope 2.3.2 with no other
> products installed, no security changes done, REALLY bog standard.
>
>
> Anyone got any ideas?
>
> Cos this is doin my f'in ed in man?!?!?!?!?!?
>
> Phil
> phil.harris@zope.co.uk
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
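Added illustration, not part of the thread above: a simplified Python model of the rule Chris describes, namely that restricted code such as DTML is refused an attribute of an undeclared instance unless the containing object allows access to unprotected subobjects. Phil's class is shown beside the `__allow_access_to_unprotected_subobjects__` fix; `guarded_getattr`, `Unauthorized`, `render_scores` and the classes are constructed for this example and are not Zope's code.

```python
# Simplified model of the check discussed above: restricted code (DTML) may
# read an attribute only if the value is declared or the container allows
# access to unprotected subobjects. Constructed for this example; not Zope's
# own implementation.

_NO_ROLES = object()  # sentinel: the value carries no __roles__ declaration


class Unauthorized(Exception):
    """Stands in for the Unauthorized that Phil's traceback ends with."""


def guarded_getattr(container, name, user_roles=("Anonymous",)):
    """Fetch container.<name> the way restricted code would be allowed to."""
    if name.startswith("_"):
        raise Unauthorized(name)  # private names are never reachable
    value = getattr(container, name)
    roles = getattr(value, "__roles__", _NO_ROLES)
    if roles is not _NO_ROLES:  # declared: None means public, else need a role
        if roles is None or set(roles) & set(user_roles):
            return value
        raise Unauthorized(name)
    # Plain values (ints here) carry no declaration: ask the container.
    allow = getattr(container, "__allow_access_to_unprotected_subobjects__", 0)
    if isinstance(allow, dict):  # per-attribute form: {name: flag}
        allow = allow.get(name, 0)
    if allow:
        return value
    raise Unauthorized(name)  # the default is to deny, which is what Phil saw


class Unprotected:
    """Phil's class c as posted, with no security declarations."""
    def __init__(self, a):
        self.score = a
        self.test = a * a

class AllowAll(Unprotected):
    """Chris's fallback fix: every unprotected attribute is readable."""
    __allow_access_to_unprotected_subobjects__ = 1

class AllowScoreOnly(Unprotected):
    """Per-attribute variant of the same switch (constructed)."""
    __allow_access_to_unprotected_subobjects__ = {"score": 1}


def render_scores(cls):
    """Mimic the <dtml-in t> loop: read .score of instances c(1)..c(9)."""
    return [guarded_getattr(cls(a), "score") for a in range(1, 10)]
```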