[Zope] Security Problems?
Tino Wildenhain
tino@wildenhain.de
Wed, 09 May 2001 16:50:04 +0200
Hi Phil,
that's not a bug, it's a feature :-)
You need
__allow_access_to_unprotected_subobjects__=1
somewhere in your class
Regards
Tino Wildenhain
--On Wednesday, 9 May 2001 15:08 +0100 Phil Harris <phil.harris@zope.co.uk> wrote:
>
> All,
>
> I've got a sneaking suspicion that there are some security problems in
> Zope 2.3.x.
> I've been trying to make a simple testcase and would like other (better)
> minds than mine to look at it.
> I have an external method which looks like:
>
> class c:
>     def __init__(self, a):
>         self.score = a
>         self.test = a * a
>
> def t():
>     retval = []
>     for a in range(1, 10):
>         retval.append(c(a))
>     return retval
>
>
> The class 'c' is a very simple class, it has no methods and only two
> attributes/properties 'score' and 'test'.
> The external method 't' is also very simple, it just returns an array of
> class 'c'.
> The dtml-method I'm using to access this array is as follows:
>
> <dtml-var standard_html_header>
> <dtml-in t>
> <dtml-var "_['sequence-item'].score">
> </dtml-in>
> <dtml-var standard_html_footer>
>
> Nothing earth shattering there either.
>
> BUT, I get an unauthorized error raised with this traceback whenever I
> run this dtml-method:
> (note that an authentication login box is presented but NO user name is
> able to authenticate)
> Traceback (innermost last):
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
>   File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
>     (Object: t)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
>     (Object: _['sequence-item'].score)
>     (Info: _)
>   File <string>, line 0, in ?
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
>   File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
>   File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
> Unauthorized: score
>
>
> All of this is run on a bog standard install of Zope 2.3.2 with no other
> products installed, no security changes done, REALLY bog standard.
>
> Anyone got any ideas?
>
> Cos this is doin my f'in ed in man?!?!?!?!?!?
>
> Phil
> phil.harris@zope.co.uk
>
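Tino's answer points at why the traceback ends in ZopeSecurityPolicy.validate: a plain Python instance returned from an External Method carries no security declaration, so the policy denies every attribute read from DTML unless the class opts in. The block below is an added illustration, not Zope's code and not posted by either participant; `Unauthorized`, `guarded_getattr` and `read_all` are this example's own simplified stand-ins for the Zope machinery in the traceback, and the dict form of `__allow_access_to_unprotected_subobjects__` is used to expose only the one attribute the DTML reads rather than the whole instance.

```python
# Added example, not Zope's code: a simplified model of the policy check
# that raised "Unauthorized: score" when DTML read _['sequence-item'].score.

class Unauthorized(Exception):
    """Stand-in for the Unauthorized error in Phil's traceback."""

def guarded_getattr(container, name):
    """Return container.name only if a Zope-style policy allows it.

    Rules modelled: '_' names are unreachable from DTML; a value carrying
    __roles__ is protected (role checks omitted); otherwise the container
    must opt in via __allow_access_to_unprotected_subobjects__ as an int
    (nonzero = all attributes), a dict (per-name 0/1) or a callable
    taking (name, value). No opt-in means deny.
    """
    if name.startswith('_'):
        raise Unauthorized(name)
    value = getattr(container, name)
    if hasattr(value, '__roles__'):
        return value
    policy = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
    if policy is None:
        raise Unauthorized(name)  # plain instance, no declaration: deny
    if isinstance(policy, int):
        allowed = bool(policy)
    elif isinstance(policy, dict):
        allowed = bool(policy.get(name, 0))
    else:
        allowed = bool(policy(name, value))
    if not allowed:
        raise Unauthorized(name)
    return value

class c_as_posted:
    """Phil's class c: two attributes, no security declaration."""
    def __init__(self, a):
        self.score = a
        self.test = a * a

class c_opt_in(c_as_posted):
    """Tino's fix, narrowed to the one attribute the DTML actually reads."""
    __allow_access_to_unprotected_subobjects__ = {'score': 1}

def read_all(cls, name):
    """Mimic the dtml-in loop over t(): the attribute from each instance,
    or the error message the policy would raise."""
    try:
        return [guarded_getattr(cls(a), name) for a in range(1, 10)]
    except Unauthorized as exc:
        return 'Unauthorized: %s' % exc
```

Setting the attribute to `1`, as in Tino's reply, opens every attribute of the instance; the dict form keeps `test` and anything else out of reach of templates.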