[Zope] Security Problems?

Phil Harris phil.harris@zope.co.uk
Thu, 10 May 2001 11:20:56 +0100


Chris,

Thanks for the advice but something doesn't scope:

The '__allow_access_to_unprotected_subobjects__ = 1' hack doesn't work in
this case for some reason.  That was one of the things I'd tried before
sending the post.

The other case does work in this instance but there is, to my mind,
something still not ringing true.

For example, using the ZPT stuff, if you put here/title as an output
variable (similar to <dtml-var title>), you get the same unauthorized
traceback as stated below.  This means that the object doesn't have access
to its own properties, surely not!

I'm not saying that there is a security hole in Zope, quite the opposite.
Access is being denied to things that the current user should have access
to.  This has meant that I'm having to loosen security on some of my 'bits'
to allow the user to see things correctly.  This only started happening with
2.3.x (and maybe some of the betas). Zope 2.2.x did not seem to have this
problem.

I've seen spurious mention of similar things over the last few months from
other Zope users as well, but then I do feel slightly paranoid at the
moment, maybe I'm just looking at the world through shitty colored glasses
8-(.  I will try and dredge some of these things up, either to fuel the fire
or put it out. ;)

If the above case doesn't cover it I'm going to have to find another test
case, even if it's just to prove to myself that there is nothing wrong. ;)

Thanks for the help.

Phil

----- Original Message -----
From: "Chris McDonough" <chrism@digicool.com>
To: "Phil Harris" <phil.harris@zope.co.uk>; <zope@zope.org>
Sent: Wednesday, May 09, 2001 3:41 PM
Subject: Re: [Zope] Security Problems?


> Hi Phil,
>
> Defining classes in external methods is... an interesting experience.  I
> don't recommend it.  It gets tricky because the file that external methods
> are defined in isn't actually a Python module, so interpreting the
> behavior is hard.
>
> That said, the security chapter of the developer's guide goes into this a
> little (http://www.zope.org/Documentation/ZDG/Security.dtml).  The problem
> is that the instances you're putting in the array don't have any security
> declarations, therefore access to them is denied (raising the
> Unauthorized).
> The fix for this is to add security declarations to the class, e.g.
> (untested):
>
> from AccessControl import ClassSecurityInfo
> from Globals import InitializeClass
>
> class c:
>     security = ClassSecurityInfo()
>     security.declareObjectPublic()
>     security.setDefaultAccess('allow')
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> InitializeClass(c)  # apply the declarations once, when the class is defined
>
> def t(self):
>     retval=[]
>     for a in range(1,10):
>         retval.append(c(a))
>     return retval
>
>
> If this doesn't work for some reason (setDefaultAccess was broken in at
> least one Zope release), try to define the class c like so:
>
> class c:
>     __allow_access_to_unprotected_subobjects__ = 1
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> ----- Original Message -----
> From: Phil Harris
> To: zope@zope.org
> Sent: Wednesday, May 09, 2001 10:08 AM
> Subject: [Zope] Security Problems?
>
>
> All,
>
> I've got a sneaking suspicion that there are some security problems in
> Zope 2.3.x.
>
> I've been trying to make a simple testcase and would like other (better)
> minds than mine to look at it.
>
> I have an external method which looks like:
>
> class c:
>     def __init__(self,a):
>         self.score=a
>         self.test=a*a
>
> def t(self):
>     retval=[]
>     for a in range(1,10):
>         retval.append(c(a))
>     return retval
>
>
> The class 'c' is a very simple class, it has no methods and only two
> attributes/properties 'score' and 'test'.
>
> The external method 't' is also very simple, it just returns an array of
> class 'c'.
>
> The dtml-method I'm using to access this array is as follows:
>
> <dtml-var standard_html_header>
> <dtml-in t>
>   <dtml-var "_['sequence-item'].score">
> </dtml-in>
> <dtml-var standard_html_footer>
>
> Nothing earth shattering there either.
>
> BUT, I get an unauthorized error raised with this traceback whenever I run
> this dtml-method:
>
> (note that an authentication login box is presented but NO user name is
> able to authenticate)
>
> Traceback (innermost last):
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 223, in publish_module
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 187, in publish
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 171, in publish
>   File D:\ZOPE_T~1\lib\python\ZPublisher\mapply.py, line 160, in mapply
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\ZPublisher\Publish.py, line 112, in call_object
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 189, in __call__
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_String.py, line 538, in __call__
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_In.py, line 717, in renderwob
>     (Object: t)
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 334, in eval
>     (Object: _['sequence-item'].score)
>     (Info: _)
>   File <string>, line 0, in ?
>   File D:\ZOPE_T~1\lib\python\DocumentTemplate\DT_Util.py, line 140, in careful_getattr
>   File D:\ZOPE_T~1\lib\python\OFS\DTMLMethod.py, line 261, in validate
>     (Object: index_html)
>   File D:\ZOPE_T~1\lib\python\AccessControl\SecurityManager.py, line 144, in validate
>   File D:\ZOPE_T~1\lib\python\AccessControl\ZopeSecurityPolicy.py, line 168, in validate
> Unauthorized: score
>
>
> All of this is run on a bog standard install of Zope 2.3.2 with no other
> products installed, no security changes done, REALLY bog standard.
>
>
> Anyone got any ideas?
>
> Cos this is doin my f'in ed in man?!?!?!?!?!?
>
> Phil
> phil.harris@zope.co.uk
>
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
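As a stand-alone illustration of the policy Chris describes (added here; not code from the thread and not Zope's own implementation), a simplified model of the check ZopeSecurityPolicy applies when DTML reads an attribute of a plain instance. Unauthorized, guarded_getattr, denies and the three sample classes are constructed for the example; real Zope also evaluates a roles list against the current user, which this model omits.

```python
_NOT_DECLARED = object()   # sentinel: the value carries no __roles__ at all

class Unauthorized(Exception):
    """Raised when the policy refuses to hand the attribute to the template."""


def guarded_getattr(container, name):
    """Fetch container.<name> the way DTML's careful_getattr does, then apply the
    policy to the *value* before returning it (simplified; roles are not checked)."""
    if name.startswith('_'):
        raise Unauthorized(name)                 # private names are never exposed
    value = getattr(container, name)
    # A value with its own __roles__ (ClassSecurityInfo + InitializeClass stamp one
    # onto a class) is judged by that: None means public; a role list would need a check.
    roles = getattr(value, '__roles__', _NOT_DECLARED)
    if roles is not _NOT_DECLARED:
        if roles is None:
            return value
        raise Unauthorized(name)
    # No declaration on the value: fall back to the container's opt-in, which
    # may be a flag, a dict of permitted names, or a callable(name, value).
    p = getattr(container, '__allow_access_to_unprotected_subobjects__', None)
    if p is None:
        raise Unauthorized(name)                 # the default, hence 'Unauthorized: score'
    if isinstance(p, dict):
        allowed = p.get(name, 0)
    elif callable(p):
        allowed = p(name, value)
    else:
        allowed = p
    if allowed:
        return value
    raise Unauthorized(name)


def denies(container, name):
    """True if the policy would raise Unauthorized for container.<name>."""
    try:
        guarded_getattr(container, name)
    except Unauthorized:
        return True
    return False


class Plain:                                     # the class 'c' from the first post
    def __init__(self, a):
        self.score, self.test = a, a * a

class Opened(Plain):                             # the '= 1' fix: every attribute exposed
    __allow_access_to_unprotected_subobjects__ = 1

class ScoreOnly(Plain):                          # the dict form: only 'score' exposed
    __allow_access_to_unprotected_subobjects__ = {'score': 1}
```

With Plain, every attribute read fails exactly as in the traceback; the dict form is the narrower alternative to the blanket `= 1`.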