[Zope] Re: REMOTE_USER Security Issue
Tres Seaver
tseaver at palladion.com
Mon May 15 14:16:03 EDT 2006
Cliff Ford wrote:
> My people want to adopt a single sign-on system for web applications
> that is based on the REMOTE_USER environment variable. I have tried out
> RemoteUserFolder and also adapted exUserFolder to work similarly.
>
> My problem is that I figured out how a user who has permission to create
> python scripts (might work with dtml and page templates too) could
> access otherwise forbidden content by making calls that pretend to come
> from another user. Has any one else come across this problem and devised
> a solution, either in software or organisation?
>
> Problem verified with Zope 2.9.2 and latest RemoteUserFolder
User folders who care need to look at the request's 'environ' dict, e.g.::

    remote_user = request.environ['REMOTE_USER']  # not hackable

rather than the default one where untrusted code can scribble::

    remote_user = request['REMOTE_USER']  # hackable
Tres.
--
===================================================================
Tres Seaver +1 202-558-7113 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
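The lookup-order problem Tres describes, shown as an added example that is not code from the thread, from RemoteUserFolder or from exUserFolder. It assumes a deliberately minimal stand-in for Zope's HTTPRequest in which values placed with `request.set()` (the namespace through-the-web code can write to) are consulted before the CGI environment when `request[key]` is used; the two `identify_*` functions are hypothetical user-folder lookups, and the scenario data is constructed.

```python
# Added example, not from the list message. Models why a user folder should
# read REMOTE_USER from request.environ (set by the web server) rather than
# request['REMOTE_USER'] (a merged lookup that untrusted code can shadow).
#
# Assumption: FakeRequest mirrors only the relevant ordering of Zope's
# HTTPRequest -- the writable `other` namespace is checked before `environ`.


class FakeRequest:
    """Simplified stand-in for a Zope HTTPRequest (constructed for this example)."""

    def __init__(self, environ):
        self.environ = dict(environ)   # populated by the web server: trusted
        self.other = {}                # writable by through-the-web code: untrusted

    def set(self, key, value):
        # Equivalent of REQUEST.set(), which restricted Python scripts may call.
        self.other[key] = value

    def __getitem__(self, key):
        # request[key] consults the writable namespace first, then environ.
        if key in self.other:
            return self.other[key]
        return self.environ[key]


def identify_hackable(request):
    """Hypothetical user folder that trusts request['REMOTE_USER']."""
    return request["REMOTE_USER"]


def identify_safe(request):
    """Hypothetical user folder that reads only the web server's environment.
    Returns None when the SSO front end did not authenticate anyone."""
    return request.environ.get("REMOTE_USER")


def run_scenario():
    """Constructed scenario: the SSO front end authenticated 'cliff', then a
    script calls REQUEST.set('REMOTE_USER', ...) before the user folder runs."""
    request = FakeRequest({"REMOTE_USER": "cliff", "REQUEST_METHOD": "GET"})
    request.set("REMOTE_USER", "otheruser")   # the scribble from untrusted code
    return {
        "hackable": identify_hackable(request),   # sees the scribbled value
        "safe": identify_safe(request),           # still sees what the server set
    }


def run_unauthenticated():
    """Constructed scenario: no REMOTE_USER from the server at all; the safe
    lookup must report no identity even if untrusted code set one."""
    request = FakeRequest({"REQUEST_METHOD": "GET"})
    request.set("REMOTE_USER", "otheruser")
    return identify_safe(request)


if __name__ == "__main__":
    print(run_scenario())          # {'hackable': 'otheruser', 'safe': 'cliff'}
    print(run_unauthenticated())   # None
```

The design point is that `environ` is the only namespace the front-end web server populates, so it is the only one a REMOTE_USER-based user folder should consult; anything reachable through `request[...]` or `request.get(...)` may have been overwritten by code running with ordinary script-creation rights.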