[Zope] Re: REMOTE_USER Security Issue

Tres Seaver tseaver at palladion.com
Tue May 16 10:00:00 EDT 2006



Martijn Pieters wrote:
> On 5/16/06, Cliff Ford <Cliff.Ford at ed.ac.uk> wrote:
> 
>> So I still wonder if anyone who is using the REMOTE_USER environment
>> variable is aware of a problem and has a solution.
> 
> 
> Environment-related variables should not be "hackable" from restricted
> code. Please file a report in the Zope Collector:
> 
>  http://www.zope.org/Collectors/Zope
> 
> You'll need to log in (create a Zope.org account if you don't yet have
> one), and make sure you check the 'security related' tickbox.

MJ:

Given the discussion here on the list already, *don't* tick that box, as
it will only make it harder to address the issue.

Cliff:

The 'environ', 'form', 'taintedform', and 'cookies' attributes of
ZPublisher's HTTPRequest are simple Python dicts, and hence can be
modified by untrusted code (I thought they were instances of a derived,
read-only class).  If this is an issue for third-party code (such as
your user folder), then you likely need to monkey-patch
ZPublisher.HTTPRequest to lock them down.  I'm attaching a patch which
does that for 'environ';  similar tweaks might be required for the others.

Given the possibility of a BBB foul (third-party code may *legitimately*
expect to be able to mutate one or more of these dicts), we would
probably have to land these changes as configurable options, defaulting
(at least initially) to the current behavior.

Before you chase this down, please verify that the user folder you use
*can* be tricked this way:  for instance, if the authentication always
occurs *before* your script is executed, then the scribbling is only an
annoyance, rather than a hole.


Tres.
- --
===================================================================
Tres Seaver          +1 202-558-7113          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
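The lock-down Tres describes, as an added illustration in plain Python rather than his attached patch (which is not on this page): a read-only dict type swapped in for a request's 'environ', so a script that tries to scribble on REMOTE_USER is refused. FakeRequest, lock_environ and the sample environ are assumptions standing in for ZPublisher's HTTPRequest, not Zope's own code.

```python
# Added example, not the patch from the thread. A dict subclass that refuses
# mutation, to stand in for HTTPRequest.environ once authentication has read it.

class ReadOnlyDict(dict):
    """A dict whose contents cannot be changed after construction."""

    def _blocked(self, *args, **kwargs):
        raise TypeError("request environment is read-only")

    # Every mutating entry point of dict is routed to _blocked.
    __setitem__ = __delitem__ = __ior__ = _blocked
    clear = pop = popitem = setdefault = update = _blocked


class FakeRequest:
    """Hypothetical stand-in for ZPublisher's HTTPRequest (not the real class)."""

    def __init__(self, environ):
        self.environ = environ


def lock_environ(request):
    """Replace request.environ with a read-only copy; returns the request."""
    request.environ = ReadOnlyDict(request.environ)
    return request


def remote_user_after_script(request, script):
    """Run an untrusted script against the request, then report REMOTE_USER.

    Returns (remote_user, blocked); blocked is True when the script's
    attempt to mutate the environment was refused.
    """
    blocked = False
    try:
        script(request)
    except TypeError:
        blocked = True
    return request.environ.get("REMOTE_USER"), blocked


def scribbling_script(request):
    # Constructed sample of the "scribbling" the thread worries about.
    request.environ["REMOTE_USER"] = "someone-else"


def demo():
    """Compare an unlocked request with a locked one under the same script."""
    environ = {"REMOTE_USER": "cliff", "REQUEST_METHOD": "GET"}  # constructed sample
    unlocked = remote_user_after_script(FakeRequest(dict(environ)), scribbling_script)
    locked = remote_user_after_script(lock_environ(FakeRequest(dict(environ))), scribbling_script)
    return unlocked, locked
```

As Tres notes, this only matters if the user folder consults REMOTE_USER after the script runs; if authentication happens first, the write is an annoyance rather than a hole.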