[Zope] Script (Python) insecure ?

Andreas Jung lists at zopyx.com
Tue Aug 12 11:19:54 EDT 2008



--On 12. August 2008 16:05:47 +0200 Andreas Jung <lists at zopyx.com> wrote:

>
>
> --On 12. August 2008 14:16:44 +0200 Andreas Jung <lists at zopyx.com> wrote:
>
>> *sigh*
>>
>> I wished that both exploits were reported to the Zope bugtracker in order
>> to work on solutions before making the exploits public.
>>
>>
>> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <mal at egenix.com>
>> wrote:
>>
>>> Hello,
>>
>>
>>
>>>
>>> 1. Attack:
>>>
>>> Put this into a "Script (Python)" object and run it:
>>>
>>> return 'kaboom'.encode('test.testall')
>>>
>>> This results in a denial-of-service, since Zope will hang
>>> running the Python test suite.
>>>
>>> The reason for this is a problem in the way the encoding search
>>> function works in Python 2.4. This was changed in 2.5 to no longer
>>> allow searching for codecs outside the encodings package.
>>
>> That's pretty obscure behavior of Python 2.4...anyway.
>
> The followup for this issue is also on Launchpad including a possible
> solution:
>
> <https://bugs.launchpad.net/zope2/+bug/257276>
>
> The patches/monkey patches for both issues need review and testing.
>
> I am now working on a security advisory.
>
> For the hotfixes and testing I definitely need help, since I am on the road
> for the rest of the week and pretty busy, with limited network connectivity.
>
>

I created a preliminary hotfix

<http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz/view>

After a rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.

That's all I can do for now - please test and improve the hotfix
if needed.

Thanks,
Andreas
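The mitigation the thread points at is to never let a script-supplied codec name reach the interpreter's codec search. Below is an added Python 3 example written for this page (not the Zope hotfix and not code from the thread): it resolves a fixed allowlist once through the codec registry and refuses any other name, including dotted ones; `ALLOWED_CODECS` and the function names are assumptions for the example.

```python
import codecs

# Allowlist of codec names a restricted script may request (constructed for
# this example; a deployment picks the codecs it actually needs).
ALLOWED_CODECS = {"ascii", "latin-1", "utf-8", "utf-16"}

# Resolve the allowlist once, at import time, so the registry is only ever
# asked about names we chose ourselves, never about caller-supplied strings.
_RESOLVED = {name: codecs.lookup(name) for name in ALLOWED_CODECS}


def validate_codec_name(name):
    """Return the CodecInfo for an allowed codec, or raise ValueError.

    Dotted names are rejected up front: in Python 2.4 the search function
    would import such a name as a module (the 'test.testall' case in the
    thread), so they must never be looked up at all.
    """
    if not isinstance(name, str) or "." in name:
        raise ValueError("codec name rejected: %r" % (name,))
    key = name.lower()
    if key not in _RESOLVED:
        raise ValueError("codec not on allowlist: %r" % (name,))
    return _RESOLVED[key]


def codec_allowed(name):
    """Boolean form of validate_codec_name for callers that just want a check."""
    try:
        validate_codec_name(name)
    except ValueError:
        return False
    return True


def safe_encode(text, codec_name):
    """Encode text with an allowlisted codec; CodecInfo.encode returns (bytes, n)."""
    info = validate_codec_name(codec_name)
    return info.encode(text)[0]


def stdlib_rejects_dotted_name(name):
    """True if this interpreter's own search function refuses a dotted name.

    Python 2.5 and later skip module names containing a dot, which is the
    change the thread describes, so the lookup ends in LookupError.
    """
    try:
        codecs.lookup(name)
    except LookupError:
        return True
    return False
```

`stdlib_rejects_dotted_name('test.testall')` shows the interpreter-level fix, while `safe_encode` is the application-level defence that does not depend on the interpreter version.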
