[Zope] Script (Python) insecure ?

M.-A. Lemburg mal at egenix.com
Tue Aug 12 19:01:42 EDT 2008 

On 2008-08-12 20:49, Andreas Jung wrote:
> --On 12. August 2008 17:14:15 +0000 Maurits van Rees 
> <m.van.rees at zestsoftware.nl> wrote:
> 
>> Andreas Jung, on 2008-08-12:
>>>>> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
>>>>> but has a failure for Zope 2.8.
>>>>
>>>> I forgot to mention that the hotfix also seems to work for Zope 2.9.
>>>> (third-party confirmations are highly appreciated).
>>>
>>> Update: the hotfix although works for Zope 2.8 (tested with
>>> a running Zope instance - however the testrunner does not seem
>>> to import Hotfix though the included tests under 2.8 aren't
>>> found/executed).
>>
>> In Zope 2.8, when I place the Hotfix in the Products dir of the
>> instance, the two tests pass when I run the tests like this:
>>
>>   bin/zopectl test --dir=Products/Hotfix_20080812/
>>
>> That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz
>>
>> I tested on Zope 2.8, 2.9, 2.10, 2.11.  All with python 2.4.  Without
>> the hotfix "raise SystemExit" crashed Zope.  I could not confirm the
>> other problem; that just gave me a LookupError.  With the hotfix in
>> the Products dir of the instance, the crash did not occur and the
>> tests passed.

The .encode() example will only trigger if the Python test suite is
installed in your Python version. Some distros move this into a
separate package, so if this is not installed, that particular
example won't work.

> Thanks for further testing. I released V 0.2 of the hotfix containing
> your fixes. The hotfix also works with Zope 2.7...this should be enough.
> If there are no objections I would like to release the hotfix officially 
> at some time tomorrow.

Please add a warning to be extra careful when enabling edit/create/modify
access to PythonScripts in the ZMI.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 13 2008)
 >>> Python/Zope Consulting and Support ...        http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

:::: Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! ::::


    eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
     D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
            Registered at Amtsgericht Duesseldorf: HRB 46611

More information about the Zope mailing list