[zope2-tracker] [Bug 490514] Re: XSS Vulnerability in ZMI
Tres Seaver
tseaver at palladion.com
Mon Nov 30 18:08:36 EST 2009
Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
> http://launchpadlibrarian.net/36268764/xss_in_zope.jpg
>
> ** Visibility changed to: Public
>
status confirmed
assigned tseaver
This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles. Rather, it shows up in
add-on product code (such as GenericSetup) which use
PageTemplateFiles for the ZMI, but call into the existing DTML
header and footer templates so::
    <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
    <h1 tal:replace="structure here/manage_tabs">TABS</h1>
    ...
    <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>
In this case, the code in the call_with_ns function (in
Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
is preserved.
The attached patch adds a test for this case and fixes the bug. I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.
Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver at palladion.com
Palladion Software "Excellence by Design" http://palladion.com
** Attachment added: "lp490514-zpt_calling_dtml_preserve_tainting.patch"
http://launchpadlibrarian.net/36272448/lp490514-zpt_calling_dtml_preserve_tainting.patch
** Changed in: zope2
Status: New => Confirmed
--
XSS Vulnerability in ZMI
https://bugs.launchpad.net/bugs/490514
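An added example, not from this report or from Zope's own code, that models the failure Tres describes: Zope marks request-derived strings containing markup as "tainted" so DTML escapes them, and a namespace-building step that coerces values to plain strings drops that marker. The names Tainted, taint_if_needed, render_dtml, call_with_ns_lossy and call_with_ns_preserving are assumed simplifications, not the real Products.PageTemplates API.

```python
import html

# Assumption: Zope's real taint tracking is modelled here by a str subclass
# used purely as a marker; only its type carries the "came from the request" fact.
class Tainted(str):
    """Request-derived string that contains markup and must be escaped on output."""


def taint_if_needed(value):
    """Model of request-input tainting: wrap values that contain '<' (simplified)."""
    return Tainted(value) if "<" in value else value


def render_dtml(template, namespace):
    """Toy DTML-like renderer: substitutes {name}; escapes Tainted values only.

    Trusted markup (e.g. the ZMI header/tabs) is passed through unchanged, which
    is why the renderer depends on the marker surviving the call boundary.
    """
    out = template
    for name, value in namespace.items():
        rendered = html.escape(value, quote=True) if isinstance(value, Tainted) else value
        out = out.replace("{" + name + "}", rendered)
    return out


def call_with_ns_lossy(dtml, namespace):
    """Buggy shape: str() on a Tainted value returns a plain str, so the marker is lost
    and request markup reaches the output unescaped."""
    return render_dtml(dtml, {k: str(v) for k, v in namespace.items()})


def call_with_ns_preserving(dtml, namespace):
    """Fixed shape: hand the values through unchanged so Tainted survives into DTML."""
    return render_dtml(dtml, dict(namespace))


if __name__ == "__main__":
    # Constructed input: 'title' comes from the request, 'tabs' is trusted ZMI markup.
    ns = {"title": taint_if_needed("<b>untrusted</b>"), "tabs": "<a href='/manage'>Tab</a>"}
    tpl = "<h1>{title}</h1>{tabs}"
    print("lossy:     ", call_with_ns_lossy(tpl, ns))
    print("preserving:", call_with_ns_preserving(tpl, ns))
```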