[Zope3-Users] Security alert: use of Through-the-Web reStructuredText

David Pratt fairwinds at eastlink.ca
Sat Jul 8 11:49:59 EDT 2006


Jim Fulton wrote:
> Recently, a serious security flaw was found in Zope 2 due to its 
> improper support for allowing reStructuredText to be edited 
> through-the-web.  reStructuredText has directives that allow inclusion 
> of any file a Zope process could read and inclusion of data obtained 
> from fetching arbitrary URLs.  In a trusted environment, these 
> directives have legitimate uses.  The feature of including files and URL 
> results should not be enabled for text entered from untrusted sources, 
> which applies to most through-the-web interactions.

Hi Jim. In the case of a wiki, it is the nature of a wiki that folks are 
able to edit through the web. Wouldn't data validation and any necessary 
alterations to the directives make some sense as opposed to removing it from 
the zope3 mix?

> 
> The recent hotfix:
> 
>   http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05
> 
> addresses the problem for Zope 2.
> 
> It is safe to allow reStructuredText through the web with care.  The 
> inclusion of files or URL results can be disabled, but the programmer 
> must explicitly disable the feature.  It is not disabled by default. It 
> is also critical that a developer who exposes through-the-web 
> reStructuredText have tests to verify that the file/url inclusion 
> feature has been disabled.
> 
> Zope 3 itself, as released, doesn't have this problem because it doesn't 
> allow reST entry through the web.  There are third-party applications, 
> however, including 2 packages in the Zope 3 subversion tree that do have 
> this problem.  I strongly urge you to avoid using any Zope package that 
> allows through-the-web input of reStructuredText unless you can verify 
> that file/url has been properly disabled.
> 
> The zwiki and bugtracker packages do not currently disable file/url 
> inclusion and should not be used in situations in which users who are 
> not highly trusted have access to these applications.

Can you be explicit about the process of disabling file/url inclusion 
for zope3 (if this is the critical point you are making)? The use of 
restructured text is valuable in zope and obviously it is important to 
understand security measures that would allow its continued use.

If this can be done, why remove the products from the repository tree? 
Would it not be better to apply the necessary fixes?  Many thanks.

Regards,
David
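The explicit disabling and the verifying test that Jim's message calls for, as an added example that is not code from this thread or from the zwiki/bugtracker packages; it assumes the docutils reStructuredText implementation and its `file_insertion_enabled` / `raw_enabled` settings, and constructs its own throwaway secret file to check against:

```python
"""Render untrusted reStructuredText with docutils' file/URL access switched off."""
import io
import os
import tempfile
from docutils.core import publish_parts

# docutils settings that close the inclusion channels described in the advisory:
# file_insertion_enabled covers ".. include::" and the :file:/:url: options of
# ".. raw::" and ".. csv-table::"; raw_enabled covers the ".. raw::" directive.
# Both default to True, so a through-the-web renderer must override them.
UNTRUSTED_SETTINGS = {
    "file_insertion_enabled": False,
    "raw_enabled": False,
}


def render_untrusted_rest(text):
    """Return (html_body, warnings) for reST typed through the web.

    Ignored directives are reported on the warning stream, so the caller can
    log attempts to use them instead of silently dropping them."""
    warnings = io.StringIO()
    overrides = dict(UNTRUSTED_SETTINGS, warning_stream=warnings)
    parts = publish_parts(text, writer_name="html", settings_overrides=overrides)
    return parts["html_body"], warnings.getvalue()


def inclusion_is_disabled():
    """Self-check of the kind the advisory asks for: directives that would pull
    a server-side file into the page must leave no trace of its content."""
    secret = "CONSTRUCTED-SECRET-do-not-leak"  # constructed marker, not real data
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        untrusted = (
            "Wiki page\n=========\n\n"
            f".. include:: {path}\n\n"
            f".. raw:: html\n   :file: {path}\n\n"
            "Normal *markup* still renders.\n"
        )
        html, warnings = render_untrusted_rest(untrusted)
    finally:
        os.unlink(path)
    # Secret absent, ordinary markup intact, and the ignored directives reported.
    return secret not in html and "<em>markup</em>" in html and warnings != ""
```

Run `inclusion_is_disabled()` from the application's test suite; a false result means the renderer is using docutils' defaults.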