[Framework-Team] security hole in zope 2.10.4

Martin Aspeli optilude at gmx.net
Wed Jul 11 23:13:46 UTC 2007


Andreas Zeidler wrote:
> hi guys,
> 
> i think i just found a pretty nasty security issue in zope 2.10.4,  
> see http://mail.zope.org/pipermail/zope-dev/2007-July/029590.html for  
> a more detailed explanation.  the bug gives you completely  
> unrestricted access in all view templates, which is probably not what  
> we want, even though they cannot be changed ttw.  well, actually i  
> haven't tried customerizing them, but this actually should work...
> 
> anyway, if this turns out to hold true, i think we should either go  
> back to 2.10.3 for our rc1 or wait until this issue is fixed -- in  
> any case we shouldn't use 2.10.4 as is, imho.  what do you think?

We certainly can't go back to 2.10.3, we depend on features and fixes in 
2.10.4.

I think this is due to an issue I raised on the Five list a while back, 
and which Tres fixed.

Basically, I'd argue that .pt files for Five views are no less 
filesystem code than the .py files that house a view class. Previously, 
we had a weird situation where you got restrictedTraverse-like 
functionality using TALES (tal:replace='obj/attr') but not using python: 
expressions (tal:replace='python:obj.attr').

I have code which looks significantly funny or jumps through security 
hoops (arguably exposing too much information in the process) to deal 
with this bug (which is what I'd call it), and I'm really glad it's 
fixed. :)

Obviously, this may be a problem for five.customerize, which needs to be 
more restrictive. I suspect five.customerize would've had a "security 
hole" with python: expressions, though.

Martin
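The policy mismatch described in this reply (path expressions guarded like restrictedTraverse, python: expressions not, then both made unrestricted for filesystem views), modelled as an added example. This is constructed illustration code, not Zope, Five or five.customerize code: the `Document` class, its `permissions` map, the policy names `filesystem`, `ttw` and `mixed`, and the traversal helpers are all assumptions standing in for Zope's real security machinery.

```python
"""Toy model of template expression evaluation under three security policies.
Constructed for illustration; none of this is Zope's or Five's actual code."""


class Unauthorized(Exception):
    """Raised when the restricted policy denies access to a name."""


class Document:
    """Constructed sample content object. 'secret' stands in for an attribute a
    trusted filesystem view may need but a through-the-web template must not see."""
    # Hypothetical declarative security map: attribute name -> required permission.
    permissions = {"title": "View", "secret": "Manage portal"}

    def __init__(self):
        self.title = "Public title"
        self.secret = "internal-only value"


def restricted_traverse(root, names, user_permissions):
    """Walk a path checking every hop, the way a guarded path expression would.
    Assumed model: real Zope consults its security policy and the user's roles."""
    current = root
    for name in names:
        if name.startswith("_"):
            raise Unauthorized(name)          # underscore names are never exposed
        required = getattr(type(current), "permissions", {}).get(name)
        if required is None or required not in user_permissions:
            raise Unauthorized(name)
        current = getattr(current, name)
    return current


def unrestricted_traverse(root, names):
    """Plain attribute access with no checks: what trusted filesystem code gets."""
    current = root
    for name in names:
        current = getattr(current, name)
    return current


def parse(expr):
    """Return (kind, names) for a path 'here/title' or 'python:here.title'."""
    if expr.startswith("python:"):
        return "python", expr[len("python:"):].split(".")
    return "path", expr.split("/")


def evaluate(expr, context, user_permissions, policy):
    """Evaluate one expression against a context dict under a named policy:
      'filesystem' -- every expression unrestricted (trusted .pt next to .py)
      'ttw'        -- every expression restricted (what a customisable template needs)
      'mixed'      -- path restricted, python: unrestricted (the earlier inconsistency)
    """
    kind, names = parse(expr)
    root, rest = context[names[0]], names[1:]
    restricted = policy == "ttw" or (policy == "mixed" and kind == "path")
    if restricted:
        return restricted_traverse(root, rest, user_permissions)
    return unrestricted_traverse(root, rest)


def outcome(expr, context, user_permissions, policy):
    """Value produced, or the string 'Unauthorized' when the policy denies it."""
    try:
        return evaluate(expr, context, user_permissions, policy)
    except Unauthorized:
        return "Unauthorized"


def policy_is_consistent(paths, context, user_permissions, policy):
    """True when each path expression and its python: twin agree under the policy.
    A policy that fails this check lets a template author bypass the guard simply
    by rewriting obj/attr as python:obj.attr."""
    for path in paths:
        twin = "python:" + path.replace("/", ".")
        if outcome(path, context, user_permissions, policy) != \
           outcome(twin, context, user_permissions, policy):
            return False
    return True


if __name__ == "__main__":
    ctx, perms = {"here": Document()}, {"View"}
    for policy in ("mixed", "filesystem", "ttw"):
        print(policy, "consistent:",
              policy_is_consistent(["here/title", "here/secret"], ctx, perms, policy))
```

The point of `policy_is_consistent` is the one made above: a template language has to apply the same access policy to every expression type. Trusted filesystem views can run with the `filesystem` policy, while anything editable through the web (the five.customerize case) must run with `ttw` for both expression kinds; the `mixed` state is the one to audit for.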



