[Zope-dev] information disclosure vulnerability

2002-12-03 Thread Jerome Alet
Hi,

probably the HelpSys object shouldn't be available by default
to non-authenticated users, because it gives too much information 
on the currently installed products.

Access any Zope site this way:

http://your.zope.site/HelpSys

and you'll learn what products are available on the server.

This can't lead to a direct compromise, but this gives way
too much information to anonymous users IMHO.

Tested today on several low and very high profile sites.

bye,

Jerome Alet

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



[Zope-dev] Re: information disclosure vulnerability

2002-12-03 Thread Maik Jablonski
Jerome Alet wrote:

probably the HelpSys object shouldn't be available by default
to non-authenticated users, because it gives too much information 
on the currently installed products.

access any Zope site this way :

http://your.zope.site/HelpSys

and you'll learn what products are available on the server.

Another way to gather this data would be:

http://YourServer/Control_Panel/Products/ExternalEditor

gives Anonymous the ZopeStartPage if ExternalEditor is installed and a 
SiteError if not.

-mj







Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.

2002-12-03 Thread Yusei TAHARA
Hi.

> > I made a monkey patch for myself: when management_page_charset is not
> > "UTF-8", this patch removes ":utf8:" from non-unicode type input fields,
> > because if input values are not latin-1, then a unicode error is raised.
> >
> > I think that every encoding can be used satisfactorily with it :-)
> >
> > Please consider whether it can be merged into Zope 2.6.1.
> 
> There are some details missing from your explanation, but hopefully not from 
> your patch. Where do I find it?

Concretely, what are the "some details"?

I'm very interested in Zope development, especially i18n.
So I would like to contribute something about it:-)

Thank you.

-- 
Yusei Tahara"So it goes"
[EMAIL PROTECTED]




Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.

2002-12-03 Thread Toby Dickenson
On Tuesday 03 December 2002 1:16 pm, Yusei TAHARA wrote:
> Hi.
>
> > > I made a monkey patch for myself: when management_page_charset is not
> > > "UTF-8", this patch removes ":utf8:" from non-unicode type input fields,
> > > because if input values are not latin-1, then a unicode error is raised.
> > >
> > > I think that every encoding can be used satisfactorily with it :-)
> > >
> > > Please consider whether it can be merged into Zope 2.6.1.
> >
> > There are some details missing from your explanation, but hopefully not
> > from your patch. Where do I find it?
>
> Concretely, what are the "some details"?

The fix to this situation is more complicated than removing a ":utf8:" from 
somewhere that it shouldn't be. I'm sure you know this.

> I'm very interested in Zope development, especially i18n.
> So I would like to contribute something about it:-)

The patch you mentioned?






Re: [Zope-dev] wrapping unexistent objects

2002-12-03 Thread Maurizio Boriani
> "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:

Casey> If you want an object to be able to handle calls to
Casey> undefined methods, you'll probably need to use a
Casey> __getattr__ hook. They can be a little tricky to get right
Casey> (you want to filter out names that start with "_" or "aq"
Casey> or else you'll be in trouble), and they don't have access
Casey> to acquisition, but they will allow you to intercept calls
Casey> to arbitrary names on an object.

Do you have some examples or docs about this? I'm trying to use it, but my product
fell into an unfinished loop. Any suggestion?

Casey> -Casey

TIA,
baux




Re: [Zope-dev] wrapping unexistent objects

2002-12-03 Thread Casey Duncan
It's easy to create an infinite loop. To avoid these, do attribute lookups from 
the instance __dict__ rather than directly from self:

IOW, don't do:

foo = self.foo

or getattr(self, 'foo')

(This can trigger another __getattr__ call)

Instead do:

foo = self.__dict__['foo']

(This won't cause another getattr call)

As for examples, there is a complex one in the CMF Skinnable module and a 
simpler one in the Document module of my DocumentLibrary product.

-Casey

On Tuesday 03 December 2002 10:58 am, Maurizio Boriani wrote:
> > "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:
> 
> Casey> If you want an object to be able to handle calls to
> Casey> undefined methods, you'll probably need to use a
> Casey> __getattr__ hook. They can be a little tricky to get right
> Casey> (you want to filter out names that start with "_" or "aq"
> Casey> or else you'll be in trouble), and they don't have access
> Casey> to acquisition, but they will allow you to intercept calls
> Casey> to arbitrary names on an object.
> 
> Do you have some examples or docs about this? I'm trying to use it, but my product
> fell into an unfinished loop. Any suggestion?
> 
> Casey> -Casey
> 
> TIA,
> baux
> 





Re: [Zope-dev] Re: information disclosure vulnerability

2002-12-03 Thread Jamie Heilman
> http://YourServer/Control_Panel/Products/ExternalEditor
> 
> gives Anonymous the ZopeStartPage if ExternalEditor is installed and a 
> SiteError if not.

I believe this particular item can be worked around to a degree.
In the index_html in the root folder I simply put:
index_html

This helps hide the fact that certain objects are present, but it
doesn't protect from the HelpSys or other kinds of acquisition
treachery.  Of course I can get away with this because I didn't need my
root index_html for content... if you have your site set up
differently you may have to wrap that with some URI checks first.

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
 to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
 I liked you better when you weren't saying squat kid." -Buddy

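The detection side of the two probes discussed in this thread (an anonymous GET of /HelpSys, and walking /Control_Panel/Products/<name> to see which products answer), as an added Python 3 example that is not code from the list or from Zope: it scans constructed combined-format access-log lines for unauthenticated requests under those paths and counts the distinct product names each client probed. The log lines, IP addresses and the name OtherProduct are constructed here; the regex assumes the combined format's user field is "-" for anonymous requests.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from any real site).
# The third field is the authenticated user; "-" means anonymous.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2002:10:01:02 +0000] "GET /HelpSys HTTP/1.0" 200 5120
203.0.113.7 - - [03/Dec/2002:10:01:05 +0000] "GET /Control_Panel/Products/ExternalEditor HTTP/1.0" 200 812
203.0.113.7 - - [03/Dec/2002:10:01:06 +0000] "GET /Control_Panel/Products/OtherProduct HTTP/1.0" 404 300
198.51.100.2 - admin [03/Dec/2002:10:02:00 +0000] "GET /Control_Panel/Products HTTP/1.0" 200 2100
198.51.100.9 - - [03/Dec/2002:10:03:00 +0000] "GET /index_html HTTP/1.0" 200 1500
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths the thread identifies as revealing the installed-product list.
SENSITIVE_PREFIXES = ("/HelpSys", "/Control_Panel")
PRODUCT_RE = re.compile(r"^/Control_Panel/Products/([^/?]+)")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def anonymous_management_hits(log_text):
    """(ip, path, status) for every anonymous request under a sensitive path.

    Every status is reported: a 200 says a product is installed and an error
    page says it is not, so both replies answer the prober's question.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] == "-" and rec["path"].startswith(SENSITIVE_PREFIXES):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def product_probe_counts(log_text):
    """Distinct product names probed under /Control_Panel/Products/, per anonymous IP."""
    probed = defaultdict(set)
    for ip, path, _status in anonymous_management_hits(log_text):
        m = PRODUCT_RE.match(path)
        if m:
            probed[ip].add(m.group(1))
    return {ip: len(names) for ip, names in probed.items()}
```

The authenticated admin request and the anonymous hit on /index_html are deliberately not reported: the signal is an unauthenticated client walking the management URLs, not the URLs themselves.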



[Zope-dev] Permissions Mapping Screen

2002-12-03 Thread Brian R Brinegar
Is there any reason that the acquired permission mapping cannot be
displayed next to the check boxes on the Permission mapping screen?

For example if I have "Access User Information" checked in the root of a
site for Anonymous and I view the Security tab for a folder one level
down I would like to see a check symbol to the right of the
Anonymous/Access User Information check box.

This seems like it would be very very useful.

-Brian





Re: [Zope-dev] wrapping unexistent objects

2002-12-03 Thread Maurizio Boriani
> "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:

Casey> Its easy to create an infinite loop. To avoid these, do
Casey> attribute lookups from the instance __dict__ rather than
Casey> directly from self:

Casey> IOW, don't do:

Casey> foo = self.foo

Casey> or getattr(self, 'foo')

Casey> (This can trigger another __getattr__ call)

Casey> Instead do:

Casey> foo = self.__dict__['foo']

In my case foo is a method, not a property.

Casey> (This won't cause another getattr call)

Casey> As for examples, there is a complex one in the CMF
Casey> Skinnable module and a simpler one in the Document module
Casey> of my DocumentLibrary product.

I tried this too, but Zope returns an error ('Type Error, unsubscriptable object').

Exactly this is my case:

I have a class called, for example, pippo. This contains another class called pluto.

So what I'd like to do is:

  

  


The expr or method ciccio doesn't exist in pluto, but I'd like to pass the expr
and its parameters to a defined method.

Big thanks again for your help.

bye,
baux 

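Casey's advice earlier in this thread (read instance state through __dict__ inside the hook, and refuse names starting with "_" or "aq") and Maurizio's case (pluto has no method ciccio, yet the name and its arguments should reach one defined method), worked through as an added Python 3 example that is not code from the thread or from Zope. Looping, Pluto, dispatch and forward are names chosen here; Looping is the pitfall, Pluto the version that does not recurse.

```python
class Looping:
    """The pitfall from the thread: a __getattr__ that reads self.<attr>."""

    def __getattr__(self, name):
        # 'data' is never set, so self.data calls __getattr__('data'), which
        # reads self.data again ... until the interpreter gives up.
        return self.data[name]


def loops_forever():
    """True if Looping recurses without bound (Python 3 raises RecursionError)."""
    try:
        Looping().anything
    except RecursionError:
        return True
    return False


class Pluto:
    """Contained object whose unknown method names are routed to dispatch()."""

    def __init__(self):
        self.calls = []          # record of every forwarded call
        self.known = "present"   # a real attribute; never reaches __getattr__

    def __getattr__(self, name):
        # Reached only when normal lookup (class, then instance __dict__) fails,
        # so methods defined on the class are never intercepted.
        # Refuse "_" and "aq" names as Casey advises: Python internals and
        # Zope acquisition probes must get a plain AttributeError.
        if name.startswith("_") or name.startswith("aq"):
            raise AttributeError(name)
        # Check instance state via __dict__, not self.calls: reading self.calls
        # here would re-enter this hook on a half-initialised instance.
        if "calls" not in self.__dict__:
            raise AttributeError(name)

        def forward(*args, **kwargs):
            # dispatch lives on the class, so normal lookup finds it.
            return self.dispatch(name, *args, **kwargs)
        return forward

    def dispatch(self, name, *args, **kwargs):
        """The 'defined method' that receives the missing name and its arguments."""
        self.__dict__["calls"].append((name, args, kwargs))
        return "%s(%s)" % (name, ", ".join(repr(a) for a in args))


if __name__ == "__main__":
    p = Pluto()
    print(p.ciccio(1, "a"))    # ciccio(1, 'a')
    print(loops_forever())     # True
```

Note that self.__dict__['foo'] only finds instance data; a method defined on the class is resolved by normal lookup before __getattr__ runs, so the hook is the right place to catch names that exist nowhere.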




Re: [Zope-dev] wrapping unexistent objects

2002-12-03 Thread Casey Duncan
Can you just use acquisition?

On Tuesday 03 December 2002 01:11 pm, Maurizio Boriani wrote:
> > "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:
> 
> Casey> Its easy to create an infinite loop. To avoid these, do
> Casey> attribute lookups from the instance __dict__ rather than
> Casey> directly from self:
> 
> Casey> IOW, don't do:
> 
> Casey> foo = self.foo
> 
> Casey> or getattr(self, 'foo')
> 
> Casey> (This can trigger another __getattr__ call)
> 
> Casey> Instead do:
> 
> Casey> foo = self.__dict__['foo']
> 
> In my case foo is a method, not a property.
> 
> Casey> (This won't cause another getattr call)
> 
> Casey> As for examples, there is a complex one in the CMF
> Casey> Skinnable module and a simpler one in the Document module
> Casey> of my DocumentLibrary product.
> 
> I tried this too, but Zope returns an error ('Type Error, unsubscriptable 
> object').
> 
> Exactly this is my case:
> 
> I have a class called, for example, pippo. This contains another class called 
> pluto.
> 
> So what I'd like to do is:
> 
>   
> 
>   
> 
> 
> The expr or method ciccio doesn't exist in pluto, but I'd like to pass the expr 
> and its parameters to a defined method.
> 
> Big thanks again for your help.
> 
> bye,
> baux 
> 
> 





Re: [Zope-dev] wrapping unexistent objects

2002-12-03 Thread Maurizio Boriani
> "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:

Casey> Can you just use acquisition?

But how could I without knowing which method will be called?


-- 
Maurizio Boriani -- Debian Developer
E-mail address: [EMAIL PROTECTED]
GPG key: 0xCC0FBF8F
fingerprint => E429 A37C 5259 763C 9DEE  FC8B 5D61 C796 CC0F BF8F <= fingerprint




[Zope-dev] [ANN] OrderedObjectManager Proposal

2002-12-03 Thread Yuppie
Zope Folders are already ordered collections. But so far the Zope Core 
has no API to manipulate the order of the contained objects.

This proposal suggests a solution:

http://dev.zope.org/Wikis/DevSite/Proposals/OrderedObjectManager


Comments are welcome!

Yuppie






Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.

2002-12-03 Thread Yusei TAHARA
Hi.

> > Concretely, what are the "some details"?
> 
> The fix to this situation is more complicated than removing a ":utf8:" from 
> somewhere that it shouldn't be. I'm sure you know this.
At this point in Zope 2.6.x, my guess is that this would not clear up
this problem completely. But my patch allows using both type string and ustring
when a user sets the right encoding name in "management_page_charset".
This is a temporary trick, but it works well.

> > I'm very interested in Zope development, especially i18n.
> > So I would like to contribute something about it:-)
> 
> The patch you mentioned?
I want to tackle this complicated problem in Zope development
rather than make my own patches.
Because i18n is more of a benefit for minority languages such as Japanese
than for major ones, I need it very much.

Thank you.
--
Yusei




Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.

2002-12-03 Thread Heiichiro NAKAMURA

On Tue, 3 Dec 2002 14:52:31 +
Toby Dickenson <[EMAIL PROTECTED]> wrote:

> > > There are some details missing from your explanation, but hopefully not
> > > from your patch. Where do I find it?
> >
> > Concretely, what are the "some details"?
> 
> The fix to this situation is more complicated than removing a ":utf8:" from 
> somewhere that it shouldn't be. I'm sure you know this.
> 
> > I'm very interested in Zope development, especially i18n.
> > So I would like to contribute something about it:-)
> 
> The patch you mentioned?



... it seems like things are in a double-bind situation, where
the current Unicode support has a fundamental problem which
can't be resolved in a straightforward manner, yet you are requesting
it and rejecting any other proposal (at least it looks so to some
extent, even though you didn't intend to do so).

#  Probably one of the major causes of the miscommunication about
#  this topic is the difficulty of understanding a different
#  culture, especially the sense of criticality and severity
#  of the problem: one party feels it's crucial and needs an urgent
#  tentative fix while another feels it's minor and negligible.


Although the problem itself is very clear, no actions/progress
against the problem have happened yet.
Anyway, I think it's getting clear that there are no silver
bullets (patch) to shoot this problem. If so, the next step
which should be taken in such a situation is clear: rollback.

We should trace back until finding out what exactly is the fundamental
cause of the problem, then make the corrections or define the right
direction (as Toby already tried in 
<[EMAIL PROTECTED]>
and I think it's comprehensive).

I'm not clear on the exact positioning of these documents:
  http://www.zope.org/Members/htrd/howto/unicode-zdg-changes
  http://www.zope.org/Members/htrd/howto/unicode
but it seems like these documents describe the basic design policy
of the current implementation of Unicode support well.
#  For me, the problem looks much simpler in these documents than
#  in the discussion about the detailed implementation.

So far, does it sound OK?  I would like to hear any opinion about this issue
(I know anybody in this ML is very busy ;)


Regards,
---
Heiichiro NAKAMURA <[EMAIL PROTECTED]>

