[Zope-dev] Zope 2.7.0 beta 4 Release and Security Update

2004-01-09 Thread Brian Lloyd
Zope 2.7.0 beta 4 Release and Security Update

  Zope 2.7.0 beta 4 contains a number of security related fixes for issues
  resolved during a comprehensive security audit conducted in Q4
  2003. You may download Zope 2.7.0b4 from Zope.org:

http://www.zope.org/Products/Zope/2.7.0b4/

  **Users of the VerboseSecurity add-on product for Zope please note:** some of
  the security-related changes in Zope 2.7.0b4 are incompatible with the
  VerboseSecurity product. Please uninstall the VerboseSecurity product before
  upgrading to 2.7.0b4 to avoid problems. It is expected that VerboseSecurity
  will be updated to be compatible with Zope 2.7.0b4 in the near future.

  Also note that there are binary code changes in the 2.7.0b4 release, making
  it impossible to issue an external "hotfix" to resolve these issues. CVS
  users should be sure to update their sites **and rebuild the C Python
  extensions** to ensure that all fixes are deployed.

  In the fourth quarter of 2003, a comprehensive evaluation of the changes
  to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was
  designed to assess each change to the Python environment in terms of its
  potential impact on the Zope application server and Zope applications,
  with the goal of making Python 2.3.3 the required Python platform for
  Zope beginning with Zope 2.7.

  The evaluation was focused on assessing changes to Python in the
  following contexts:

- Changes that would have compatibility or other effects on existing
  or new Zope applications

- Changes that could potentially affect the Zope security architecture
  or change the behavior of the restricted execution environment used
  by Zope to run untrusted code


  In the course of the evaluation, very few of the Python changes in 2.3.3
  directly affected the Zope security architecture or had impacts on the
  restricted execution model.

  However, a number of pre-existing potential issues were discovered and
  resolved in the course of the comprehensive security audit that was
  performed as a part of the Python upgrade evaluation:


  - For loops, list comprehensions, and other iterations in untrusted code

Issue Description

Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.

Who Is Affected?

Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.

Resolution

This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.


  - List and dictionary instance methods in untrusted code

Issue Description

List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.

Who Is Affected?

Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.

Resolution

This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.


  - Use of "import as" in untrusted code

Issue Description

Use of "import as" in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.

Who Is Affected?

Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.

Resolution

This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.


  - Use of min, max, enumerate, iter, and sum in untrusted code

Issue Description

A number of newer built-ins were either unavailable in untrusted
code or did not perform adequate security checking.

Who Is Affected?

Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.

Resolution

This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.


  - Broken binding validation in untrusted code

Issue Description

The variables bound to page templates and Python scripts such as
"context" and "container" were not checked adequately, allowing
a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.

Who

[Zope-dev] Re: Builtins on Zope 2.6.3

2004-01-09 Thread Michael Haubenwallner
Tres Seaver wrote:
Christian Theune wrote:

Hi,

I have the strange feeling that somebody forgot to include the
AccessControl.ZopeGuard.safe_builtins for DTML.
See DT_Utils.py around line 56 and the corresponding imports as well as
the definition of safe_builtins in ZopeGuard.py.
Could someone verify this?


Could you suggest a fragment of DTML which would serve as a test case? 
Such a fragment would either:

  - fails if your suspicion is true, but shouldn't?

  - doesn't fail, but should.

What i found with a fresh 2.6.3-win32 and CMF-1.4.2 was this:

Traceback (innermost last):
  Module ZPublisher.Publish, line 98, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 39, in call_object
  Module Products.CMFCore.utils, line 348, in manage_propertiesForm
  Module Shared.DC.Scripts.Bindings, line 261, in __call__
  Module Shared.DC.Scripts.Bindings, line 292, in _bindAndExec
  Module App.special_dtml, line 174, in _exec
  Module DocumentTemplate.DT_In, line 703, in renderwob
  Module DocumentTemplate.DT_Let, line 76, in render
  Module DocumentTemplate.DT_Util, line 201, in eval
   - __traceback_info__: select_variable
  Module , line 0, in ?
AttributeError: min
This is in part already mentioned here:
http://zope.org/Collectors/Zope/1169
The bad thing about the missing "min" is that it is used in CMF at 
portal_types/{typename}/manage_propertiesForm (OFS/properties.dtml) to 
compute the size of the multiple select boxes, so TTW/ZMI type-property 
administration is not possible.

--
Michael




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
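The two failure modes discussed on this page, the access checks the security update above says were missing from iteration, dict.get and the iterating builtins, and the builtin that this thread finds missing from the DTML namespace, as one added illustrative model in Python. This is example code written for this page, not Zope's AccessControl or RestrictedPython code; every name in it (Unauthorized, Protected, Guard, restricted_eval, is_denied, missing_builtin, demo) is hypothetical and the sample objects are constructed. The eval at the end only stands in for an expression evaluator so that a missing whitelist entry can be observed: a bare eval with a trimmed `__builtins__` dict is not a sandbox in CPython and must never be relied on as one, which is why Zope's restricted execution environment rewrites untrusted code at compile time rather than just trimming the namespace.

```python
# Added illustrative model, not Zope's AccessControl / RestrictedPython code.
# Every name below (Unauthorized, Protected, Guard, restricted_eval, ...) is
# hypothetical; the sample objects in demo() are constructed for this example.
import builtins

class Unauthorized(Exception):
    """Untrusted code tried to obtain an object it is not allowed to see."""

class Protected:
    """Constructed sample object: obtaining it requires permission `perm`."""
    def __init__(self, name, perm):
        self.name, self.perm = name, perm

class Guard:
    """Access policy for one executing user: the permissions they hold."""
    def __init__(self, perms=()):
        self.perms = frozenset(perms)

    def check(self, obj):
        """Return obj if it may be obtained; plain values carry no permission."""
        perm = getattr(obj, "perm", None)
        if perm is not None and perm not in self.perms:
            raise Unauthorized(f"{getattr(obj, 'name', obj)!r} requires {perm!r}")
        return obj

    def guarded_iter(self, seq):
        """Fix for iteration: check each element as it is obtained."""
        for item in seq:
            yield self.check(item)

    def guarded_get(self, mapping, key, default=None):
        """dict.get is not security aware; check whatever it hands back."""
        return self.check(mapping.get(key, default))

    def safe_builtins(self, names=("min", "max", "sum", "enumerate", "iter")):
        """Whitelisted builtins, all built on guarded_iter so none can pull an
        unchecked element out of a sequence. Omitting a name from `names`
        models the missing builtin reported in the thread."""
        g = self.guarded_iter

        def one_or_many(args):  # min(seq) iterates seq; min(a, b) the args
            return g(args[0]) if len(args) == 1 else g(args)

        table = {
            "min": lambda *a: builtins.min(one_or_many(a)),
            "max": lambda *a: builtins.max(one_or_many(a)),
            "sum": lambda seq, start=0: builtins.sum(g(seq), start),
            "enumerate": lambda seq, start=0: builtins.enumerate(g(seq), start),
            "iter": lambda seq: g(seq),
        }
        return {n: table[n] for n in names}

def restricted_eval(expr, guard, names=None, allowed=None):
    """Evaluate expr with only the guarded builtins in scope.
    CAUTION: eval with a trimmed __builtins__ is NOT a sandbox in CPython; it
    only stands in for an expression evaluator so the whitelist can be seen.
    Real restricted execution rewrites untrusted code at compile time."""
    safe = guard.safe_builtins() if allowed is None else guard.safe_builtins(allowed)
    return eval(expr, {"__builtins__": safe, **(names or {})})

def is_denied(thunk):
    """True if calling thunk() raises Unauthorized."""
    try:
        thunk()
    except Unauthorized:
        return True
    return False

def missing_builtin(expr, guard, allowed):
    """NameError text if the whitelist lacks a builtin expr needs, else None
    (DTML surfaces the same miss as AttributeError, as in the traceback above)."""
    try:
        restricted_eval(expr, guard, allowed=allowed)
    except NameError as exc:
        return str(exc)
    return None

def demo():
    """Run the checks over constructed sample data and return the outcomes."""
    guard = Guard(perms={"View"})
    public, secret = Protected("public", "View"), Protected("secret", "Manage")
    seq, mapping, nums = [public, secret], {"p": public, "s": secret}, {"nums": [1, 2, 3]}
    return {
        # the bug: plain iteration and dict.get hand back `secret` unchecked
        "plain_iter_leaks": secret in list(iter(seq)),
        "plain_get_leaks": mapping.get("s") is secret,
        # the fix: the same accesses are checked on the way out
        "guarded_iter_denied": is_denied(lambda: list(guard.guarded_iter(seq))),
        "guarded_get_denied": is_denied(lambda: guard.guarded_get(mapping, "s")),
        "guarded_get_allowed": guard.guarded_get(mapping, "p") is public,
        # guarded builtins behave normally on plain values ...
        "min_of_ints": restricted_eval("min(3, 1, 2)", guard),
        "sum_of_seq": restricted_eval("sum(nums)", guard, nums),
        "max_enumerate": restricted_eval("max(enumerate(nums))", guard, nums),
        # ... but cannot be used to reach a protected element
        "min_over_protected_denied": is_denied(
            lambda: restricted_eval("min(objs)", guard, {"objs": seq})),
        # forgetting to whitelist min reproduces the thread's failure
        "missing_min": missing_builtin("min(3, 1)", guard, ("max", "sum")),
    }
```

The point of routing every iterating builtin through guarded_iter is the one the advisory makes: a check on attribute access after the fact does not help if the object should never have been handed out, so the check has to sit where the object is obtained. The last entry of demo() is the shape of test fragment Tres asks for in this thread, only in this model rather than in DTML: evaluate an expression that uses the builtin in the restricted namespace and see whether the name resolves.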


[Zope-dev] Where to put Zope 3 in Zope 2

2004-01-09 Thread Jim Fulton
I want to make the zope.interface (Zope 3 Interfaces) package
available on the Zope 2 head (aka Zope 2.8).  I propose to add
lib/python/zope3 as a container for zope 3 packages. This new
directory will be added to the path used by Zope 2.
A separate directory is needed because there are packages in Zope 2
and Zope 3, most notably zope and Zope, with names differing only in
case.
I will also replace the existing Interfaces package with a facade package
that uses zope.interfaces.
Jim

--
Jim Fulton   mailto:[EMAIL PROTECTED]   Python Powered!
CTO  (540) 361-1714http://www.python.org
Zope Corporation http://www.zope.com   http://www.zope.org


[Zope-dev] Re: Builtins on Zope 2.6.3

2004-01-09 Thread Tres Seaver
Christian Theune wrote:
Hi,

I have the strange feeling that somebody forgot to include the
AccessControl.ZopeGuard.safe_builtins for DTML.
See DT_Utils.py around line 56 and the corresponding imports as well as
the definition of safe_builtins in ZopeGuard.py.
Could someone verify this?
Could you suggest a fragment of DTML which would serve as a test case? 
Such a fragment would either:

  - fails if your suspicion is true, but shouldn't?

  - doesn't fail, but should.

FWIW, we *did* actually do "functional" testing, including:

  - Creating and minimally exercising every item available through the
default ZMI add list;
  - Creating and verifying that DTMLDocument, DTMLMethod, PythonScript,
and PageTemplate objects could show dynamic content;
  - Bringing up CMF 1.3.3 and 1.4.2, as well as both with old and new
sites;
  - Bringing up a new Plone 1.0.5 site and adding content;

  - Bringing up several of our large customer-specific applications.

This testing *did* find several "brown-bag" issues, before the release, 
which hadn't been caught by the unit tests.

Tres.
--
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com


[Zope-dev] Re: [Zope] Re: ANNOUNCE: Zope 2.6.3 Release and Security Update

2004-01-09 Thread Tres Seaver
Dennis Allison wrote:

Tried to do the former, but Python 2.3.1 would not build on RH9 with
significant brain surgery.  Updated RH9 to the bleeding edge and got
things mostly working except for some subsystems and supporting systems
which use threading and would not work under the new threading model
without significant rework.  Hence the decision to revert to RH7.3.
Eventually we plan to move to a Gentoo system--I've been experimenting
with Gentoo and have found it to be fairly easy to construct a customized,
fast, and clean system although the time-to-build can be daunting.  After
some more testing I plan to move to Gentoo for production, a move
motivated by the bad experience I've had with RH9 and RedHat's new
business focus on the enterprise.
I am tracking Whitebox Linux (http://www.whiteboxlinux.org) at the 
moment:  it is a "rebuild-RHEL-3-from-SRPM-under-RH-trademark-policy" 
distro, which seems to have decent momentum (updates flow through 
quickly, for instance).

One point of information, Tres.  Was your positive experience over a range
of machines.  We've pretty much standardized on dual processor Athlon
machines, 4GB memories, and hardware raid controllers in a RAID-10
configuration.  It's possible that our problems with RH9 may be tied 
to some problem with their Athlon SMP systems.
Hmm, good point;  we are using Dell's datacenter-class boxen, which are 
all Intel hardware.  Our experiences with Athlon-based boxes were less 
happy, even under 7.3:  we attributed the problems to the fact that they 
were "homebrew" hardware, rather than to problems with RH Athlon kernels.

Tres.
--
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation  "Zope Dealers"   http://www.zope.com


[Zope-dev] Zope and OS Pythons (Was:ANNOUNCE: Zope 2.6.3 Release and Security Update)

2004-01-09 Thread Lennart Regebro
I have to agree with the recommendations of never running Zope with the OS
Python. In fact, I usually don't even get it to work, since the OS Python
has a tendency to not include modules included in the standard Python
distribution, or behave weirdly in some other way. For example, OpenBSD's
standard binary Python used to barf on py files with Windows line endings, a
big problem if you run a mixed environment.

As to discussions in what OS to run, I can only say: OpenBSD.

Very secure, dead easy to install and a very nice "source code" package
delivery system in addition to the binary package distributions, removing
the need to wait for the package to be recompiled by the package manager for
your version of OpenBSD. Happily and securely runs several Zope servers even
on old puny machines. :-)

It doesn't work well as a client though, but as a server, I have yet to find
anything to beat it. Well, maybe VMS was slightly better. :-)

//Lennart





[Zope-dev] Builtins on Zope 2.6.3

2004-01-09 Thread Christian Theune
Hi,

I have the strange feeling that somebody forgot to include the
AccessControl.ZopeGuard.safe_builtins for DTML.

See DT_Utils.py around line 56 and the corresponding imports as well as
the definition of safe_builtins in ZopeGuard.py.

Could someone verify this?

Cheers,
Christian

-- 
Christian Theune, gocept gmbh & co. kg
http://www.gocept.com - [EMAIL PROTECTED]
fon: 03496 3099112 fax: 03496 3099118 mobile: 0179 7808366

