On Fri, 2002-08-09 at 10:43, Toby Dickenson wrote:
> On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> > On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > > The risk for breakage is very small really
> > >
> > > Your choice of '<' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than dtml which generates html.
> >
> > Only if you generated that script using data from the REQUEST, implicitly.
>
> Yes
>
> > Which was bad in the first place.
>
> I agree it is true in most cases, but not all. Have you analysed how many applications will be broken by this? How they can detect the breakage? I certainly will not have time to assess the implications on my applications before the scheduled release of 2.6.
>
> > > > , and breakage will generally only occur when someone is trying to exploit the weakness, not in normal operation of the site.
> > >
> > > The fact that your change uses html_quote to 'fix' the problem rather than sounding 'hacker alert' alarm bells suggests to me that you don't really believe that ;-)
> >
> > Again, the wide scope of DTML use would make such bells warble prematurely all too often.
>
> 'all too often' also contradicts your statements that this will not happen in normal operation of the site, and that the risk of breakage is 'very small'.
>
> Like I said before, this is probably a good feature. If it was available as a patch then I would probably use it on a number of my sites, and would recommend it to others. I would be very happy to see it (or something like it) in 2.7.
>
> But not 2.6.
Martijn did add a knob to turn the feature off, via a new environment variable.

With a security vulnerability, we have to come up with some kind of balance between the need to propagate the fix as quickly as possible and the need (as you point out) not to disrupt production sites unduly. I don't believe we can afford to wait a whole other release cycle for this fix; Brian, Jim, and Martijn deemed the fix too pervasive to be bundled as a hotfix, which offers us little choice except to include it in current releases.

Without the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous value, unquoted. E.g.:

<URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E>

Tres.

--
===============================================================
Tres Seaver [EMAIL PROTECTED]
Zope Corporation "Zope Dealers" http://www.zope.com
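As an added illustration of the two points argued in this thread (it is not code from the thread, nor Zope's own marshalling or error-page code), the following Python model shows an error page that echoes a badly marshalled form value with and without HTML quoting, and separately shows what quoting for a script context looks like, since html_quote is aimed at HTML output rather than generated JavaScript. The function names `parse_typed_form`, `render_error_page`, `js_string_literal` and `handle` are assumptions of this example; the sample URL is the one quoted above.

```python
import html
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the URL quoted in the message above.
SAMPLE_URL = ("http://somezopesite.com/looks/like/legitimate"
              "?foo:int=%3Cscript%3Ealert('Owned')%3C/script%3E")


def parse_typed_form(query: str) -> dict:
    """Toy stand-in for 'name:type' form marshalling, handling only ':int'.

    Good values are converted; a value that fails to convert raises
    ValueError carrying the raw text, which is exactly the text an error
    page is tempted to echo back to the browser.
    """
    result = {}
    for key, raw in parse_qsl(query, keep_blank_values=True):
        name, _, converter = key.partition(":")
        if converter == "int":
            try:
                result[name] = int(raw)
            except ValueError:
                raise ValueError(raw)  # unvalidated, attacker-controlled text
        else:
            result[name] = raw
    return result


def render_error_page(bad_value: str, quote: bool = True) -> str:
    """Error page that reports the offending value.

    quote=False reproduces the unquoted pre-fix behaviour; quote=True applies
    HTML quoting (the role html_quote plays in the 2.6 fix), so '<', '>', '&'
    and quote characters can no longer start markup in the page.
    """
    shown = html.escape(bad_value, quote=True) if quote else bad_value
    return f"<html><body><p>Invalid integer value: {shown}</p></body></html>"


def js_string_literal(value: str) -> str:
    """Quoting for a JavaScript string context, which HTML quoting does not
    cover: json.dumps yields a valid JS string literal, and '<' / '>' are
    turned into \\u escapes so a value cannot close the enclosing <script>.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_script_page(value: str) -> str:
    """Page that embeds a request value inside generated JavaScript."""
    return f"<script>var v = {js_string_literal(value)};</script>"


def handle(url: str, quote: bool = True) -> str:
    """Marshal the query string; on failure, render the error page."""
    try:
        parse_typed_form(urlsplit(url).query)
    except ValueError as exc:
        return render_error_page(str(exc), quote=quote)
    return "<html><body>ok</body></html>"


if __name__ == "__main__":
    print(handle(SAMPLE_URL, quote=False))  # raw value lands in the page
    print(handle(SAMPLE_URL))               # quoted value is inert text
    print(render_script_page("</script><b>x</b>"))
```

The `quote` flag plays the part of the environment-variable knob mentioned above: with it off, the page reproduces the unquoted echo the thread is about; with it on, the same value is rendered as inert text. The script-context function is there to make Toby's distinction concrete, since a value destined for generated JavaScript needs JavaScript string quoting, not HTML quoting.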