seb bacon wrote:
> The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> though. The reason it's still turning up in 2.6.x versions is probably
> due to upgrades. Therefore I suppose additionally there should be a
> patch which examines the ZODB on startup and prints a warning if an old
> Examples folder is present.
I opted for a patch that simply removes all the magic auto-install crud and goes for the installer link on the quick-start page. As for previous zope installations, well, I don't feel like trying to figure out how to examine the zodb and warn people if they've got bad examples still installed; it strikes me as too much junk in the startup procedure, which is already too slow as it is. I say chalk it up as a lesson learned and move on.

As for my reworked examples, I added missing quoting to the navigation examples, size limits and entry limits to the guest book, size limits and entry limits to the file library, and additional sanity checking and robustness to just about everything.

Examining the original advisory, this is how I break it down:

1) moot with the addition of SiteErrorLog
2) Examples/db no longer exists in the Examples, I'm unaware if it ever did, at any rate, not a problem
3) moot with the addition of SiteErrorLog
3a) this is a problem, see below
3b) fixed in my reworking
3c) I was unable to reproduce this, maybe a bug with older Zopes?
extra notes) wtf? I have no idea what the advisory author was trying to say by including that diff, and I have a feeling he doesn't know either. I mean, it has the words 'examples' and 'security' in it, but that doesn't make it relevant.

There is, unfortunately, a snag. One of the exploits (3a) as it turns out is actually a problem deeper down. To isolate a test case make a script like:

## Script (Python) "aww_shit_now_what"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=i
##title=
##
return int(i)

Then call it:

http://host/aww_shit_now_what=<b>old+flava'

This can be disarmed by ensuring that in your standard_error_message you quote the results of error_msg; however, this isn't the default, and it will result in a lot of broken and ugly looking (albeit safer) error pages.
I haven't fully figured out exactly what's going on with that whole thing yet. I have a feeling it's attributable to either raise_standardErrorMessage's "smart" tag searching, or some other auto-magical aspect of the error handling framework. (clues appreciated) In the mean time I suggest quoting error_msg.

--
Jamie Heilman http://audible.transient.net/~jamie/
"...thats the metaphorical equivalent of flopping your wedding tackle into a lion's mouth and flicking his lovespuds with a wet towel, pure insanity..." -Rimmer
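The reflection the post describes, and the quoting fix it recommends, simulated in plain Python as an added example (not code from the post or from Zope): the test script's `int(i)` raises a ValueError that echoes the caller's input, and a minimal error page template is rendered once without quoting (the unquoted `<dtml-var error_msg>` default) and once with HTML quoting (`<dtml-var error_msg html_quote>`, or the `&dtml-error_msg;` shorthand). The page layout and the sample input are assumptions, not Zope's actual standard_error_message.

```python
import html
import re

# Constructed sample value of the kind the post passes to the script's
# parameter: markup plus a quote character, nothing that parses as an integer.
SAMPLE_INPUT = "<b>old flava'"


def aww_shit_now_what(i):
    """Stand-in for the post's one-line Python Script: return int(i)."""
    return int(i)


def error_message_for(value):
    """Run the script and capture the exception text, as the error handler would.
    Returns None when the call succeeds."""
    try:
        aww_shit_now_what(value)
    except ValueError as exc:
        # Python's message repeats the offending input verbatim, e.g.
        # invalid literal for int() with base 10: "<b>old flava'"
        return str(exc)
    return None


def render_error_page(error_type, error_msg, quote):
    """Simulate a minimal standard_error_message (assumed layout, not Zope's DTML).
    quote=False mirrors an unquoted <dtml-var error_msg>; quote=True mirrors
    <dtml-var error_msg html_quote> / &dtml-error_msg;."""
    if quote:
        error_type = html.escape(error_type, quote=True)
        error_msg = html.escape(error_msg, quote=True)
    return (
        "<html><body><h2>Site Error</h2>"
        f"<p><strong>Error Type:</strong> {error_type}</p>"
        f"<p><strong>Error Value:</strong> {error_msg}</p>"
        "</body></html>"
    )


TAG_RE = re.compile(r"<[^>]+>")
TEMPLATE_TAGS = {"<html>", "<body>", "<h2>", "</h2>", "<p>", "</p>",
                 "<strong>", "</strong>", "</body>", "</html>"}


def reflected_tags(page):
    """Tags present in the rendered page that the template itself did not emit,
    i.e. markup that arrived via the echoed error message."""
    return [t for t in TAG_RE.findall(page) if t not in TEMPLATE_TAGS]
```

With quoting off, the `<b>` from the request survives into the page; with quoting on, it is emitted as `&lt;b&gt;` and no foreign tag remains.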