[Zope-dev] manage_form_title patch

Sun, 18 Jan 2004 02:12:15 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shane Hathaway wrote:
|
| We are protecting ourselves from nasty URLs written by anyone on the web.
| Because DTML is so implicit, it is conceivable that an URL like the
| following might kill your site (or worse!):
|
|
http://zope.example.com/?title=<script>document.location=/Control_Panel/manage_shutdown</script>
|
| For a black hat to exploit your site, he only needs to convince you to
| follow the link.  This is what is known as a cross-site scripting bug and
| it's a widespread problem for all dynamic web servers like Zope.  People
| are really concerned about it.  The only cure is to HTML-quote by
default.
| FWIW:
|
| http://www.cgisecurity.com/articles/xss-faq.shtml
|
| Shane

The affixed patch makes it impossible to call manage_form_title
directly, and thus elimates xss attacks on it.

This method (and probably loads more) wasn't designed to be public, but
inherited this feature by virtue of being implemented as DTML.

Can someone please check and apply this patch (and back out the patch
html-quoting the form-title on manage_form_title.dtml) :)

TIA, Alan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
Comment:

iD8DBQFACk1pCfroLk4EZpkRAtt/AJ9dm/I41iFTgsmtgeBUNN8B5Le8RgCfX9uz
vMqNG+w+QM8ioj1lENj/3q4=
=4Ukw
-----END PGP SIGNATURE-----

--- App/Management.py   Sun Jan 18 19:43:55 2004
+++ App/Management.py.save      Sun Jan 18 19:30:07 2004
@@ -173,14 +173,11 @@
     manage_page_header=DTMLFile('dtml/manage_page_header', globals())
     manage_page_footer=DTMLFile('dtml/manage_page_footer', globals())
 
-    _manage_form_title =DTMLFile('dtml/manage_form_title', globals(),
+    manage_form_title =DTMLFile('dtml/manage_form_title', globals(),
                                 form_title='Add Form',
                                 help_product=None,
                                 help_topic=None)
-    def manage_form_title(self, *args, **kw):
-       return self._manage_form_title(self, *args, **kw)
-
-    _manage_form_title._setFuncSignature(
+    manage_form_title._setFuncSignature(
         varnames=('form_title', 'help_product', 'help_topic') )
     manage_form_title__roles__ = None
 

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to