On Jul 8, 2006, at 11:49 AM, David Pratt wrote:
Jim Fulton wrote:
Recently, a serious security flaw was found in Zope 2 due to it's
improper support for allowing reStructuredText to be edited
through-the-web. reStructuredText has directives that allow
inclusion of any file a Zope process could read and inclusion of
data obtained from fetching arbitrary URLs. In a trusted
environment, these directives have legitimate uses. The feature
of including files and URL results should not be enabled for text
entered from untrusted sources, which applies to most through-the-
web interactions.
Hi Jim. In the case of a wiki, it is the nature of a wiki that
folks are able to edit through the web.
But a wiki can be edited in other formats that restructured text.
(Personally, I think
wikis should use tools like Epoz or Kupu to allow direct HTML
editing, but
that's a different matter.
Wouldn't data validation and any necessary alterations to the
directives some sense as opposed to removing it from the zope3 mix?
Sure, if someone is willing to do it and take responsibility. Note
that I'm not removing these from the release, because they've never
been in the release. I didn't even remove them from the repository,
I just removed them from the Zope 3 tree.
I'm convinced that TTW reST can be safe with suitable attention to
detail.
So far though, that hasn't happened. No one has come forward yet and
said
"I'll maintain this and be responsible for making sure we're secure
wrt reST".
The recent hotfix:
http://www.zope.org/Products/Zope/Hotfix-2006-07-05/
Hotfix-2006-07-05
addresses the problem for Zope 2.
Perhaps. We don't know for sure. We don't have tests. We don't know
if it can
be defeated using a reload product. It is also a very crude fix. It
prevents people
from creating add-ons that make legitimate use of file-inclusion or
the raw
directive. It was a great fix in an emergency -- and this was a
serious emergency,
but I don't want to use such a fix in Zope 3.
It is safe to allow reStructuredText through the web with care.
The inclusion of files or URL results can be disabled, but the
programmer must explicitly disable the feature. It is not
disabled by default. It is also critical that a developer who
exposes through-the-web reStructuredText have tests to verify that
the file/url inclusion feature has been disabled.
Zope 3 itself, as released, doesn't have this problem because it
doesn't allow reST entry through the web. There are third-party
applications, however, including 2 packages in the Zope 3
subversion tree that do have this problem. I strongly urge you to
avoid using any Zope package that allows through-the-web input of
reStructuredText unless you can verify that file/url has been
properly disabled.
The zwiki and bugtracker packages do not currently disable file/
url inclusion and should not be used in situations in which users
who are not highly trusted have access to these applications.
Can you be explicit about the process of disabling file/url
inclusion for zope3 (if this is the critical point you are
making ). The use of restructured text is valuable in zope and
obviously it is important to understand security measures that
would allow its continued use.
The reStructuredText documentation gives instructions for disabling it.
But something this risk needs people to be responsible. I'm not
seeing that. I expect someone to come forward eventually. Part of
being responsible is writing reasonably extensive tests.
If this can be done, why remove the products from the repository
tree? Would it not be better to apply the necessary fixes? Many
thanks.
Because their presence in the Zope 3 tree put people at serious
risk. If someone
wants to work on them, great, and they can release them as add-on
packages.
Jim
--
Jim Fulton mailto:[EMAIL PROTECTED] Python
Powered!
CTO (540) 361-1714
http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
_______________________________________________
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
