error_message & SimpleItem.raise_standardErrorMessage facilitate cross site scripting
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | New | Medium | Unassigned |
Bug Description
Problem summary:
1) In SimpleItem.raise_standardErrorMessage, error_value is promoted to error_message whenever it appears to contain markup.
2) The default standard_
3) error_value can be induced to contain markup chosen by a remote client, since many exceptions echo the offending request input in their message (int() does this in the test case below).
Problem History:
The promotion of a tainted error_value was first uncovered in http://
(vulnerability 3a), though it was not identified as a vulnerability there.
Test Cases:
Make a Script (Python) object named 'intpromo' containing:
## Script (Python) "intpromo"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=
##parameters=i
##title=
##
# int() includes the unparsed value of i verbatim in its ValueError
# message, so error_value becomes whatever the client supplied.
return int(i)
Now request it with a non-integer value of i that contains markup, http://
Workaround:
Either use HTML quoting with error_message in the standard_
Suggested Long-term Fix:
Remove error_value promotion from raise_standardErrorMessage
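The following is an added, self-contained model of the three points in the problem summary and of the suggested fix; it is not code from Zope or from this report. The script, the "appears to contain markup" heuristic (looks_like_markup), and the error-page template (error_page) are all assumed stand-ins, since the page does not quote the real check or template. handle_request_vulnerable promotes a markup-looking error_value to error_message, which the template inserts unquoted; handle_request_fixed never promotes, so error_value only reaches the page through the quoting branch.

```python
from html import escape


def intpromo(i):
    """Stand-in for the report's 'intpromo' Script (Python): int() echoes the
    unparsed input verbatim in its ValueError message."""
    return int(i)


def looks_like_markup(text):
    """Assumed heuristic for 'appears to contain markup'; the exact test used by
    SimpleItem.raise_standardErrorMessage is not quoted on the page."""
    return "<" in text and ">" in text


def error_page(error_type, error_value, error_message=None):
    """Assumed stand-in for a standard error template: it inserts
    error_message unquoted (the behaviour the workaround says to change) and
    falls back to an HTML-quoted error_value when no error_message is given."""
    if error_message is None:
        error_message = escape(error_value, quote=True)
    return "<html><body><h2>%s</h2>\n<p>%s</p></body></html>" % (
        escape(error_type), error_message)


def handle_request_vulnerable(i):
    """Model of the reported behaviour: an error_value that looks like markup
    is promoted to error_message, which the template renders unquoted."""
    try:
        return str(intpromo(i))
    except ValueError as exc:
        error_value = str(exc)
        # The promotion step: attacker-chosen text becomes trusted markup.
        error_message = error_value if looks_like_markup(error_value) else None
        return error_page("ValueError", error_value, error_message)


def handle_request_fixed(i):
    """Suggested long-term fix: never promote error_value, so the template only
    ever sees it through the quoting branch."""
    try:
        return str(intpromo(i))
    except ValueError as exc:
        return error_page("ValueError", str(exc))


if __name__ == "__main__":
    # Constructed attacker-chosen value for the request parameter i.
    payload = "<script>alert(1)</script>"
    print(handle_request_vulnerable(payload))  # script tag survives unquoted
    print(handle_request_fixed(payload))       # script tag is entity-encoded
```

Running the block with the constructed payload shows the difference directly: the vulnerable handler returns a page containing the raw script tag from the ValueError text, while the fixed handler returns the same message with the angle brackets and quotes entity-encoded. The quoting alone (the workaround) also closes the hole; removing the promotion (the long-term fix) removes the reason the template ever had to trust error_message.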
Please mark this bug as publicly visible; Zope administrators need to know how to protect their installations until this issue is addressed by an official release or hotfix.
visibility: private → public