TALES: Non-simple path expressions may be evaluated in a string expression
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Zope 2 | Fix Released | Undecided | Hanno Schlichting | |
| zope.tales | Fix Released | Undecided | Tres Seaver | |
Bug Description
Prudently, TALES string expressions attempt to prevent use of non-simple path expressions in their interpolated expressions. The regular expression used to detect this is flawed, and non-simple path expressions may be inserted simply by prefixing the path with a subpath which evaluates to False or raises an exception. For example:
string:foo ${python:bar} baz
would raise a compiler error;
string:foo ${nothing/
would not, but would yield the same expected result.
The definition of the _interp regular expression in zope.tales.
_interp = re.compile(
>>> _interp.
[('spam', ''), ('', 'eggs'), ('', 'foo/bar'), ('', 'waldo/
Not sure if this is strictly a security bug, but reporting it as one just in case.
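The report above describes a permissive regular expression that is supposed to confine `${...}` interpolation in a `string:` expression to simple path expressions. The following is an added example, not code from zope.tales or from the reporter, showing the defensive alternative: parse the string expression and validate each `|` alternative of every interpolation in full, so that a `type:` prefix is rejected wherever it appears rather than only at the start of the braces. The function names (`compile_string_expr`, `is_simple_path`, `rejects`) and the `CompilerError` class are this example's own, and it admits only identifier-like path segments, a deliberate subset of the TALES path syntax.

```python
import re

class CompilerError(Exception):
    """Raised when a string: expression tries to interpolate anything but a simple path."""

# Assumption for this example: a path segment is an identifier. The TALES spec allows
# further segment forms, which a production parser would also have to admit explicitly.
_NAME = r'[A-Za-z_][A-Za-z0-9_]*'
_NAME_RE = re.compile(_NAME)
_SIMPLE_PATH = re.compile(r'%s(?:/%s)*' % (_NAME, _NAME))


def is_simple_path(expr):
    """True if every '|' alternative of expr is a plain name/name/... path.

    Each alternative is matched in full, so 'python:' or any other expression-type
    prefix cannot hide behind a preceding segment or alternative.
    """
    alternatives = [alt.strip() for alt in expr.split('|')]
    return all(_SIMPLE_PATH.fullmatch(alt) is not None for alt in alternatives)


def compile_string_expr(source):
    """Split a string: expression body into ('text', s) and ('path', p) parts.

    Recognises '$$' (a literal dollar sign), '$name' and '${path | path ...}'.
    Anything else after a '$' is a compile-time error, not a silent pass-through.
    """
    parts = []
    text = []
    i = 0
    n = len(source)

    def flush():
        if text:
            parts.append(('text', ''.join(text)))
            del text[:]

    while i < n:
        ch = source[i]
        if ch != '$':
            text.append(ch)
            i += 1
            continue
        if i + 1 < n and source[i + 1] == '$':
            text.append('$')            # escaped dollar sign
            i += 2
            continue
        if i + 1 < n and source[i + 1] == '{':
            end = source.find('}', i + 2)
            if end == -1:
                raise CompilerError('unterminated ${ in %r' % source)
            expr = source[i + 2:end]
            if not is_simple_path(expr):
                raise CompilerError('only simple path expressions may be interpolated: %r' % expr)
            flush()
            parts.append(('path', expr.strip()))
            i = end + 1
            continue
        m = _NAME_RE.match(source, i + 1)  # bare $name form
        if m is None:
            raise CompilerError('bad $ interpolation at offset %d in %r' % (i, source))
        flush()
        parts.append(('path', m.group(0)))
        i = m.end()
    flush()
    return parts


def rejects(source):
    """True if compile_string_expr refuses source; useful for regression tests."""
    try:
        compile_string_expr(source)
    except CompilerError:
        return True
    return False


if __name__ == '__main__':
    # Constructed sample inputs, not taken from the report.
    for sample in ('foo $bar baz', 'foo ${spam/eggs} baz', 'cost: $$5',
                   'foo ${python:bar} baz', '${spam/python:bar}', '${spam | python:bar}'):
        print('%-28r -> %s' % (sample, 'rejected' if rejects(sample) else compile_string_expr(sample)))
```

The design point is that the validator is an allow-list applied to each alternative in full, so the question "can a non-simple expression slip in after a slash or a pipe?" is answered by construction rather than by reasoning about what a single permissive character class might match.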
Changed in zope2:
- status: New → Confirmed
- assignee: nobody → Hanno Schlichting (hannosch)

Changed in zope2:
- milestone: none → 2.13.14

Changed in zope2:
- status: Confirmed → Fix Released
- information type: Public → Public Security
Thanks for the report: I wouldn't class it as a security vulnerability, but merely a failure to enforce the TALES spec:
http://wiki.zope.org/ZPT/TALESSpecification13