PythonScripts attackable through encode()/decode() call
Bug #257276 reported by Andreas Jung
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Critical | Unassigned |
Bug Description
Reported by MA Lemburg on the <email address hidden> list:
A PythonScript containing
return 'foo'.encode(
can act as a denial-of-service attack since it executes all Python unit tests.
Affects: likely all released Zope versions where "untrusted" users have access to the ZMI/PythonScripts
Changed in zope2:
importance: Undecided → Critical
status: New → Confirmed
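The mechanism behind the report is that the codec search function derives a module name from whatever string is passed to encode() and imports it; if that import can reach outside the encodings package, str.encode becomes an arbitrary-import primitive, and importing a module that runs a test suite on import is the denial of service. The snippet above is truncated, so the exact argument is not shown. The following is an added example, written in Python 3 for this page; it is not the Zope monkey patch from rev 89727 and not the stdlib. It shows the guard a restricted-execution layer would put in front of codec lookup: normalize and alias the name the way the encodings package does, reject any module name that is empty or contains a dot, and only ever import from the encodings package. The names resolve_codec_module, safe_encode and MAX_NAME_LEN, and the length bound itself, are this example's own assumptions.

```python
"""Guarded codec lookup for a restricted-execution context (added example).

Not Zope's patch and not the Python stdlib: it mirrors the shape of the
encodings package search function and makes the safety checks explicit,
so that a hostile caller of str.encode(name) can never turn the lookup
into an import of a module outside the ``encodings`` package.
"""
import importlib

from encodings import normalize_encoding
from encodings.aliases import aliases

# Added assumption: real codec names are short. Bounding the length keeps
# a caller from feeding very large strings into normalize_encoding.
MAX_NAME_LEN = 64


def resolve_codec_module(encoding):
    """Return the encodings.* module name for `encoding`, or None if rejected.

    Rejected: non-str or empty names, over-long names, and any candidate
    module name containing a dot. A dotted name is exactly the shape that a
    permissive __import__ would resolve to an unrelated dotted package, so
    it is refused outright instead of being tried.
    """
    if not isinstance(encoding, str) or not encoding or len(encoding) > MAX_NAME_LEN:
        return None
    norm = normalize_encoding(encoding).lower()
    aliased = aliases.get(norm) or aliases.get(norm.replace('.', '_'))
    candidates = [aliased, norm] if aliased else [norm]
    for modname in candidates:
        if not modname or '.' in modname:
            continue
        try:
            # Always anchored in the encodings package: a dotless name of a
            # real top-level module (e.g. "os") still cannot be reached.
            importlib.import_module('encodings.' + modname)
        except ImportError:
            continue
        return modname
    return None


def safe_encode(text, encoding='utf-8', errors='strict'):
    """str.encode with the encoding name validated before any lookup runs.

    Raises LookupError for every name resolve_codec_module rejects, so the
    interpreter's own codec search never sees a hostile name.
    """
    if resolve_codec_module(encoding) is None:
        raise LookupError('encoding %r rejected by restricted codec lookup' % (encoding,))
    return text.encode(encoding, errors)


if __name__ == '__main__':
    for name in ('utf-8', 'UTF8', 'Latin-1', 'test.testall', 'os', '../evil', ''):
        print('%-14r -> %r' % (name, resolve_codec_module(name)))
```

Accepted names resolve to the module that would actually serve them ('UTF8' to utf_8 via the alias table); anything with a dot after normalization, anything that does not exist under encodings, and the empty string come back as None and make safe_encode raise LookupError before str.encode is reached.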
I created a monkey patch with the help of Philipp and MA Lemburg
http://svn.zope.org/Zope/trunk/?rev=89727&view=rev
NOTE:
# This code is taken from the encodings module of Python 2.4.
# Note that this code is originally (C) CNRI and it is possibly not compatible
# with the ZPL and therefore should not live within svn.zope.org. However this
# checkin is blessed by Jim Fulton for now. The fix is no longer required with
# Python 2.5 and hopefully fixed in Python 2.4.6 release.