PythonScripts attackable through encode()/decode() call

Bug #257276 reported by Andreas Jung
Affects: Zope 2 | Status: Fix Released | Importance: Critical | Assigned to: Unassigned | Milestone: -

Bug Description

Reported by M.-A. Lemburg on the <email address hidden> list:

A PythonScript containing

return 'foo'.encode('test.testall')

can act as a denial-of-service attack since it executes all Python unittests.

Affects: likely all released Zope versions where "untrusted" users
have access to the ZMI/PythonScripts

Andreas Jung (ajung)
Changed in zope2:
importance: Undecided → Critical
status: New → Confirmed
Andreas Jung (ajung) wrote :

I created a monkey patch with the help of Philipp and MA Lemburg

http://svn.zope.org/Zope/trunk/?rev=89727&view=rev

NOTE:

# This code is taken from the encodings module of Python 2.4.
# Note that this code is originally (C) CNRI and it is possibly not compatible
# with the ZPL and therefore should not live within svn.zope.org. However this
# checkin is blessed by Jim Fulton for now. The fix is no longer required with
# Python 2.5 and hopefully fixed in Python 2.4.6 release.

M.-A. Lemburg (mal-egenix) wrote :

Thanks for creating the patch.

Note that it is unlikely that Python 2.4.6 will fix this problem, since it was actually a feature in Python 2.0-2.4 that allowed user-written codec packages to be easily added to Python.

Due to the possible security implications, we decided to remove this feature again in Python 2.5 and instead point programmers to register their own codec search functions.

Maurits van Rees (maurits-vanrees) wrote :

For the record, when I make a python script with only the mentioned line, I just get an error:

  LookupError: unknown encoding: test.testall

That is *without* the hotfix installed. So this part of the security problem will not occur everywhere it seems. Tried in Zope 2.10 and 2.11.

That's on Ubuntu gutsy with the system python:
Python 2.4.4 (#2, Jul 31 2008, 23:57:57)
[GCC 4.1.3 20070929 (prerelease) (Ubuntu 4.1.2-16ubuntu2)] on linux2

I can reproduce the other security problem; hotfix works for me. Thanks!

Andreas Jung (ajung) wrote :
Changed in zope2:
status: Confirmed → Fix Released
Gael Le Mignot (gael-pilotsystems) wrote :

The Hotfix breaks our Zope 2.7 (running with Python 2.3). This is because _aliases doesn't exist on Python 2.3.

In general, it's a very bad idea to copy/paste the code when doing a monkey-patch; calling the old function back after doing your checks (or after mangling the input, or before mangling the output, depending on your needs) is much less prone to break with different versions.

Here is the modified __init__.py we use on our Zope 2.7. It may not be as complete as the original one, but at least it works.
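The wrap-instead-of-copy approach Gael describes above, together with the "register your own codec search function" route M.-A. Lemburg points to, as an added example that is not the Zope hotfix's own code and not Gael's attachment: a guard that validates the codec name and otherwise delegates, unchanged, to the interpreter's original encodings.search_function, so aliases, normalisation and the codec cache keep working whatever version of encodings/__init__.py is underneath. The regular expression, the delegated_calls counter, lookup_or_none(), registry_lookup_name() and install() are this example's own constructions; install() depends on codecs.unregister(), which only exists from Python 3.10, and the block as written runs on Python 3.

```python
"""Guard-then-delegate wrapper around the interpreter's codec search function.

Added example (not the Zope hotfix). Rather than copying the stdlib's
encodings/__init__.py, which is what broke on Python 2.3 where
encodings._aliases does not exist, the wrapper checks the codec name and
then calls the original search function, re-implementing none of its logic.
"""
import codecs
import encodings
import re

# Assumption of this example: legitimate codec names consist of letters,
# digits, '_' and '-' only (utf-8, iso8859_15, cp1252, ...).  A dot is the
# tell-tale of a name that an old search function could try to import as a
# module path, so it never reaches the delegate.
_SAFE_CODEC_NAME = re.compile(r"^[A-Za-z0-9_\-]+$")

# Reference to the interpreter's own search function; we only wrap it.
_original_search_function = encodings.search_function

# Constructed counter so the behaviour is observable: how many lookups were
# actually passed through to the original search function.
delegated_calls = {"count": 0}


def guarded_search_function(encoding):
    """Codec search function: reject suspicious names, else delegate.

    Returning None tells codecs.lookup() that this search function does not
    know the codec, which ends in the same LookupError an unknown encoding
    gets.  Nothing is imported for a rejected name.
    """
    if not isinstance(encoding, str) or not _SAFE_CODEC_NAME.match(encoding):
        return None
    delegated_calls["count"] += 1
    return _original_search_function(encoding)


def lookup_or_none(encoding):
    """Resolve a codec through the guard; None where lookup would fail."""
    info = guarded_search_function(encoding)
    return info.name if info is not None else None


def registry_lookup_name(encoding):
    """codecs.lookup() through the live registry; None where it raises."""
    try:
        return codecs.lookup(encoding).name
    except LookupError:
        return None


def install():
    """Swap the guarded function into the interpreter's codec registry.

    codecs.unregister() exists from Python 3.10 and also clears the codec
    cache, so previously cached lookups go through the guard afterwards.
    On older interpreters the registry is left alone and only the helpers
    above are guarded.  Returns True when the swap was performed.
    """
    if not hasattr(codecs, "unregister"):
        return False
    codecs.unregister(_original_search_function)
    codecs.register(guarded_search_function)
    return True


if __name__ == "__main__":
    print(lookup_or_none("utf-8"))         # utf-8
    print(lookup_or_none("latin1"))        # iso8859-1, alias resolved by the delegate
    print(lookup_or_none("test.testall"))  # None, rejected before any import
    print("delegated:", delegated_calls["count"])  # 2
```

The allowlist is deliberately stricter than Python's own normalisation (for instance "utf 8" with a space is rejected although the stdlib accepts it), so widen the pattern to whatever names the deployment legitimately uses rather than weakening the check to accept dots.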

Andreas Jung (ajung) wrote :

The Python 2.3 compatibility issue has been resolved in V 1.1 of the hotfix. Please triple check.
