Comment 2 for bug 490514

Tres Seaver (tseaver) wrote : Re: [zope2-tracker] [Bug 490514] Re: XSS Vulnerability in ZMI

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steven L Smith wrote:
> ** Attachment added: "Screenshot of the problem"
> http://launchpadlibrarian.net/36268764/xss_in_zope.jpg
>
> ** Visibility changed to: Public
>

 status confirmed
 assigned tseaver

This bug is not actually present in the default ZMI, where the
views are all implemented as DTMLFiles. Rather, it shows up in
add-on product code (such as GenericSetup) which uses
PageTemplateFiles for the ZMI, but calls into the existing DTML
header and footer templates so::

  <h1 tal:replace="structure here/manage_page_header">HEADER</h1>
  <h1 tal:replace="structure here/manage_tabs">TABS</h1>
  ...
  <h1 tal:replace="structure here/manage_page_footer">FOOTER</h1>

In this case, the code in the call_with_ns function (in
Products.PageTemplates.ZRPythonExpr) fails to ensure that "tainting"
is preserved.

The attached patch adds a test for this case and fixes the bug. I plan
to check the patch in on the 2.10, 2.11, and 2.12 branches and on the trunk.

Tres.
- --
===================================================================
Tres Seaver +1 540-429-0999 <email address hidden>
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksUUGoACgkQ+gerLs4ltQ7OzQCbBZ/WTM0C5kfRmEnYzxnIu4ns
Bd4AoNtahkj6k9Xek1De5H51HmCN2cux
=yIGq
-----END PGP SIGNATURE-----
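The comment above describes a taint-tracking failure: request values that Zope marks as tainted (and that DTML would therefore HTML-quote on output) lose that marking when a page template hands its namespace to a DTML template through call_with_ns, so the DTML header renders them raw. The following is an added illustration of that mechanism, not Zope's code and not the attached patch. TaintedString, taint_request_value, render_dtml_header and the two bridge functions are constructed stand-ins; in particular, the lossy bridge models the defect as a str() conversion of the namespace values, which is an assumption made for the example rather than a description of the real ZRPythonExpr code.

```python
import html


class TaintedString:
    """Constructed model of a taint-carrying string.

    Not Zope's AccessControl.tainted.TaintedString; it only shows the
    property that matters here: the value remembers it came from the
    client until something converts it to a plain str.
    """

    def __init__(self, value):
        self._value = value

    def __str__(self):
        # Converting to a plain str is exactly where the taint is lost.
        return self._value

    def quoted(self):
        # What a taint-aware renderer emits instead of the raw value.
        return html.escape(self._value, quote=True)

    def __repr__(self):
        return "TaintedString(%r)" % (self._value,)


def taint_request_value(raw):
    """Model of the request layer: client input containing '<' is tainted."""
    return TaintedString(raw) if "<" in raw else raw


def render_dtml_header(ns):
    """Toy DTML header: escapes tainted values, passes plain str through."""
    title = ns["title"]
    if isinstance(title, TaintedString):
        title = title.quoted()
    return "<h1>%s</h1>" % (title,)


def call_with_ns_lossy(template, ns):
    """Assumed-buggy bridge: rebuilds the namespace with str() and so drops
    the taint wrapper before the DTML template sees the values."""
    return template({name: str(value) for name, value in ns.items()})


def call_with_ns_preserving(template, ns):
    """Fixed bridge: copies the namespace without converting values, so a
    TaintedString reaches the DTML template intact and gets quoted."""
    return template(dict(ns))


def render_page(bridge, raw_title):
    """Run one request value through a bridge into the toy DTML header."""
    ns = {"title": taint_request_value(raw_title)}
    return bridge(render_dtml_header, ns)


def taint_survives_bridge(bridge):
    """Regression check in the spirit of the test the comment mentions:
    a tainted value must come out of the bridge still escaped."""
    return "<b>" not in render_page(bridge, "<b>x</b>")


if __name__ == "__main__":
    sample = "<b>x</b>"  # constructed client input, not a real request
    print("lossy bridge:     ", render_page(call_with_ns_lossy, sample))
    print("preserving bridge:", render_page(call_with_ns_preserving, sample))
    print("taint survives lossy?     ", taint_survives_bridge(call_with_ns_lossy))
    print("taint survives preserving?", taint_survives_bridge(call_with_ns_preserving))
```

The point of taint_survives_bridge is the shape of the regression test: rather than checking the bridge's return type, it pushes a marked value through the whole path and asserts on the rendered output, which is the only place the loss of tainting is observable.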