DefaultPublishTraverse doesn't check for docstring on acquired methods

Bug #713253 reported by David Glick
Affects: Zope 2
Status: Fix Released
Importance: High
Assigned to: Tres Seaver
Milestone: 2.12.15

Bug Description

While investigating the Plone vulnerability which will be patched next Tuesday, the Plone security team also became aware of a security issue in the ZPublisher affecting Zope 2.10 and greater.

ZPublisher.BaseRequest.DefaultPublishTraverse.publishTraverse contains a check to make sure that the traversed object has a docstring. Objects without a docstring are Forbidden (unless they were found by view lookup). However, there is a path through publishTraverse where this check is not performed, if the traversed object was found as an acquired attribute.

This means that if a method without security declarations is reached as foo/bar/callMe (where callMe is acquired from foo, and bar is acquired from some parent of foo), the method will be published even if it has no docstring. As an example exploit, in Plone the SearchableText index can be cleared from the catalog by hitting path/to/Plone/portal_catalog/Plone/clearIndex?name=SearchableText as an unauthenticated user.

I am attaching a patch against Zope 2.12 which fixes the issue by ensuring the docstring check takes place for acquired objects as well. There is a risk of this breaking code that relies on being able to redirect to an unprotected, undocstringed acquired method, but IMHO dealing with the security risk should take precedence over that concern. FWIW, I've been running this patch on a number of Plone sites for the past week and haven't identified any problems stemming from the patch.

The fix can't easily be applied as a hotfix (it would require monkeypatching DefaultPublishTraverse.publishTraverse AFAICT), so it would be nice to have new releases in the 2.10, 2.11, 2.12, and 2.13 series incorporating the fix.
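As an added illustration for readers of this report (not code from the report, from the attached patch, or from Zope itself), the following Python models the two traversal shapes the description above contrasts: a toy implicit-acquisition wrapper, a `traverse_vulnerable` that returns an acquired attribute before the docstring check runs, and a `traverse_fixed` in which both lookup branches fall through to the check. The site layout (`App`, `PloneSite`, `Catalog`), the `clearIndex` body and the `outcome` helper are constructed here to mirror the example URL; the real publisher's view lookup, key access and `__bobo_traverse__` handling are omitted.

```python
# Illustrative model of the traversal flaw described above; not Zope code.
_MISSING = object()

class Forbidden(Exception):
    """Raised when the publisher refuses to publish an object."""

class Wrapper:
    """Toy implicit-acquisition wrapper: an object plus the context it was
    reached through. Lookups that miss on the object continue up the chain."""

    def __init__(self, obj, context=None):
        self.obj = obj
        self.context = context

def aq_base(w):
    """Strip the wrapper and return the underlying object."""
    return w.obj if isinstance(w, Wrapper) else w

def aq_acquire(w, name):
    """Search the object, then each context in turn. The hit is wrapped in
    the context of the object it was looked up on (the object it was
    acquired *through*), so later lookups still see that chain."""
    cur = w
    while cur is not None:
        val = getattr(aq_base(cur), name, _MISSING)
        if val is not _MISSING:
            return Wrapper(val, w)
        cur = cur.context
    raise KeyError(name)

def check_docstring(parent, sub, name):
    """Refuse objects with no docstring unless the parent supplies a
    'name__doc__' pseudo-docstring (the rule the report refers to)."""
    doc = getattr(aq_base(sub), "__doc__", None)
    if doc is None:
        doc = getattr(aq_base(parent), "%s__doc__" % name, None)
    if not doc:
        raise Forbidden("no docstring for %r" % name)

def traverse_vulnerable(obj, name):
    """Pre-fix shape: an acquired attribute is returned before the check.
    (View lookup and key access from the real publisher are omitted.)"""
    if name.startswith("_"):
        raise Forbidden("underscore name %r" % name)
    if hasattr(aq_base(obj), name):
        sub = Wrapper(getattr(aq_base(obj), name), obj)
    else:
        return aq_acquire(obj, name)  # early return: the check never runs
    check_docstring(obj, sub, name)
    return sub

def traverse_fixed(obj, name):
    """Post-fix shape: both branches fall through to the docstring check."""
    if name.startswith("_"):
        raise Forbidden("underscore name %r" % name)
    if hasattr(aq_base(obj), name):
        sub = Wrapper(getattr(aq_base(obj), name), obj)
    else:
        sub = aq_acquire(obj, name)
    check_docstring(obj, sub, name)
    return sub

def publish_path(root, path, traverse):
    """Walk a URL path one segment at a time; return the unwrapped target."""
    obj = root
    for name in path.strip("/").split("/"):
        obj = traverse(obj, name)
    return aq_base(obj)

# Constructed site layout mirroring the report's example URL.
class App:
    """Root application object."""

class PloneSite:
    """Plone site."""

class Catalog:
    """Portal catalog."""

    def clearIndex(self, name):
        # Deliberately undocstringed: must not be reachable from a URL.
        return "cleared %s" % name

APP = App()
APP.Plone = PloneSite()
APP.Plone.portal_catalog = Catalog()
ROOT = Wrapper(APP)

def outcome(path, traverse):
    """'published' or 'forbidden' for a path under the given traversal."""
    try:
        publish_path(ROOT, path, traverse)
    except Forbidden:
        return "forbidden"
    return "published"
```

With this model, `outcome("Plone/portal_catalog/clearIndex", traverse_vulnerable)` is `forbidden` because the direct lookup reaches the check, while `outcome("Plone/portal_catalog/Plone/clearIndex", traverse_vulnerable)` is `published`: the trailing `Plone` is acquired from the root, its wrapper keeps `portal_catalog` as context, and `clearIndex` is then acquired from that context and returned without ever being checked. Under `traverse_fixed` the same path is `forbidden`.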

David Glick (davisagli) wrote:
Tres Seaver (tseaver)
Changed in zope2:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
Tres Seaver (tseaver) wrote:

This patch adds a test which fails without David's fix, and succeeds with it.

Matthew Wilkes (matthew-matthewwilkes) wrote:

Hi,

Has anyone got a CVE for this yet? I can ask for one, but it will take a few days.

Matt

Changed in zope2:
milestone: none → 2.12.15
status: Confirmed → Fix Released
visibility: private → public