DefaultPublishTraverse doesn't check for docstring on acquired methods
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Zope 2 | Fix Released | High | Tres Seaver | |
Bug Description
While investigating the Plone vulnerability which will be patched next Tuesday, the Plone security team also became aware of a security issue in the ZPublisher affecting Zope 2.10 and greater.
ZPublisher.
This means that if a method without security declarations is reached as foo/bar/callMe (where callMe is acquired from foo, and bar is acquired from some parent of foo), the method will be published even if it has no docstring. As an example exploit, in Plone the SearchableText index can be cleared from the catalog by hitting path/to/
I am attaching a patch against Zope 2.12 which fixes the issue by ensuring the docstring check takes place for acquired objects as well. There is a risk of this breaking code that relies on being able to redirect to an unprotected, undocstringed acquired method, but IMHO dealing with the security risk should take precedence over that concern. FWIW, I've been running this patch on a number of Plone sites for the past week and haven't identified any problems stemming from the patch.
The fix can't easily be applied as a hotfix (it would require monkeypatching DefaultPublishT
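To make the traversal gap concrete, the following is an added, self-contained model of the publishing rule the report discusses; it is not Zope's DefaultPublishTraverse or the attached patch. It uses a toy `Container` whose attribute lookup falls back to the enclosing containers of the traversal chain (a simplified stand-in for Zope acquisition), and a `publishable` rule that only lets callables with a docstring through. `traverse` takes a `check_acquired` flag: with it off, the docstring check is skipped for acquired objects (the behaviour the report describes); with it on, the check applies at every step. The site layout (`foo`, `bar`, `callMe`, `view`) is constructed to match the `foo/bar/callMe` example above.

```python
"""Toy model of 'publish a callable only if it has a docstring', with and
without the acquisition gap described in the bug report.  Added example,
not Zope code; the acquisition model is a deliberate simplification."""


class Container:
    """A toy content object holding named attributes (sub-objects or methods)."""

    def __init__(self, **attrs):
        self.attrs = attrs


def acquire(chain, name):
    """Look `name` up on the innermost object of the traversal chain, then on
    each enclosing container (the traversal chain acts as the acquisition
    context).  Returns (value, acquired) or raises KeyError."""
    for depth, obj in enumerate(reversed(chain)):
        if name in obj.attrs:
            return obj.attrs[name], depth > 0
    raise KeyError(name)


def publishable(obj):
    """The rule under discussion: non-callables traverse freely, callables are
    published only when they carry a docstring."""
    if not callable(obj):
        return True
    return bool(getattr(obj, "__doc__", None))


def traverse(root, path, check_acquired):
    """Resolve a URL path segment by segment.

    check_acquired=False reproduces the flaw: the docstring check is only
    applied to objects found directly on the current object.
    check_acquired=True applies it to every resolved object, acquired or not.
    Raises PermissionError when an unpublishable callable is reached.
    """
    chain = [root]
    segments = path.strip("/").split("/")
    for i, seg in enumerate(segments):
        value, acquired = acquire(chain, seg)
        if (check_acquired or not acquired) and not publishable(value):
            raise PermissionError(f"{seg!r} has no docstring and is not published")
        if isinstance(value, Container):
            chain.append(value)
        elif i != len(segments) - 1:
            raise KeyError(f"cannot traverse through {seg!r}")
        else:
            return value
    return chain[-1]


def is_published(root, path, check_acquired):
    """Convenience wrapper: True if the path resolves to a published object."""
    try:
        traverse(root, path, check_acquired)
        return True
    except PermissionError:
        return False


def build_site():
    """Constructed sample site mirroring the report's foo/bar/callMe example:
    bar lives on the root, callMe (no docstring) and view live on foo."""

    def view():
        """A documented, intentionally public method."""
        return "page"

    def callMe():  # no docstring: not meant to be reachable from the web
        return "side effect performed"

    return Container(bar=Container(), foo=Container(callMe=callMe, view=view))


if __name__ == "__main__":
    site = build_site()
    # Direct access is refused either way; the acquired route is the difference.
    print("foo/callMe, flaw present :", is_published(site, "foo/callMe", False))
    print("foo/bar/callMe, flaw present :", is_published(site, "foo/bar/callMe", False))
    print("foo/bar/callMe, fixed :", is_published(site, "foo/bar/callMe", True))
    print("foo/view, fixed :", is_published(site, "foo/view", True))
```

Run directly, the script shows that `foo/callMe` is refused in both modes, while `foo/bar/callMe` reaches the undocumented method only when the acquired step skips the check, which is exactly the condition the patch removes.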
Changed in zope2:
- assignee: nobody → Tres Seaver (tseaver)
- status: New → Confirmed

Changed in zope2:
- milestone: none → 2.12.15
- status: Confirmed → Fix Released
- visibility: private → public
This patch adds a test which fails without David's fix, and succeeds with it.