Possible Security Exposure re TALES Namespaces
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Zope 3 |
Fix Released
|
Medium
|
Christian Theune |
Bug Description
On page# 329 of Stephan's _Zope Developers Handbook_, an example is given of how to implement a new TALES namespace named "format:" so you can do:
<h1 tal:content=
However, the FormatTalesAPI class on that page, besides providing custom methods for the namespace, also has a method named "setEngine". This method is exposed in the TALES namespace, making it potentially possible to do:
<h1 tal:content=
Although this fails due to the need for an argument, there may be a way to forge one that I'm unaware of. The setEngine() method is particularly dangerous because it returns a locale object that has had its security proxy removed, making a non-wrapped object accessible from TAL.
I just wanted to bring this to the attention of those smarter than me, so they could evaluate whether the extra argument requirement of setEngine() is a sufficient security obstacle to abuse or not.
Changes: submitter email, importance (medium => critical), classification (issue => bug), new comment
We should really look at this.
The following expression works from a ZPT page:
tal:content= "python: path('nocall: context/ zope:__ class__ ').__bases_ _[0].__ subclasses_ _">
However, we are lucky and this does not work: "python: path('nocall: context/ zope:__ class__ ').__bases_ _[0]">
tal:content=
Do we really want that one can traversal adapters without restrictions?
I'd suspect this to be a bug. I didn't try superhard to find an
exploit for this, but you never know ...