Zope 3

Possible Security Exposure re TALES Namespaces

Bug #98323 reported by Jeff Rush
254
Affects Status Importance Assigned to Milestone
Zope 3
Fix Released
Medium
Christian Theune
Zope 3 3.3

Bug Description

On page# 329 of Stephan's _Zope Developers Handbook_, an example is given of how to implement a new TALES namespace named "format:" so you can do:

   <h1 tal:content="context/zope:modified/format:fullDateTime">

However, the FormatTalesAPI class on that page, besides providing custom methods for the namespace, also has a method named "setEngine". This method is exposed in the TALES namespace, making it potentially possible to do:

   <h1 tal:content="context/zope:modified/format:setEngine">

Although this fails due to the need for an argument, there may be a way to forge one that I'm unaware of. The setEngine() method is particularly dangerous because it returns a locale object that has had its security proxy removed, making a non-wrapped object accessible from TAL.

I just wanted to bring this to the attention of those smarter than me, so they could evaluate whether the extra argument requirement of setEngine() is a sufficient security obstacle to abuse or not.

Tags: bug security
Revision history for this message
Christian Theune (ctheune) wrote :

Changes: submitter email, importance (medium => critical), classification (issue => bug), new comment

We should really look at this.

The following expression works from a ZPT page:

tal:content="python:path('nocall:context/zope:__class__').__bases__[0].__subclasses__">

However, we are lucky and this does not work:
tal:content="python:path('nocall:context/zope:__class__').__bases__[0]">

Do we really want that one can traversal adapters without restrictions?

I'd suspect this to be a bug. I didn't try superhard to find an
exploit for this, but you never know ...

Revision history for this message
Christian Theune (ctheune) wrote :

Status: Pending => Accepted

 Supporters added: ctheune

Looking into it to fix it.

Revision history for this message
Christian Theune (ctheune) wrote :

I have a fix prepared for this. I thought about the issue a while and discussed this with Jim:

- We don't have to make this confidential (unhiding it now)

- It's security-related, but nothing that can be exploited. It therefore does neither justify an immediate bugfix releases nor an advisory.

The fix will go into Zope 3.3 and the trunk in a few minutes.

Revision history for this message
Jim Fulton (jim-zope) wrote :

Changes: edited transcript, importance (critical => 3.3 Release)

Revision history for this message
Christian Theune (ctheune) wrote :

Status: Accepted => Resolved

Fixed on Zope 3.3 and trunk branches.

Revision history for this message
Philipp von Weitershausen (philikon) wrote :

I dodn't see a fix on the 3.3 branch yet, just the trunk...

Revision history for this message
Christian Theune (ctheune) wrote :

You're right. I was interrupted while checking in and forgot to check. It's in there now.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.