[Zope-dev] Re: Unsecure design of ExternalFile

sean.upton@uniontrib.com sean.upton@uniontrib.com
Thu, 07 Nov 2002 09:40:20 -0800


I'm not familiar with ExternalFile, but likely plan to use it in the future.
I think a list of expressly permitted directory locations (including all
subdirectories) might be more secure.  You can't go wrong with a default
directory for files (perhaps $INSTANCE_HOME/var/files or something?), but
otherwise an implicit deny all - then leave it up to the user to edit some
access list file in the product (for example, call it 'diraccess.txt').
Does this seem reasonable?

Sean

-----Original Message-----
From: Craeg K Strong [mailto:cstrong@arielpartners.com]
Sent: Thursday, November 07, 2002 8:25 AM
To: Jonagustine Lim
Cc: support@arielpartners.com; zope-dev@zope.org
Subject: [Zope-dev] Re: Unsecure design of ExternalFile


Yikes!  Scary stuff.

However, here are some things to consider:

a) ExternalFile advertises itself as being a developers/
content authors tool, not really for production.
Of course, most folks end up using it for production,
anyway... ;-)

b) Once created, an ExternalFile cannot be retargetted
to point to another file in the file system

c) The permission to create an ExternalFile instance is
different than the permission to edit one.  The permission to
create an ExternalFile instance should be assigned
judiciously...

d) the Zope server should be run as a user that has very
limited permissions.

e) Even if a user *does* have permission to edit
an ExternalFile, they only have whatever permission the
user running the Zope server has.  If the Zope user
(usually "webserver" or something like that) does not
have permission to write to /etc/passwd, it doesn't matter
if you create an ExternalFile pointing to it, you still
can't write to it...

However, the points you raise are valid, as they are
Zope-specific, and the zope user "webserver" *would*
probably have permission to do your (1) and (2) examples.

What would you recommend?  Perhaps there should be
a predefined list of "forbidden" directories for ExternalFiles?
The problem is that-- in the development scenario-- the
very things you mention below might be what you
legitimately *want* to do as a developer.

Well, thanks for pointing this out.  Let's continue
the conversation a bit, perhaps a good solution will
reveal itself (even if it is only some kind of warning
in the documentation...)

Regards,

--Craeg

PS I am CC-ing the zope-dev mailing list, as I think this
warrants a wider audience

Jonagustine Lim wrote:
> Hi!
> 
> I just noticed that it's possible to create or replace
> any files in the filesystem using the ZMI with
> ExternalFile installed.
> 
> Possible exploits:
> 
> 1. Use ExternalFile web interface to replace Zope
> Data.fs
> 
> 2. Create a .py file in /Zope/Extensions and run it by
> creating an Extenal Method.
> 
> Anyway, I hope you can fix this or put a warning up.
> 
> Jon
> 


_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )