[Zope-dev] [zope2] Help needed with security checks and add views

Hanno Schlichting hanno at hannosch.eu
Thu Jul 8 07:21:36 EDT 2010


Hi.

As a reminder: If nobody is able to help with this, I'll disable the
insecure view registration in Zope2 and release new versions Tuesday
13th.

From my understanding of the code, Zope 2 itself is not vulnerable, as
there are no registrations for IFactory utilities included. But in any
system that has such registrations, anonymous users should be able to
create any such content item in any location.

Hanno

On Sat, Jun 26, 2010 at 6:24 PM, Hanno Schlichting <hanno at hannosch.eu> wrote:
> recently MJ opened a security related bug and disclosed it to the
> public at https://bugs.launchpad.net/zope2/+bug/578326.
>
> In short Zope 2 never supported the permission attribute on ZCML
> browser:view declarations. It seems some people might have specified
> this attribute and assumed it would do something.
>
> I have added a warning message to Zope 2 (trunk + 2.12 branch) which
> warns about those cases. This is similar to how we handle other such
> cases like the unsupported <require set_schema=".." /> and <require
> set_attributes="..." /> on class directives.
>
> But it turns out that Zope 2 itself is using this in one place, that
> looks like it ought to have a security declaration. The
> Products.Five.adding.ContentAdding class registered as an add view
> ("+") has no working security declarations I can see, and only has
> such a non-functioning permission="zope2.ViewManagementScreens" set.
> I'm not familiar enough with the add view concept to understand what
> this is doing. It also looks like both CMF and Plone use similar
> registrations for their add views.
>
> Ideally I'd love to add support for the permission attribute, as
> clearly people have been using it. But if there's nobody who can
> figure out how to do that, I'd at least like to clarify the add view
> case.
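To make the registration shape discussed in the thread concrete, here is an added ZCML example; it is not code from the thread or from Zope, Five, CMF or Plone. The directive names, the add view name "+" and the permission id zope2.ViewManagementScreens come from the message above; the class path .example.ExampleContentAdding is a hypothetical placeholder. The claim that the permission attribute on browser:view is not enforced by Zope 2 is the thread's; that browser:page in Products.Five does enforce its permission attribute through Zope 2's own security machinery is my own addition from the Five implementation of that directive.

```xml
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">

  <!-- Registration in the shape the thread describes (hypothetical class path).
       In Zope 2 the permission attribute on browser:view is NOT enforced:
       it only feeds the zope.security checker machinery, which Zope 2 never
       consults, so the view is reachable regardless of the permission named
       here. Zope 2 trunk and the 2.12 branch now log a warning for this. -->
  <browser:view
      for="*"
      name="+"
      class=".example.ExampleContentAdding"
      permission="zope2.ViewManagementScreens"
      />

  <!-- Same view registered with browser:page. Products.Five turns the
       permission attribute of this directive into Zope 2 security
       declarations on the view class, so here the permission actually
       gates access to the view and to its public attributes. -->
  <browser:page
      for="*"
      name="+"
      class=".example.ExampleContentAdding"
      permission="zope2.ViewManagementScreens"
      />

</configure>
```

A practical audit for a deployment is to grep its ZCML for browser:view directives that carry a permission attribute and, for each one, confirm that the view class either has a working Zope 2 security declaration of its own or is registered through a directive whose permission attribute Zope 2 honors; a permission attribute on browser:view alone provides no protection.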
