[Zope] Security?

Casey Duncan casey at zope.com
Mon Dec 1 16:12:39 EST 2003


These Unauthorized errors (login boxes) are caused by trying to access objects from untrusted code that do not have any Zope security assertions on them.

TTW code (Python Scripts, DTML and Page Templates), including skins on the file system exposed through FS directory views, are untrusted code. They execute using a restricted Python interpreter which prevents access to arbitrary Python objects and modules that might represent a security hole (and allow you to compromise the server).

There are two solutions to your problem:

1. Use trusted code, which includes external methods and Zope product modules, and have them return simple types (strings, ints, etc) or simple containers (lists, dicts, tuples) containing simple types up to the template that is rendering the page. Simple types are deemed safe for untrusted code by default (along with some others, like DateTime objects).

2. Put security assertions on the objects used by untrusted code. This usually requires you to subclass the objects, but not always. See the Zope developers guide for details.

In most cases #1 is sufficient, unless there are many places where it is desirable for untrusted code to have access to the objects directly, in which case use #2.

hth,

-Casey
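The following is an added example illustrating solution #1 above; it is not code from the original thread or from the poster's product. It is plain Python 3 (the thread is about Python 2.1) and does not touch Zope: `ISLines`, `ISLine` and `DefLines` are constructed stand-ins for the poster's income-statement classes, assumed to hold a code, a description and an amount per line. The point it shows is the trusted-side wrapper (the shape an External Method takes) doing its work with real objects but handing back only lists, dicts and scalars, plus a check that nothing else leaked into the return value, since any custom instance reachable from the template is exactly what triggers the Unauthorized login box. For solution #2, Zope's own mechanism is `AccessControl.ClassSecurityInfo` declarations on the class (e.g. `security.declarePublic(...)`) followed by `InitializeClass`; that needs a running Zope and is not modelled here.

```python
"""Added example (not from the original post): solution #1, a trusted
wrapper that returns only simple types to untrusted (restricted) code.

ISLine / ISLines are constructed stand-ins for the poster's classes; the
real ones would query the database via mx.ODBC. No Zope import is needed.
"""

# Types Zope's restricted Python accepts without security assertions.
# (The reply also mentions DateTime; it is not modelled here.)
SIMPLE_SCALARS = (str, bytes, int, float, bool, type(None))


class ISLine:
    """Stand-in for one income-statement line object (constructed)."""

    def __init__(self, code, description, amount):
        self.code = code
        self.description = description
        self.amount = amount


class ISLines:
    """Stand-in for the poster's ISLines class (constructed sample data)."""

    def __init__(self):
        self.DefLines = [
            ISLine("4000", "Sales", 125000.0),
            ISLine("5000", "Cost of goods sold", -70000.0),
            ISLine("6000", "Operating expenses", -30000.0),
        ]


def is_simple(value):
    """True if `value` is built only from simple scalars and containers.

    A custom instance anywhere inside (even nested in a list) is what makes
    restricted code raise Unauthorized when the template touches it.
    """
    if isinstance(value, SIMPLE_SCALARS):
        return True
    if isinstance(value, dict):
        return all(is_simple(k) and is_simple(v) for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return all(is_simple(v) for v in value)
    return False


def GetISLines():
    """Trusted-side wrapper, shaped like an External Method body.

    Instead of returning the ISLines instance (which fails the moment the
    template reads `.DefLines`), flatten it into plain dicts and lists.
    """
    c = ISLines()
    lines = [
        {"code": line.code,
         "description": line.description,
         "amount": line.amount}
        for line in c.DefLines
    ]
    result = {
        "lines": lines,
        "total": sum(row["amount"] for row in lines),
    }
    # Guard: fail loudly on the trusted side rather than with a login box.
    if not is_simple(result):
        raise TypeError("wrapper must return only simple types")
    return result


if __name__ == "__main__":
    data = GetISLines()
    # Equivalent of tal:replace="python:len(here.GetISLines()['lines'])"
    print(len(data["lines"]), data["total"])
```

In a real Zope site the wrapper goes in `Extensions/`, is bound as an External Method, and the template then indexes into the returned dict and list with ordinary `python:` or path expressions. The `is_simple` guard is the useful habit: run it on whatever the wrapper returns during development so a stray object is caught in trusted code, where a traceback is possible, not in the template.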

On Mon, 1 Dec 2003 13:45:01 -0700
"Goldthwaite, Joe" <joe at goldthwaites.com> wrote:

> Well, I don't know if it's progress but I think my questions are getting
> more specific.
> 
> I downloaded the mx.ODBC routines for Python 2.1.3.  I can now start the
> python interpreter in the WebSite\bin directory and type "import mx.ODBC"
> without getting an error.
> 
> I next tried to create a limited python script;
> 
> from Products.EIS import ISLines
> c = ISLines()
> return "c"
> 
> I'm just returning the literal "c" on purpose because my page template can't
> handle the ISLines yet.  In my Income Statement ZPT I have this line;
> 
> <p tal:replace="python:here.IncomeStatementScript()"></p>
> 
> When I try to display the ZPT, I get the Zope logon dialog box.  I only have
> one login and it doesn't work so I just hit cancel and get "You are not
> allowed to access EIS in this context".  (I had placed the ISLines.py file
> in my Products/EIS directory.)
> 
> After that, I decided to try external modules.  I added this wrapper
> function to my ISLines.py module;
> 
> def GetISLines():
>    c = ISLines()
>    return "c"
> 
> Again, I put the literal "c" there to make sure I was calling things
> correctly.  I moved the ISLines.py file to the Extensions directory and
> created a GetISLines external method referencing the new function in Zope
> root folder.   I tested it and got the "c" back.  Next, I put this line in
> my IncomeStatement ZPT;
> 
> <p tal:replace="python:here.GetISLines()"></p>
> 
> When I test it, I get the "c" back.  Interestingly, there was also pause of
> about the amount of time it takes to run ISLines and build the Income
> Statement lines.  I thought I was almost there.  The next step was to return
> the actual object and print out the number of lines returned.  I modified
> the 'return "c"' line to 'return c'.  Now when I run it, I get "<? ISLines
> instance at 014879EC>" so I know I'm now returning my object.  Finally I try
> to reference my list of lines by printing the length like this;
> 
> <p tal:replace="python:len(here.GetISLines().DefLines)"></p>
> 
> Deflines is a list of income statement line objects. I go to refresh and I
> get the Logon dialog again!  #$%@ &@#% &^@$!!!!  Sorry, I don't usually use
> that kind of language but I seem to be shooting at the wrong target. It's no
> wonder I can't hit anything.
