You are not logged in Log in Join
You are here: Home » Download Zope Products » Zope » Hotfix_2000-10-11 » Zope hotfix: ObjectManager subscripting

Log in
Name

Password

 

Zope hotfix: ObjectManager subscripting

This hotfix addresses an important security issue that affects Zope versions up to and including Zope 2.2.2.

The issue involves the fact that the subscript notation that can be used to access items of ObjectManagers (Folders) did not correctly restrict return values to only actual sub items. This made it possible to access names that should be private from DTML (objects with names beginning with the underscore _ character). This could allow DTML authors to see private implementation data structures and in certain cases possibly call methods that they shouldn't have access to from DTML.

While we know of no instances of this issue being used to exploit a site, we recommend that any Zope 2.2.x site that allows DTML to be edited by untrusted users apply this Hotfix.

README

http://www.zope.org/Products/Zope/Hotfix_2000-10-11/Hotfix_2000-10-11.tgz

The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading.