Zope 2

TALES: Non-simple path expressions may be evaluated in a string expression

Bug #1002242 reported by Richard Mitchell
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Zope 2
Fix Released
Undecided
Hanno Schlichting
Zope 2 2.13.14
zope.tales
Fix Released
Undecided
Tres Seaver

Bug Description

Prudently, TALES string expressions attempt to prevent use of non-simple path expressions in their interpolated expressions. The regular expression used to detect this is flawed, and non-simple path expressions may be inserted simply by prefixing the path with a subpath which evaluates to False or raises an exception. For example:

string:foo ${python:bar} baz

would raise a compiler error;

string:foo ${nothing/nothing|python:bar} baz

would not, but would yield the same expected result.

The definition of the _interp regular expression in zope.tales.expressions could be improved like so to prevent this:

_interp = re.compile(r'\$(%(n)s)|\${(%(n)s(?:/[^}|]*)*(?:\|%(n)s(?:/[^}|]*)*)*)}' % {'n': NAME_RE})

>>> _interp.findall('$spam ham ${eggs} ${foo/bar} ${waldo/plugh|corge} ${python:qux} ${xyzzy|python:quux} ${fred/thud|python:grault|not:garply}')
[('spam', ''), ('', 'eggs'), ('', 'foo/bar'), ('', 'waldo/plugh|corge')]

Not sure if this is strictly a security bug, but reporting it as one just in case.

Revision history for this message
Tres Seaver (tseaver) wrote :

Thanks for the report: I wouldn't class it as a security vulnerability, but
merely a failure to enforce the TALES spec:

 http://wiki.zope.org/ZPT/TALESSpecification13

Changed in zope.tales:
assignee: nobody → Tres Seaver (tseaver)
status: New → Confirmed
security vulnerability: yes → no
visibility: private → public
Revision history for this message
Tres Seaver (tseaver) wrote :

Now fixed in version 3.5.2:

 http://pypi.python.org/pypi/zope.tales/3.5.2

A Zope 2.12-compatible 3.4.1 release is also available:

 http://pypi.python.org/pypi/zope.tales/3.4.1

Changed in zope.tales:
status: Confirmed → Fix Released
Hanno Schlichting (hannosch)
Changed in zope2:
status: New → Confirmed
assignee: nobody → Hanno Schlichting (hannosch)
Hanno Schlichting (hannosch)
Changed in zope2:
milestone: none → 2.13.14
Revision history for this message
Richard Mitchell (mitchellrj) wrote :

It may be worth mentioning to the Plone framework team that this fix breaks some standard Plone pages, for example the folder listing page.

Hanno Schlichting (hannosch)
Changed in zope2:
status: Confirmed → Fix Released
Revision history for this message
Ian Livingstone (6-contactme-l) wrote :

I've just installed the fixed version of zope.tales 3.5.2 from (http://pypi.python.org/pypi/zope.tales) but I still get a 'Compilation Failed' error when attempting to save the following :

<p tal:content="string:this template (${container/getId}) should compile even though this next expression is ${here/erroneous | string:correct}"/>

To get the template to compile I would have to change that to read :

<p tal:define="c1 container/getId; c2 here/erroneous | string:correct;" tal:content="string:this template :($c1) should compile even though this next expression is $c2"/>

However, I would really love to not have to go through ALL of my templates to rewrite these tales definitions and expressions so if anyone has found a fix to this problem (and can explain how to implement it) that would be amazing!

Revision history for this message
Richard Mitchell (mitchellrj) wrote :

I'm afraid that this behaviour is as it should be.

It's possible that conversion of your current templates with the changes you suggest could be scripted.

Revision history for this message
Ian Livingstone (6-contactme-l) wrote :

This syntax didn't cause compilation errors (and worked perfectly well) in the previous versions of zope that I've used running up to zope 2.13.10.

It's also how it's documented in wiki.zope.org ; e.g. in their example you're shown the correct syntax should be as follows :
<a tal:attributes="href string:${context/absolute_url}/foo"> Foo </a>

as taken from :
http://wiki.zope.org/zope2/PageTemplateStyleGuide

Revision history for this message
Richard Mitchell (mitchellrj) wrote :

Hi Ian,

This was broken in previous versions of Zope. The documentation at http://wiki.zope.org/ZPT/TALESSpecification13 and indeed the comments in the code clearly show that string expressions should not contain any subexpressions, other than simple paths.

The wiki page you point to does show the correct syntax. The issue here is that one cannot use a "string:" subexpression within a string.

${context/absolute_url} is fine.
${context/absolute_url|string:foo} is not.

I hope this clears up any confusion.

Revision history for this message
Ian Livingstone (6-contactme-l) wrote :

Ah... I see now. Thanks for clearing that up for me - much appreciated...
(although its going to be extremely frustrating to have to back track through all my templates to tweak the syntax).

Hanno Schlichting (hannosch)
information type: Public → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.