
Re: [Cheetahtemplate-discuss] Security hole in Cheetah?

  • Tavis Rudd
    Message 1 of 26, Apr 19, 2005
      I'm going to remove the temp files completely this week. It's been a high
      priority item on the TODO list for a long time now.
      Tavis
      On Tuesday 19 April 2005 09:49, Scott Sanders wrote:
      > I would say the real solution is not to use tmp files at all, since
      > there has been suggested a way to do without it.
      >
      > Scott
      >
      > On Apr 19, 2005, at 8:51 AM, Ian Bicking wrote:
      > > Brian Bird wrote:
      > >> As a short-term workaround, is there any way to change the directory
      > >> which
      > >> Cheetah uses for temporary files?
      > >> If this can be done I can restrict who has access to that directory to
      > >> reduce the chance of someone putting a broken module there.
      > >> If there's no configuration option for this can someone point me in
      > >> the
      > >> right direction for which source files to look at so I can change it?
      > >> This
      > >> is quite important for our project since security is high on the list.
      > >
      > > A configurable temporary directory would help, I'd think, and if you
      > > want to ensure security you could give an error message if the
      > > permissions aren't correct. Would it also be possible to use tmpfile
      > > (http://python.org/doc/current/lib/os-newstreams.html) -- it's secure
      > > and I believe you just have to hand an open file object to the import
      > > routines, so this won't allow multiple-process caching of the compiled
      > > code, but it does allow in-process caching. Though... is there any
      > > benefit to in-process caching?
      > >
      > > --
      > > Ian Bicking / ianb@... / http://blog.ianbicking.org
      > >
      > >
      > > -------------------------------------------------------
      > > This SF.Net email is sponsored by: New Crystal Reports XI.
      > > Version 11 adds new functionality designed to reduce time involved in
      > > creating, integrating, and deploying reporting solutions. Free runtime
      > > info,
      > > new features, or free trial, at:
      > > http://www.businessobjects.com/devxi/728
      > > _______________________________________________
      > > Cheetahtemplate-discuss mailing list
      > > Cheetahtemplate-discuss@...
      > > https://lists.sourceforge.net/lists/listinfo/cheetahtemplate-discuss
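The two remedies discussed above (a cache directory whose permissions are checked before compiled code is loaded from it, and compiling with no temp file at all), as an added example in Python 3 that is not Cheetah's own code. The generate_source() stand-in compiler, the function and module names, and the sample template are assumptions.

```python
"""Defensive patterns for the temp-file problem discussed in this thread.

Added example, not Cheetah's own code. check_private_dir() is the permission
check Ian Bicking suggests: refuse a cache directory another local user
could write to before loading any compiled module from it.
compile_in_memory() is the "no tmp files at all" approach: build the
generated module in-process with exec() instead of writing a .py file to a
shared directory and importing it. generate_source() is a stand-in for
Cheetah's compiler that handles only $name placeholders; all names here
are assumptions.
"""
import os
import re
import shutil
import stat
import tempfile
import types


class InsecureDirectory(Exception):
    """Raised when a directory is not safe to load generated code from."""


def check_private_dir(path, uid=None):
    """Return True if `path` is a real directory owned by `uid` (default:
    the current user) that neither group nor others can write to; raise
    InsecureDirectory otherwise. os.lstat() means a symlink planted at
    `path` is rejected rather than followed. /tmp itself fails the check
    too: it is world-writable, so anyone could drop a module there."""
    if uid is None:
        uid = os.getuid()
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise InsecureDirectory("%s is a symlink" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise InsecureDirectory("%s is not a directory" % path)
    if st.st_uid != uid:
        raise InsecureDirectory("%s is owned by uid %d, not %d"
                                % (path, st.st_uid, uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise InsecureDirectory("%s is group- or world-writable" % path)
    return True


PLACEHOLDER = re.compile(r"\$(\w+)")


def generate_source(template_text):
    """Turn template text into the source of a render(ns) function in which
    each $name becomes a lookup in the namespace dict ns. Stand-in compiler:
    it knows nothing of Cheetah's #directives or searchList."""
    parts = []
    pos = 0
    for m in PLACEHOLDER.finditer(template_text):
        parts.append(repr(template_text[pos:m.start()]))
        parts.append("str(ns[%r])" % m.group(1))
        pos = m.end()
    parts.append(repr(template_text[pos:]))
    return "def render(ns):\n    return " + " + ".join(parts) + "\n"


def compile_in_memory(template_text, module_name="generated_template"):
    """Build the generated module without touching the filesystem: the
    source is compiled and exec'd into a fresh module object, so there is
    no file in a shared temp directory for anyone to replace between the
    write and the import."""
    source = generate_source(template_text)
    module = types.ModuleType(module_name)
    code = compile(source, "<template %s>" % module_name, "exec")
    exec(code, module.__dict__)
    return module


def demo():
    """Create a private cache directory and a group-writable one under a
    fresh temp dir, run the check on both, then render a template compiled
    purely in memory. Returns (private_accepted, shared_rejected, output)."""
    base = tempfile.mkdtemp()
    try:
        private = os.path.join(base, "private")
        shared = os.path.join(base, "shared")
        os.mkdir(private)
        os.mkdir(shared)
        os.chmod(private, 0o700)  # explicit: mkdir's mode is masked by umask
        os.chmod(shared, 0o775)   # group-writable: unsafe to load code from
        accepted = check_private_dir(private)
        try:
            check_private_dir(shared)
            rejected = False
        except InsecureDirectory:
            rejected = True
    finally:
        shutil.rmtree(base)
    # constructed sample template, in the spirit of the thread's "$test"
    module = compile_in_memory("Hello $name, you have $count messages\n")
    return accepted, rejected, module.render({"name": "Brian", "count": 3})
```

Calling demo() returns (True, True, 'Hello Brian, you have 3 messages\n'): the private directory passes, the group-writable one is refused, and the template renders with no file ever written.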
    • Tavis Rudd
      Message 2 of 26, Apr 20, 2005
        Done in the cvs. If people can give the new approach a test and report back,
        I'll cut a release within the week.

      • Brian Bird
        Message 3 of 26, Apr 22, 2005
          That's great. I've done a very quick test and it seems ok, but I hope to try
          it out properly on Monday

        • Brian Bird
          Message 4 of 26, Apr 25, 2005
            I've done some more testing and the latest svn version seems to fix the
            original security problem. However, our system uses Cheetah 0.9.15, but it
            does not work with 0.9.16 or this latest code. It seems to be because of the
            following:

            from Cheetah import Template
            source = """#errorCatcher Echo
            $test
            """
            print Template.Template(source)

            # 0.9.15 works as documented ($test is printed out)
            # 0.9.16 raises "_HighLevelParser instance has no attribute
            # 'turnErrorCatcherOn'" in Parser.py


            Similarly:

            from Cheetah import Template
            from Cheetah.ErrorCatchers import *
            source = """
            $test
            """
            print Template.Template(source, errorCatcher=Echo)

            # all versions raise "AttributeError: class ErrorCatcher has no
            # attribute '__class__'"

            This looks like a bug unless I'm doing something wrong.
            Unless this has been caused by the security fix, perhaps I should start a
            new thread? But we won't be able to use the new version without this feature
            (we use the errorCatcher to set any NotFound variable to "", and using the
            contributed RecursiveNull didn't seem to work)

            Any ideas?

            Brian

          • Tavis Rudd
            Message 5 of 26, Apr 25, 2005
              That's both a bug and a gap in our unit tests.
              I'll fix it up for tomorrow.

              On a side-note, I've never once used errorCatcher. Do many people here use
              it?

            • Shannon -jj Behrens
              Message 6 of 26, Apr 25, 2005
                No one in the Aquarium world uses it, that I've ever seen.

                --
                I have decided to switch to Gmail, but messages to my Yahoo account will
                still get through.


              • Brian Bird
                Message 7 of 26, Apr 26, 2005
                  If nobody uses errorCatcher, perhaps there's a better way to achieve what
                  I'm trying to do?

                  I want any $placeholder variable to be replaced by a blank string if it
                  cannot be found in the namespaces, instead of raising a NotFound exception.
                  I've done some digging and the best suggestion seems to be to put something
                  like this as the last object in the searchList passed to the Template
                  constructor:

                  class catchall:
                      def __getitem__(self, key):
                          return ""

                  This works for any normal $placeholder, but it masks any #def functions
                  defined in the template.

                  It seems to be because Template.py appends "self" to the end of its
                  searchList, which means the catchall will be used before any definitions in
                  the template object.

                  Any suggestions?

                  Thanks,
                  Brian


                • Tavis Rudd
                  Message 8 of 26 , Apr 26, 2005
                    This is fixed in the CVS now. That no-one reported this 4 month old bug till
                    now is an indication of how frequently errorCatcher is used.

                    On Monday 25 April 2005 02:17, Brian Bird wrote:
                    > I've done some more testing and the latest svn version seems to fix the
                    > original security problem. However, our system uses Cheetah 0.9.15, but it
                    > does not work with 0.9.16 or this latest code. It seems to be because of
                    > the following:
                    >
                    > from Cheetah import Template
                    > source="""#errorCatcher Echo
                    > $test
                    > """
                    > print Template.Template(source)
                    >
                    > #0.9.15 works as documented ($test is printed out)
                    > #0.9.16 raises _HighLevelParser instance has no attribute
                    > 'turnErrorCatcherOn' in Parser.py
                    >
                    >
                    > Similarly:
                    >
                    > from Cheetah import Template
                    > from Cheetah.ErrorCatchers import *
                    > source="""
                    > $test
                    > """
                    > print Template.Template(source,errorCatcher=Echo)
                    >
                    > #all versions raise AttributeError: class ErrorCatcher has no attribute
                    > '__class__'
                    >
                    > This looks like a bug unless I'm doing something wrong.
                    > Unless this has been caused by the security fix, perhaps I should start a
                    > new thread? But we won't be able to use the new version without this
                    > feature (we use the errorCatcher to set any NotFound variable to "", and
                    > using the contributed RecursiveNull didn't seem to work)
                    >
                    > Any ideas?
                    >
                    > Brian
                  • Tavis Rudd
                    Message 9 of 26 , Apr 26, 2005
                      ErrorCatcher is a debugging tool and was never meant for use in production
                      systems. What would lead you to have NotFound errors in production?

                    • Shannon -jj Behrens
                      Message 10 of 26 , Apr 26, 2005
                        Do $hasVar and $getVar meet your needs?

                        -jj



                        --
                        I have decided to switch to Gmail, but messages to my Yahoo account will
                        still get through.


                      • Brian Bird
                        Message 11 of 26 , Apr 27, 2005
                          Ok, here's my (hopefully simplified) case where NotFound exceptions are
                          being raised in production:

                          On an html page, a link is provided to a page.cgi script which generates a
                          form using cheetah:

                          <FORM METHOD=POST ACTION="">
                          My Field <INPUT TYPE=text NAME="myfield" VALUE="$myfield">
                          My 2nd Field <INPUT TYPE=text NAME="myfield2" VALUE="$myfield2">
                          <INPUT TYPE=submit>
                          </FORM>

                          The basic idea is that the cgi script will re-display the form to the user
                          until the form has been filled in correctly. The cheetah namespace is made
                          up primarily of the data POSTed to the form.
                          The first time the form is displayed the variables $myfield and $myfield2
                          don't exist in the namespace because no data was POSTed.

                          Now, the obvious solution seems to be for the template or the cgi script
                          itself to default these variables to an empty string. Unfortunately, in my
                          case there are a few problems with this:

                          There's one cgi script which is used for thousands of templates - it can't
                          know all the variables.

                          Each of the templates is 'owned' by a different person and they can have
                          their own $variable names. Therefore only the template and its owner could
                          possibly know all the fieldnames which need to have default values.

                          However, the system has to be backwards compatible with thousands of old
                          templates which do not specify the field names used (other than using the
                          string "$myfield" in the html form). These old templates weren't written for
                          use with Cheetah, but since they use the $variable format Cheetah can parse
                          them perfectly ... except in the case where the variable doesn't exist in
                          the namespace. I can't change these templates, so I can't force them to use
                          getVar() nor can I set the default values for the fields in the template.

                          The original solution I used was to patch Cheetah to return "" instead of
                          raising NotFound if a variable was missing in the namespace. This patch
                          doesn't work with 0.9.16 so I tried using errorCatcher. This isn't the best
                          solution, so I looked at the 'catchall' class (below), but this masks any
                          #def's in the new templates.

                          Hope this makes sense! If anyone has any good ideas they're appreciated. At
                          the moment, the best I've got is to create a t=Template() as normal and then
                          call "t._searchList.append(catcher())" just after instantiation. Not great
                          because it relies on a private variable, and I think it might cause some
                          problems with deeply nested values in the namespace.

                          Brian


                        • Mike Orr
                          Message 12 of 26 , Apr 27, 2005
                            Brian Bird wrote:

                            >However, the system has to be backwards compatible with thousands of old
                            >templates which do not specify the field names used (other than using the
                            >string "$myfield" in the html form). These old templates weren't written for
                            >use with Cheetah, but since they use the $variable format Cheetah can parse
                            >them perfectly ... except in the case where the variable doesn't exist in
                            >the namespace. I can't change these templates, so I can't force them to use
                            >getVar() nor can I set the default values for the fields in the template.
                            >
                            >

                            Clearly, Cheetah isn't guaranteed to work with non-Cheetah templates.
                            But since the template has to be compiled anyway before using, why not
                            insert a step that translates $var to $getVar('var') ?

                            import re
                            from Cheetah.Template import Template

                            # Match a simple $name placeholder and capture the name
                            # (the closing paren of the group was missing)
                            rx = re.compile(r'\$([a-z][a-z0-9]*)')
                            f = open(filename)    # filename: path of the legacy template
                            tmpl = f.read()
                            f.close()
                            # re.sub takes (replacement, string): rewrite $name as $getVar("name")
                            tmpl = rx.sub(r'$getVar("\1")', tmpl)
                            t = Template(tmpl)

                            I assume the non-Cheetah templates won't have complicated expressions
                            like $placeholder.attr and $placeholder[$key + 's'] .


                          • Shannon -jj Behrens
                            Message 13 of 26 , Apr 27, 2005
                              Interesting. Notice that when you say $myfield, you're not HTML
                              escaping it. Hence, it's open to the cross site scripting
                              vulnerabilities, unless I'm missing something :-/

                              When you brought up the catchall solution, you were putting the
                              catchall instance in your searchList. What if you instead add a
                              __getattr__ to your template superclass that acts as a catchall. It's
                              easy to update the superclass for tons of templates, and this would
                              solve the problem of masked template methods.

                              Hope that helps.

                              Best Regards,
                              -jj

                              On 4/27/05, Brian Bird <brian.bird@...> wrote:
                              > Ok, here's my (hopefully simplified) case where NotFound exceptions are
                              > being raised in production:
                              >
                              > On an html page, a link is provided to a page.cgi script which generates a
                              > form using cheetah:
                              >
                              > <FORM METHOD=POST ACTION="">
                              > My Field <INPUT TYPE=text NAME="myfield" VALUE="$myfield">
                              > My 2nd Field <INPUT TYPE=text NAME="myfield2" VALUE="$myfield2">
                              > <INPUT TYPE=submit>
                              > </FORM>
                              >
                              > The basic idea is that the cgi script will re-display the form to the user
                              > until the form has been filled in correctly. The cheetah namespace is made
                              > up primarily of the data POSTed to the form.
                              > The first time the form is displayed the variables $myfield and $myfield2
                              > don't exist in the namespace because no data was POSTed.
                              >
                              > Now, the obvious solution seems to be for the template or the cgi script
                              > itself to default these variables to an empty string. Unfortunately, in my
                              > case there are a few problems with this:
                              >
                              > There's one cgi script which is used for thousands of templates - it can't
                              > know all the variables.
                              >
                              > Each of the templates is 'owned' by a different person and they can have
                              > their own $variable names. Therefore only the template and its owner could
                              > possibly know all the fieldnames which need to have default values.
                              >
                              > However, the system has to be backwards compatible with thousands of old
                              > templates which do not specify the field names used (other than using the
                              > string "$myfield" in the html form). These old templates weren't written for
                              > use with Cheetah, but since they use the $variable format Cheetah can parse
                              > them perfectly ... except in the case where the variable doesn't exist in
                              > the namespace. I can't change these templates, so I can't force them to use
                              > getVar() nor can I set the default values for the fields in the template.
                              >
                              > The original solution I used was to patch Cheetah to return "" instead of
                              > raising NotFound if a variable was missing in the namespace. This patch
                              > doesn't work with 0.9.16 so I tried using errorCatcher. This isn't the best
                              > solution, so I looked at the 'catchall' class (below), but this masks any
                              > #def's in the new templates.
                              >
                              > Hope this makes sense! If anyone has any good ideas they're appreciated. At
                              > the moment, the best I've got is to create a t=Template() as normal and then
                              > call "t._searchList.append(catcher())" just after instantiation. Not great
                              > because it relies on a private variable, and I think it might cause some
                              > problems with deeply nested values in the namespace.
                              >
                              > Brian
                              >
                              > -----Original Message-----
                              > From: cheetahtemplate-discuss-admin@...
                              > [mailto:cheetahtemplate-discuss-admin@...] On Behalf Of
                              > Tavis Rudd
                              > Sent: 26 April 2005 22:10
                              > To: cheetahtemplate-discuss@...
                              > Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?
                              >
                              > ErrorCatcher is a debugging tool and was never meant for use in production
                              > systems. What would lead you to have NotFound errors in production?
                              >
                              > On Tuesday 26 April 2005 02:20, Brian Bird wrote:
                              > > If nobody uses errorCatcher, perhaps there's a better way to achieve
                              > > what I'm trying to do?
                              > >
                              > > I want any $placeholder variable to be replaced by a blank string if
                              > > it cannot be found in the namespaces, instead of raising a NotFound
                              > exception.
                              > > I've done some digging and the best suggestion seems to be to put
                              > > something like this as the last object in the searchList passed to the
                              > > Template
                              > > constructor:
                              > >
                              > > class catchall:
                              > >     def __getitem__(self, key):
                              > >         return ""
                              > >
                              > > This works for any normal $placeholder, but it masks any #def
                              > > functions defined in the template.
                              > >
                              > > It seems to be because Template.py appends "self" to the end of its
                              > > searchList which means the catchall will be used before any
                              > > definitions in the template object.
                              > >
                              > > Any suggestions?
                              > >
                              > > Thanks,
                              > > Brian
                              > >
                              > >
                              > > -----Original Message-----
                              > > From: Shannon -jj Behrens [mailto:jjinux@...]
                              > > Sent: 25 April 2005 22:22
                              > > To: Tavis Rudd
                              > > Cc: cheetahtemplate-discuss@...; Brian Bird; Scott
                              > > Sanders; Ian Bicking
                              > > Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?
                              > >
                              > > No one in the Aquarium world uses it, that I've ever seen.
                              > >
                              > > On 4/25/05, Tavis Rudd <tavis@...> wrote:
                              > > > That's both a bug and a gap in our unit tests.
                              > > > I'll fix it up for tomorrow.
                              > > >
                              > > > On a side-note, I've never once used errorCatcher. Do many people
                              > > > here use it?
                              > >
                              > > --
                              > > I have decided to switch to Gmail, but messages to my Yahoo account
                              > > will still get through.
                              > >
                              > >
                              > >


                              --
                              I have decided to switch to Gmail, but messages to my Yahoo account will
                              still get through.


                            • mso@oz.net
                                Message 14 of 26 , Apr 27, 2005
                                JJ wrote:
                                > Interesting. Notice that when you say $myfield, you're not HTML
                                > escaping it. Hence, it's open to the cross site scripting
                                > vulnerabilities, unless I'm missing something :-/

                                Brian can try:

                                #filter WebSafe





                              • Shannon -jj Behrens
                                  Message 15 of 26 , Apr 27, 2005
                                  Crud. I had forgotten all about that because I so often call other
                                  methods, etc. I usually just pass things through Aquarium's
                                  $htmlent($value), for which I've received a lot of heat from "more
                                  forgetful" programmers :-/

                                  -jj

                                  On 4/27/05, mso@... <mso@...> wrote:
                                  > JJ wrote:
                                  > > Interesting. Notice that when you say $myfield, you're not HTML
                                  > > escaping it. Hence, it's open to the cross site scripting
                                  > > vulnerabilities, unless I'm missing something :-/
                                  >
                                  > Brian can try:
                                  >
                                  > #filter WebSafe

                                  --
                                  I have decided to switch to Gmail, but messages to my Yahoo account will
                                  still get through.


                                • Brian Bird
                                    Message 16 of 26 , Apr 28, 2005
                                    Sounds good (although it feels a bit inefficient).

                                    Alternatively, I notice there's also another thread with people suggesting
                                    that $?var or $!var should default to "".

                                    Would anyone object to having an optional parameter to the Template
                                    constructor which specifies a default value for any variable not in the
                                    namespaces? If not specified the Template could raise NotFound as usual.
                                    Seems like a simple enough solution.

                                    Brian

                                    -----Original Message-----
                                    From: cheetahtemplate-discuss-admin@...
                                    [mailto:cheetahtemplate-discuss-admin@...] On Behalf Of
                                    Mike Orr
                                    Sent: 27 April 2005 15:16
                                    To: Brian Bird; cheetahtemplate-discuss@...
                                    Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?

                                    Brian Bird wrote:

                                    >However, the system has to be backwards compatible with thousands of
                                    >old templates which do not specify the field names used (other than
                                    >using the string "$myfield" in the html form). These old templates
                                    >weren't written for use with Cheetah, but since they use the $variable
                                    >format Cheetah can parse them perfectly ... except in the case where
                                    >the variable doesn't exist in the namespace. I can't change these
                                    >templates, so I can't force them to use
                                    >getVar() nor can I set the default values for the fields in the template.
                                    >
                                    >

                                    Clearly, Cheetah isn't guaranteed to work with non-Cheetah templates.
                                    But since the template has to be compiled anyway before using, why not
                                    insert a step that translates $var to $getVar('var') ?

                                    import re
                                    from Cheetah.Template import Template

                                    # Match a simple $name placeholder and capture the name
                                    # (the closing paren of the group was missing)
                                    rx = re.compile(r'\$([a-z][a-z0-9]*)')
                                    f = open(filename)    # filename: path of the legacy template
                                    tmpl = f.read()
                                    f.close()
                                    # re.sub takes (replacement, string): rewrite $name as $getVar("name")
                                    tmpl = rx.sub(r'$getVar("\1")', tmpl)
                                    t = Template(tmpl)

                                    I assume the non-Cheetah templates won't have complicated expressions like
                                    $placeholder.attr and $placeholder[$key + 's'] .


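The __getattr__ catchall JJ suggests (message 13), the WebSafe-style escaping mso points to (message 14) and Brian's proposed constructor default (message 16), modelled together in one added example. This is illustration code written for this page, not Cheetah's Template or NameMapper; lookup(), TemplateBase, FormPage and the POST data are made up for it, and the lookup order (user searchList first, the template object last) follows what Brian describes.

```python
import html

# Constructed stand-in for Cheetah's searchList lookup and NotFound; this is
# illustration code, not Cheetah's Template or NameMapper implementation.

_NO_DEFAULT = object()   # sentinel: "no default given, raise NotFound as usual"


class NotFound(LookupError):
    """Models Cheetah's NotFound: the placeholder is in none of the namespaces."""


def lookup(name, search_list):
    """Resolve $name the way a searchList does: the first namespace that
    answers wins. Mapping-like objects are indexed, anything else uses getattr."""
    for ns in search_list:
        if hasattr(type(ns), "__getitem__"):
            try:
                return ns[name]
            except (KeyError, IndexError, TypeError):
                continue
        try:
            return getattr(ns, name)
        except AttributeError:
            continue
    raise NotFound(name)


class Catchall:
    """The searchList catchall from the thread: answers every key with ''."""

    def __getitem__(self, key):
        return ""


class TemplateBase:
    """Hypothetical template superclass (not Cheetah's). Compiled #def blocks
    become ordinary methods on the subclass, so normal attribute lookup finds
    them first; __getattr__ only runs for names that are really missing."""

    def __init__(self, search_list, missing=_NO_DEFAULT):
        self._search_list = list(search_list)
        self._missing = missing      # Brian's proposed constructor default

    def __getattr__(self, name):
        # Never answer private/dunder names, and only act as a catchall when
        # the caller asked for a default; otherwise fall through to NotFound.
        if name.startswith("_") or self._missing is _NO_DEFAULT:
            raise AttributeError(name)
        return self._missing

    def placeholder(self, name, escape=True):
        """Resolve $name over searchList + self (self last, as Brian describes),
        autocall methods, then apply a WebSafe-style filter to the result."""
        value = lookup(name, self._search_list + [self])
        if callable(value):
            value = value()
        text = "" if value is None else str(value)
        return html.escape(text, quote=True) if escape else text


class FormPage(TemplateBase):
    """A template with one #def-style method that must not be masked."""

    def greeting(self):
        return "Please fill in the form"

    def field(self, name):
        return '<INPUT TYPE=text NAME="%s" VALUE="%s">' % (name, self.placeholder(name))


def masked_by_searchlist_catchall(post_data):
    """The failing variant: Catchall sits before the template object in the
    searchList, so even $greeting resolves to '' instead of the method."""
    page = FormPage([post_data, Catchall()])
    return page.placeholder("greeting")


def getattr_catchall(post_data):
    """The __getattr__ variant: #def methods still win, missing data defaults
    to '', and POSTed values are escaped before they reach the VALUE attribute."""
    page = FormPage([post_data], missing="")
    return page.placeholder("greeting"), page.placeholder("myfield2"), page.field("myfield")


def strict_raises(post_data):
    """With no default given the template raises NotFound for $myfield2."""
    page = FormPage([post_data])
    try:
        page.placeholder("myfield2")
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # Constructed POST data containing markup characters; $myfield2 was not sent.
    posted = {"myfield": '<b>x</b> & "y"'}
    print(masked_by_searchlist_catchall(posted))
    print(getattr_catchall(posted))
    print(strict_raises(posted))
```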
                                  • Brian Bird
                                      Message 17 of 26 , Apr 28, 2005
                                      The real code uses a filter - I was trying not to confuse the issue in my
                                      example though :-)

                                      Brian

                                      -----Original Message-----
                                      From: Shannon -jj Behrens [mailto:jjinux@...]
                                      Sent: 28 April 2005 06:39
                                      To: mso@...
                                      Cc: Brian Bird; Tavis Rudd; cheetahtemplate-discuss@...
                                      Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?

                                      Crud. I had forgotten all about that because I so often call other methods,
                                      etc. I usually just pass things through Aquarium's $htmlent($value), for
                                      which I've received a lot of heat from "more forgetful" programmers :-/

                                      -jj

                                      On 4/27/05, mso@... <mso@...> wrote:
                                      > JJ wrote:
                                      > > Interesting. Notice that when you say $myfield, you're not HTML
                                      > > escaping it. Hence, it's open to the cross site scripting
                                      > > vulnerabilities, unless I'm missing something :-/
                                      >
                                      > Brian can try:
                                      >
                                      > #filter WebSafe

                                      --
                                      I have decided to switch to Gmail, but messages to my Yahoo account will
                                      still get through.



                                    • Brian Bird
                                        Message 18 of 26 , May 10, 2005
                                        Thanks for your suggestions. The __getattr__ idea seems to work in simple
                                        cases, but I think I may have discovered another problem with 0.9.16 though.
                                        I'll start another thread though since it's nothing to do with Security.

                                        Thanks,
                                        Brian

                                        -----Original Message-----
                                        From: Shannon -jj Behrens [mailto:jjinux@...]
                                        Sent: 27 April 2005 17:23
                                        To: Brian Bird
                                        Cc: Tavis Rudd; cheetahtemplate-discuss@...
                                        Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?

                                        Interesting. Notice that when you say $myfield, you're not HTML escaping
                                        it. Hence, it's open to the cross site scripting vulnerabilities, unless
                                        I'm missing something :-/

                                        When you brought up the catchall solution, you were putting the catchall
                                        instance in your searchList. What if you instead add a __getattr__ to your
                                        template superclass that acts as a catchall. It's easy to update the
                                        superclass for tons of templates, and this would solve the problem of masked
                                        template methods.

                                        Hope that helps.

                                        Best Regards,
                                        -jj

                                        On 4/27/05, Brian Bird <brian.bird@...> wrote:
                                        > Ok, here's my (hopefully simplified) case where NotFound exceptions
                                        > are being raised in production:
                                        >
                                        > On an html page, a link is provided to a page.cgi script which
                                        > generates a form using cheetah:
                                        >
                                        > <FORM METHOD=POST ACTION="">
                                        > My Field <INPUT TYPE=text NAME="myfield" VALUE="$myfield">
                                        > My 2nd Field <INPUT TYPE=text NAME="myfield2" VALUE="$myfield2">
                                        > <INPUT TYPE=submit>
                                        > </FORM>
                                        >
                                        > The basic idea is that the cgi script will re-display the form to the
                                        > user until the form has been filled in correctly. The cheetah
                                        > namespace is made up primarily of the data POSTed to the form.
                                        > The first time the form is displayed the variables $myfield and
                                        > $myfield2 don't exist in the namespace because no data was POSTed.
                                        >
                                        > Now, the obvious solution seems to be for the template or the cgi
                                        > script itself to default these variables to an empty string.
                                        > Unfortunately, in my case there are a few problems with this:
                                        >
                                        > There's one cgi script which is used for thousands of templates - it
                                        > can't know all the variables.
                                        >
                                        > Each of the templates is 'owned' by a different person and they can
                                        > have their own $variable names. Therefore only the template and its
                                        > owner could possibly know all the fieldnames which need to have default
                                        > values.
                                        >
                                        > However, the system has to be backwards compatible with thousands of
                                        > old templates which do not specify the field names used (other than
                                        > using the string "$myfield" in the html form). These old templates
                                        > weren't written for use with Cheetah, but since they use the $variable
                                        > format Cheetah can parse them perfectly ... except in the case where
                                        > the variable doesn't exist in the namespace. I can't change these
                                        > templates, so I can't force them to use
                                        > getVar() nor can I set the default values for the fields in the template.
                                        >
                                        > The original solution I used was to patch Cheetah to return "" instead
                                        > of raising NotFound if a variable was missing in the namespace. This
                                        > patch doesn't work with 0.9.16 so I tried using errorCatcher. This
                                        > isn't the best solution, so I looked at the 'catchall' class (below),
                                        > but this masks any #def's in the new templates.
                                        >
                                        > Hope this makes sense! If anyone has any good ideas they're
                                        > appreciated. At the moment, the best I've got is to create a
                                        > t=Template() as normal and then call "t._searchList.append(catcher())"
                                        > just after instantiation. Not great because it relies on a private
                                        > variable, and I think it might cause some problems with deeply nested
                                        > values in the namespace.
                                        >
                                        > Brian
                                        >
                                        > -----Original Message-----
                                        > From: cheetahtemplate-discuss-admin@...
                                        > [mailto:cheetahtemplate-discuss-admin@...] On Behalf
                                        > Of Tavis Rudd
                                        > Sent: 26 April 2005 22:10
                                        > To: cheetahtemplate-discuss@...
                                        > Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?
                                        >
                                        > ErrorCatcher is a debugging tool and was never meant for use in
                                        > production systems. What would lead you to have NotFound errors in
                                        > production?
                                        >
                                        > On Tuesday 26 April 2005 02:20, Brian Bird wrote:
                                        > > If nobody uses errorCatcher, perhaps there's a better way to achieve
                                        > > what I'm trying to do?
                                        > >
                                        > > I want any $placeholder variable to be replaced by a blank string if
                                        > > it cannot be found in the namespaces, instead of raising a NotFound
                                        > > exception.
                                        > > I've done some digging and the best suggestion seems to be to put
                                        > > something like this as the last object in the searchList passed to
                                        > > the Template
                                        > > constructor:
                                        > >
                                        > > class catchall:
                                        > >     def __getitem__(self, key):
                                        > >         return ""
                                        > >
                                        > > This works for any normal $placeholder, but it masks any #def
                                        > > functions defined in the template.
                                        > >
                                        > > It seems to be because Template.py appends "self" to the end of its
                                        > > searchList which means the catchall will be used before any
                                        > > definitions in the template object.
                                        > >
                                        > > Any suggestions?
                                        > >
                                        > > Thanks,
                                        > > Brian
                                        > >
                                        > >
                                        > > -----Original Message-----
                                        > > From: Shannon -jj Behrens [mailto:jjinux@...]
                                        > > Sent: 25 April 2005 22:22
                                        > > To: Tavis Rudd
                                        > > Cc: cheetahtemplate-discuss@...; Brian Bird; Scott
                                        > > Sanders; Ian Bicking
                                        > > Subject: Re: [Cheetahtemplate-discuss] Security hole in Cheetah?
                                        > >
                                        > > No one in the Aquarium world uses it, that I've ever seen.
                                        > >
                                        > > On 4/25/05, Tavis Rudd <tavis@...> wrote:
                                        > > > That's both a bug and a gap in our unit tests.
                                        > > > I'll fix it up for tomorrow.
                                        > > >
                                        > > > On a side-note, I've never once used errorCatcher. Do many people
                                        > > > here use it?
                                        > >
                                        > > --
                                        > > I have decided to switch to Gmail, but messages to my Yahoo account
                                        > > will still get through.
                                        > >
                                        > >
                                        > >
                                        > > -------------------------------------------------------
                                        > > SF email is sponsored by - The IT Product Guide Read honest & candid
                                        > > reviews on hundreds of IT Products from real users.
                                        > > Discover which products truly live up to the hype. Start reading now.
                                        > > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
                                        > > _______________________________________________
                                        > > Cheetahtemplate-discuss mailing list
                                        > > Cheetahtemplate-discuss@...
                                        > > https://lists.sourceforge.net/lists/listinfo/cheetahtemplate-discuss
                                        >


                                        --
                                        I have decided to switch to Gmail, but messages to my Yahoo account will
                                        still get through.
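Added example, not Cheetah's code and not from any poster above: a small Python simulation of first-hit-wins search-list lookup, showing why a catch-all that answers every name masks a template's #def methods when it sits before the template object, and that placing it last (what the `_searchList.append(catcher())` workaround does) avoids that. `resolve`, `FormTemplate` and `LoggingCatchall` are hypothetical stand-ins, not Cheetah APIs; the logging variant records each swallowed name so a fail-open default does not silently hide typos or missing fields.

```python
class NotFound(LookupError):
    """Raised when no search-list object provides the placeholder."""


def resolve(name, search_list):
    """Return the first value for `name` in search-list order.

    Each object is tried first as a mapping, then as an attribute holder
    (a compiled #def is a method on the template object). This is a
    stand-in for the lookup order the thread describes, not Cheetah's code.
    """
    for obj in search_list:
        getitem = getattr(type(obj), "__getitem__", None)
        if getitem is not None:
            try:
                return getitem(obj, name)
            except KeyError:
                pass
        if hasattr(obj, name):
            return getattr(obj, name)
    raise NotFound(name)


class Catchall:
    """The catch-all from the thread: any missing placeholder becomes ''."""
    def __getitem__(self, key):
        return ""


class LoggingCatchall(Catchall):
    """Hypothetical variant: same fail-open default, but it keeps a record
    of every name it swallowed so misses stay visible in logs."""
    def __init__(self):
        self.missing = []

    def __getitem__(self, key):
        self.missing.append(key)
        return ""


class FormTemplate:
    """Stands in for a compiled template whose #def header is a method."""
    def header(self):
        return "<h1>Form</h1>"


def render(names, search_list):
    """Resolve each placeholder, calling methods the way a #def would be."""
    out = []
    for n in names:
        v = resolve(n, search_list)
        out.append(v() if callable(v) else v)
    return out
```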


