Merge pull request from GHSA-qcx9-j53g-ccgf

zopefoundation · Jul 30, 2021 · b42dd4b · b42dd4b
1 parent 5af868c
commit b42dd4b
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -6,7 +6,8 @@ For changes before version 3.0, see ``HISTORY.rst``.
 5.1 (unreleased)
 ----------------
 
-- Nothing changed yet.
+- Fix a remote code execution issue by preventing access to
+  ``string.Formatter`` from restricted code.
 
 
 5.0 (2020-10-07)

diff --git a/src/AccessControl/ZopeGuards.py b/src/AccessControl/ZopeGuards.py
@@ -30,6 +30,7 @@
 from RestrictedPython.Utilities import utility_builtins
 from zExceptions import Unauthorized
 
+from AccessControl.SecurityInfo import ModuleSecurityInfo
 from AccessControl.SecurityInfo import secureModule
 from AccessControl.SecurityManagement import getSecurityManager
 from AccessControl.SimpleObjectPolicies import ContainerAssertions
@@ -57,6 +58,13 @@
 math.__allow_access_to_unprotected_subobjects__ = 1
 random.__allow_access_to_unprotected_subobjects__ = 1
 
+# Mark some unprotected module attributes as private, these should not be
+# used in untrusted Python code such as Scripts (Python)
+string_modsec = ModuleSecurityInfo('string')
+for name in ('Formatter', 'Template'):
+    string_modsec.declarePrivate(name)  # NOQA: D001
+secureModule('string')
+
 # AccessControl.Implementation inserts these names into this module as
 # module globals:  aq_validate, guarded_getattr
 

diff --git a/src/AccessControl/tests/testZopeSecurityPolicy.py b/src/AccessControl/tests/testZopeSecurityPolicy.py
@@ -278,6 +278,19 @@ def testAccessToSimpleContainer(self):
         c.attr = PublicMethod()
         self.assertPolicyAllows(c, 'attr')
 
+    def testAccessToStringModule(self):
+        # The string module is available to restricted code and its members are
+        # explicitly allowed via a
+        # ``__allow_access_to_unprotected_subobjects__`` declaration. However,
+        # a few classes are exempted and declared private, they can indirectly
+        # provide uncontrolled access to system libraries from within
+        # restricted code.
+        import string
+
+        self.assertPolicyAllows(string, 'printable')
+        self.assertPolicyDenies(string, 'Formatter')
+        self.assertPolicyDenies(string, 'Template')
+
     def testUnicodeAttributeLookups(self):
         item = self.item
         r_item = self.a.r_item