zms-publishing · cmeier76 · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 15, 2025
diff --git a/Products/zms/_confmanager.py b/Products/zms/_confmanager.py
@@ -545,6 +545,7 @@ def getConfPropertiesDefaults(self):
         {'key':'ZMS.input.file.maxlength','title':'File.upload maxlength','desc':'ZMS can limit the maximum upload-file size to the given value (in Bytes).','datatype':'string'},
         {'key':'ZMS.input.image.maxlength','title':'Image.upload maxlength','desc':'ZMS can limit the maximum upload-image size to the given value (in Bytes).','datatype':'string'},
         {'key':'ZMS.log.root','title':'ZMS.log.root','desc':'Use ZMSLog at absolute root node instead of current portal master','datatype':'boolean'},
+        {'key':'ZMS.input.exec.restrict','title':'ZMS.input.exec.restrict','desc':'Prevent usage of these keywords on standard.dt_exec','datatype':'string','default':''},
         {'key':'ZMSGraphic.superres','title':'Image superres-attribute','desc':'Super-resolution attribute for ZMS standard image-objects.','datatype':'boolean','default':0},
         {'key':'ZCatalog.TextIndexType','title':'Search with TextIndex-type','desc':'Use specified TextIndex-type (default: ZCTextIndex)','datatype':'string','default':'ZCTextIndex'},
         {'key':'ZMSIndexZCatalog.ObjectImported.reindex','title':'Reindex ZMSIndex on content import','desc':'Please be aware that activating implicit ZMSIndex-resync on content import can block bigger sites for a while','datatype':'boolean','default':0},
@@ -1183,4 +1184,5 @@ def getRegistry():
     return __REGISTRY__
 getRegistry()
 
-################################################################################
+
+################################################################################
diff --git a/Products/zms/standard.py b/Products/zms/standard.py
@@ -2329,10 +2329,13 @@ def dt_exec(context, v, o={}):
   """
   if type(v) is str:
     if v.startswith('##') and v.find('return ') > 0:
+      check_restricted_inputs(context, value=v)
       v = dt_py(context, v, o)
     elif v.find('<tal:') >= 0:
+      check_restricted_inputs(context, value=v)
       v = dt_tal(context, v, dict(o))
     elif v.find('<dtml-') >= 0:
+      check_restricted_inputs(context, value=v)
       v = dt_html(context, v, context.REQUEST)
   return v
 
@@ -2629,6 +2632,17 @@ def is_conf_enabled(context, setting):
   return pybool(conf_property)
 
 
+def check_restricted_inputs(context, value, force_restriction=False):
+    prop = context.getConfProperty('ZMS.input.exec.restrict')
+    if isinstance(prop, str) and prop.strip() != '':
+        for keyword in prop.split():
+            if keyword in value:
+                raise zExceptions.MethodNotAllowed(f'Usage of "{keyword}" is forbidden.')
+    else:
+        if force_restriction:
+            raise zExceptions.MethodNotAllowed(f'Conf property "ZMS.input.exec.restrict" not set.')
+
+
 class initutil(object):
   """Define the initialize() util."""