[Checkins] SVN: Zope3/branches/3.3/ - Fixed issue 574: security exposure of TALES namespaces

Christian Theune ct at gocept.com
Tue Aug 15 08:09:33 EDT 2006


Log message for revision 69506:
   - Fixed issue 574: security exposure of TALES namespaces
  

Changed:
  U   Zope3/branches/3.3/doc/CHANGES.txt
  U   Zope3/branches/3.3/src/zope/app/homefolder/tests.py
  U   Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml
  U   Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py
  U   Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py
  U   Zope3/branches/3.3/src/zope/app/session/configure.zcml

-=-
Modified: Zope3/branches/3.3/doc/CHANGES.txt
===================================================================
--- Zope3/branches/3.3/doc/CHANGES.txt	2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/doc/CHANGES.txt	2006-08-15 12:09:32 UTC (rev 69506)
@@ -10,6 +10,9 @@
 
     Bugfixes
 
+      - Fixed issue 574: Page template traversal adapters were not correctly
+        proxied.
+
       - Fixed issue 682: Quoting of realm in HTTP basic authentication was not
         conforming to RFC 2617.
 

Modified: Zope3/branches/3.3/src/zope/app/homefolder/tests.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/homefolder/tests.py	2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/homefolder/tests.py	2006-08-15 12:09:32 UTC (rev 69506)
@@ -33,6 +33,9 @@
 from zope.app.homefolder.homefolder import HomeFolder, getHomeFolder
 from zope.app.homefolder.interfaces import IHomeFolder
 
+from zope.app.folder.folder import Folder
+from zope.app.folder.interfaces import IFolder
+from zope.security.checker import InterfaceChecker, defineChecker
 
 def homeFolderSetUp(test):
     placelesssetup.setUp()    
@@ -40,6 +43,7 @@
     setup.setUpTraversal()
 
     classImplements(File, IAttributeAnnotatable)
+
     ztapi.provideAdapter(IAnnotatable, IPrincipalRoleManager,
                          AnnotationPrincipalRoleManager)
     ztapi.provideAdapter(IPrincipal, IHomeFolder,
@@ -47,6 +51,9 @@
     ztapi.provideAdapter(IPrincipal, IPathAdapter,
                          getHomeFolder,
                          name="homefolder")
+    
+    testChecker = InterfaceChecker(IFolder)
+    defineChecker(Folder, testChecker)
 
     
 def test_suite():
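Review bot: The `defineChecker(Folder, testChecker)` call in homeFolderSetUp registers a process-wide checker with no matching undo in a teardown, so unless `placelesssetup.tearDown` resets the checker registry (not visible in this hunk) the InterfaceChecker(IFolder) leaks into every later test in the run. Either confirm the cleanup hook or undo it explicitly; a comment would also help a reader understand why a Folder checker appears in a homefolder test, e.g. `# the homefolder path adapter returns a Folder, which is now security-proxied (issue 574), so give it a checker the tests can traverse`. The added blank line at L61 carries trailing whitespace.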

Modified: Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml
===================================================================
--- Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml	2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml	2006-08-15 12:09:32 UTC (rev 69506)
@@ -11,12 +11,21 @@
       name="zope" 
       />
 
+  <class class=".talesapi.ZopeTalesAPI">
+    <allow interface="zope.tales.interfaces.ITALESFunctionNamespace"/>
+    <allow attributes="title description created modified name title_or_name size"/>
+  </class>
+
   <adapter
       for="*"
       provides="zope.traversing.interfaces.IPathAdapter"
       factory=".urlquote.URLQuote"
       name="url"/> 
 
+  <class class=".urlquote.URLQuote">
+    <allow attributes="quote quote_plus unquote unquote_plus"/>
+  </class> 
+
  <class class="zope.tales.tales.Iterator">
     <allow interface="zope.tales.interfaces.ITALESIterator" />
  </class>
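Review bot: The `<allow interface="zope.tales.interfaces.ITALESFunctionNamespace"/>` on ZopeTalesAPI makes every attribute that interface declares public to untrusted templates, which presumably includes the engine-setting method the engine calls on a namespace; if so that is probably benign but should be stated rather than implied. I would add a comment above the two new `<class>` stanzas explaining why they exist now: `<!-- Path adapters are security-proxied by the untrusted engine (issue 574); list exactly the attributes templates may use. -->`, so nobody later broadens the lists to mutating methods. The `</class>` closing the URLQuote stanza carries trailing whitespace.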

Modified: Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py	2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py	2006-08-15 12:09:32 UTC (rev 69506)
@@ -249,7 +249,34 @@
         return namespace
 
 
-class ZopeEngine(ExpressionEngine):
+class ZopeBaseEngine(ExpressionEngine):
+
+    _create_context = ZopeContext
+
+    def __init__(self):
+        ExpressionEngine.__init__(self)
+        self.namespaces = AdapterNamespaces()
+
+    def getContext(self, __namespace=None, **namespace):
+        if __namespace:
+            if namespace:
+                namespace.update(__namespace)
+            else:
+                namespace = __namespace
+
+        context = self._create_context(self, namespace)
+
+        # Put request into context so path traversal can find it
+        if 'request' in namespace:
+            context.request = namespace['request']
+
+        # Put context into context so path traversal can find it
+        if 'context' in namespace:
+            context.context = namespace['context']
+
+        return context
+
+class ZopeEngine(ZopeBaseEngine):
     """Untrusted expression engine.
 
     This engine does not allow modules to be imported; only modules
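Review bot: The new `ZopeBaseEngine` class has no docstring, although it is now the shared parent of both the trusted and the untrusted engine and its only job is to host the context/namespace plumbing that was lifted out of `ZopeEngine`. I would add `"""Shared base for the trusted and untrusted Zope expression engines; holds the AdapterNamespaces and context setup but applies no security policy of its own."""` so the security split between the two subclasses is visible at the base. PEP 8 also wants two blank lines before `class ZopeEngine`, which this hunk reduces to one.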
@@ -355,33 +382,12 @@
 
     """
 
-    _create_context = ZopeContext
+    def getFunctionNamespace(self, namespacename):
+        """ Returns the function namespace """
+        return ProxyFactory(
+            super(ZopeEngine, self).getFunctionNamespace(namespacename))
 
-    def __init__(self):
-        ExpressionEngine.__init__(self)
-        self.namespaces = AdapterNamespaces()
-
-    def getContext(self, __namespace=None, **namespace):
-        if __namespace:
-            if namespace:
-                namespace.update(__namespace)
-            else:
-                namespace = __namespace
-
-        context = self._create_context(self, namespace)
-
-        # Put request into context so path traversal can find it
-        if 'request' in namespace:
-            context.request = namespace['request']
-
-        # Put context into context so path traversal can find it
-        if 'context' in namespace:
-            context.context = namespace['context']
-
-        return context
-
-
-class TrustedZopeEngine(ZopeEngine):
+class TrustedZopeEngine(ZopeBaseEngine):
     """Trusted expression engine.
 
     This engine allows modules to be imported::
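Review bot: The docstring on the new `getFunctionNamespace` override (`""" Returns the function namespace """`) omits the one thing that matters about it, namely that the returned namespace is wrapped in a security proxy so the adapters it later produces are checked against their security declarations; I would write `"""Return the function namespace wrapped in a security proxy (issue 574): adapters it returns are then subject to their class security declarations."""`. Since `TrustedZopeEngine` now derives from `ZopeBaseEngine` instead of `ZopeEngine`, it deliberately keeps the unproxied behaviour, which deserves a sentence in its docstring (the docstring continues outside this hunk). The hunk assumes `ProxyFactory` is already imported in engine.py; no import is added here, so confirm it is in scope.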

Modified: Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py	2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py	2006-08-15 12:09:32 UTC (rev 69506)
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Copyright (c) 2004 Zope Corporation and Contributors.
+# Copyright (c) 2004-2006 Zope Corporation and Contributors.
 # All Rights Reserved.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -11,15 +11,44 @@
 # FOR A PARTICULAR PURPOSE.
 #
 ##############################################################################
-"""Doc tests for the pagentemplate's 'engine' module
+"""Doc tests for the pagetemplate's 'engine' module
 
 $Id$
 """
 import unittest
 from zope.testing.doctestunit import DocTestSuite
 
+import zope.component
+from zope.app.pagetemplate.engine import _Engine
+from zope.proxy import isProxy
+from zope.traversing.interfaces import IPathAdapter
+
+class DummyNamespace(object):
+
+    def __init__(self, context):
+        self.context = context
+
+class EngineTests(unittest.TestCase):
+
+    def setUp(self):
+        gsm = zope.component.getGlobalSiteManager()
+        gsm.registerAdapter(DummyNamespace, required=(), provided=IPathAdapter, name='test')
+
+    def tearDown(self):
+        gsm = zope.component.getGlobalSiteManager()
+        gsm.unregisterAdapter(DummyNamespace, required=(), provided=IPathAdapter, name='test')
+
+    def test_issue574(self):
+        engine = _Engine()
+        namespace = engine.getFunctionNamespace('test')
+        self.failUnless(isProxy(namespace))
+
+
 def test_suite():
-    return DocTestSuite('zope.app.pagetemplate.engine')
+    suite = unittest.TestSuite()
+    suite.addTest(DocTestSuite('zope.app.pagetemplate.engine'))
+    suite.addTest(unittest.makeSuite(EngineTests))
+    return suite
 
 if __name__ == '__main__':
     unittest.main(defaultTest='test_suite')
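Review bot: `test_issue574` only checks that the namespace *lookup function* is a proxy, not that the adapter it hands back to a template is, which is the exposure the fix closes; and `isProxy` from zope.proxy is true for any zope.proxy-based wrapper, not specifically a security proxy. Registering the dummy with `required=()` also declares a zero-argument adapter, so calling `namespace(some_object)` would not even find it. I would register it for any context, e.g. `required=(zope.interface.Interface,)`, and add `adapter = namespace(object())` followed by `self.failUnless(isProxy(adapter))`, optionally passing the security `Proxy` class as the second argument of `isProxy` if that signature is available. A negative check that `TrustedZopeEngine` returns an unproxied namespace would pin the intended split.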

Modified: Zope3/branches/3.3/src/zope/app/session/configure.zcml
===================================================================
--- Zope3/branches/3.3/src/zope/app/session/configure.zcml	2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/session/configure.zcml	2006-08-15 12:09:32 UTC (rev 69506)
@@ -23,7 +23,6 @@
       provides="zope.traversing.interfaces.IPathAdapter"
       factory=".session.Session"
       name="session"
-      permission="zope.Public"
       />
 
   <class class=".session.Session">
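Review bot: Dropping `permission="zope.Public"` from the session adapter silently changes which checker governs the object templates see: previously the adapter directive's own permission wrapping applied, now the instance is proxied by the engine and access is decided solely by the `<class class=".session.Session">` declarations that begin at the last line of this hunk and continue outside it. Please confirm those declarations expose only what templates need, and record the dependency so it is not "fixed" back later: `<!-- no permission here: the untrusted engine security-proxies path adapters (issue 574); access is governed by the Session class declarations below -->`.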


