[Checkins] SVN: grok/branches/0.13/ Port security fix to 0.13 line too.
Martijn Faassen
faassen at infrae.com
Fri Dec 12 09:07:02 EST 2008
Log message for revision 93957:
Port security fix to 0.13 line too.
Changed:
U grok/branches/0.13/CHANGES.txt
U grok/branches/0.13/src/grok/components.py
U grok/branches/0.13/src/grok/meta.py
U grok/branches/0.13/src/grok/publication.py
U grok/branches/0.13/versions.cfg
-=-
Modified: grok/branches/0.13/CHANGES.txt
===================================================================
--- grok/branches/0.13/CHANGES.txt 2008-12-12 14:01:14 UTC (rev 93956)
+++ grok/branches/0.13/CHANGES.txt 2008-12-12 14:07:02 UTC (rev 93957)
@@ -4,7 +4,11 @@
0.13.1 (unreleased)
===================
+Bug fixes
+---------
+* Closed a bad security hole.
+
0.13 (2008-06-23)
=================
Modified: grok/branches/0.13/src/grok/components.py
===================================================================
--- grok/branches/0.13/src/grok/components.py 2008-12-12 14:01:14 UTC (rev 93956)
+++ grok/branches/0.13/src/grok/components.py 2008-12-12 14:07:02 UTC (rev 93957)
@@ -401,22 +401,19 @@
continue
resource_factories[type] = factory
-
-class DirectoryResourceFactory(object):
+class DirectoryResourceFactory(directoryresource.DirectoryResourceFactory):
# We need this to allow hooking up our own GrokDirectoryResource
# and to set the checker to None (until we have our own checker)
- def __init__(self, path, name):
- # XXX we're not sure about the checker=None here
- self.__dir = directoryresource.Directory(path, None, name)
- self.__name = name
-
def __call__(self, request):
+ # Override this method for the following line, in which our
+ # custom DirectoryResource class is instantiated.
resource = DirectoryResource(self.__dir, request)
+ resource.directory_factory = DirectoryResourceFactory
+ resource.__Security_checker__ = self.__checker
resource.__name__ = self.__name
return resource
-
class Traverser(object):
interface.implements(IBrowserPublisher)
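Review bot: `__call__` reads `self.__dir`, `self.__name` and `self.__checker`, which this class no longer assigns now that its `__init__` is gone; they come from the base `__init__`, and the double-underscore names resolve only because the subclass carries exactly the same class name as `directoryresource.DirectoryResourceFactory`, so Python mangles both to `_DirectoryResourceFactory__dir` and friends. Renaming this class would break every static resource lookup with an AttributeError rather than a clear error, so the dependency deserves a comment above `__call__`: `# NOTE: self.__dir/__checker/__name are set by the base __init__ and resolve here only because this class shares its base's name (name mangling).` The `resource_factories[type] = factory` context at the top of the hunk belongs to a function that starts outside it, and `Traverser` continues past the hunk's end.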
Modified: grok/branches/0.13/src/grok/meta.py
===================================================================
--- grok/branches/0.13/src/grok/meta.py 2008-12-12 14:01:14 UTC (rev 93956)
+++ grok/branches/0.13/src/grok/meta.py 2008-12-12 14:07:02 UTC (rev 93957)
@@ -17,6 +17,7 @@
import zope.component.interface
from zope import interface, component
+from zope.security.checker import NamesChecker
from zope.publisher.interfaces.browser import (IDefaultBrowserLayer,
IBrowserRequest,
IBrowserPublisher,
@@ -326,6 +327,11 @@
return True
+allowed_resource_names = (
+ 'GET', 'HEAD', 'publishTraverse', 'browserDefault', 'request', '__call__')
+
+allowed_resourcedir_names = allowed_resource_names + ('__getitem__', 'get')
+
class StaticResourcesGrokker(martian.GlobalGrokker):
def grok(self, name, module, module_info, config, **kw):
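Review bot: `allowed_resource_names` and `allowed_resourcedir_names` are the allowlist behind the new checker, yet nothing says so or explains why `__getitem__` and `get` are granted only to directories, which is exactly what a maintainer extending the tuple needs to know. A comment above them would carry that: `# Attribute names the public checker exposes on static resources; anything not listed is denied through the security proxy. Directories additionally allow item access for traversal.` Only `allowed_resourcedir_names` is consumed in this commit's visible hunks; if `allowed_resource_names` is used elsewhere, a pointer to that use would help. The `grok` method whose signature closes the hunk continues outside it.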
@@ -349,8 +355,10 @@
"resource directory and a module named "
"'static.py'", module_info.getModule())
+ checker = NamesChecker(allowed_resourcedir_names)
resource_factory = components.DirectoryResourceFactory(
- resource_path, module_info.dotted_name)
+ resource_path, checker, module_info.dotted_name)
+
adapts = (IDefaultBrowserLayer,)
provides = interface.Interface
name = module_info.dotted_name
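Review bot: `checker = NamesChecker(allowed_resourcedir_names)` is rebuilt inside `grok` for every static directory found, although its only input is a module-level constant; it can be created once next to the tuples, e.g. `resourcedir_checker = NamesChecker(allowed_resourcedir_names)` at module level, with `components.DirectoryResourceFactory(resource_path, resourcedir_checker, module_info.dotted_name)` here. A `NamesChecker` built without an explicit permission grants the listed names under the public permission, which is presumably the intent for static resources, and a comment at the construction site stating that would make the choice explicit. The enclosing `grok` method starts and ends outside this hunk.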
Modified: grok/branches/0.13/src/grok/publication.py
===================================================================
--- grok/branches/0.13/src/grok/publication.py 2008-12-12 14:01:14 UTC (rev 93956)
+++ grok/branches/0.13/src/grok/publication.py 2008-12-12 14:07:02 UTC (rev 93957)
@@ -27,6 +27,10 @@
BrowserFactory, XMLRPCFactory, HTTPFactory
from zope.app.http.interfaces import IHTTPException
+from zope.publisher.interfaces.browser import IBrowserView
+from grok.components import View as GrokView
+from grok.components import JSON
+
class ZopePublicationSansProxy(object):
def getApplication(self, request):
@@ -36,8 +40,16 @@
def traverseName(self, request, ob, name):
result = super(ZopePublicationSansProxy, self).traverseName(
request, ob, name)
- return removeSecurityProxy(result)
+ bare_result = removeSecurityProxy(result)
+ if IBrowserView.providedBy(bare_result):
+ if isinstance(bare_result, (GrokView, JSON)):
+ return bare_result
+ else:
+ return result
+ else:
+ return bare_result
+
def callObject(self, request, ob):
checker = selectChecker(ob)
if checker is not None:
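Review bot: the new body of `traverseName` states one rule — strip the security proxy unless the traversed object is a browser view that is not one of Grok's own — through three nested `if`/`else` blocks, and gives no comment on why non-Grok views must keep their proxy. I'd collapse it to `if IBrowserView.providedBy(bare_result) and not isinstance(bare_result, (GrokView, JSON)): return result` followed by `return bare_result`, preceded by a comment such as `# Grok's own views are presumably covered by the checker applied in callObject; third-party views keep their proxy so their own protection still applies.` The class `ZopePublicationSansProxy` begins before this hunk and `callObject` continues past its end.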
Modified: grok/branches/0.13/versions.cfg
===================================================================
--- grok/branches/0.13/versions.cfg 2008-12-12 14:01:14 UTC (rev 93956)
+++ grok/branches/0.13/versions.cfg 2008-12-12 14:07:02 UTC (rev 93957)
@@ -100,7 +100,7 @@
zope.tal = 3.4.1
zope.tales = 3.4
zope.testbrowser = 3.4.2
-zope.testing = 3.5.1
+zope.testing = 3.6.0
zope.thread = 3.4
zope.traversing = 3.4.0
zope.viewlet = 3.4.2