[Checkins] SVN: z3c.layer.pagelet/branches/adamg-backportfixes/ r96915

Adam Groszer agroszer at gmail.com
Fri Apr 3 04:44:07 EDT 2009


Log message for revision 98821:
  r96915
  Fixed security issue: The traverser defined for ``IPageletBrowserLayer`` was a trusted adapter, so the security proxy got removed from each traversed object. Thus all sub-objects were publicly accessible, too.
  
  BUT got 2 errors (most probably security)

Changed:
  U   z3c.layer.pagelet/branches/adamg-backportfixes/CHANGES.txt
  U   z3c.layer.pagelet/branches/adamg-backportfixes/buildout.cfg
  U   z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/README.txt
  U   z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/__init__.py
  A   z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/bugfixes.txt
  U   z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/ftesting.zcml
  U   z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/test_layer.py
  U   z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/zope.traversing.browser.zcml

-=-
Modified: z3c.layer.pagelet/branches/adamg-backportfixes/CHANGES.txt
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/CHANGES.txt	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/CHANGES.txt	2009-04-03 08:44:06 UTC (rev 98821)
@@ -5,6 +5,11 @@
 1.0.2dev (unreleased)
 ---------------------
 
+- **Security issue:** The traverser defined for
+  ``IPageletBrowserLayer`` was a trusted adapter, so the security
+  proxy got removed from each traversed object. Thus all sub-objects
+  were publically accessable, too.
+  
 - Bugfix: use IContentTemplate instead of IPageTemplate which avoids to get the
   layout template if no IPageTemplate is registered
 
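Review bot: the new changelog entry misspells "publically accessable" (should be "publicly accessible"), and the `+  ` line after it carries trailing whitespace; both should be fixed before release, since CHANGES.txt ships with the package. The entry also speaks of "the traverser" in the singular while the zope.traversing.browser.zcml change in this same revision drops `trusted="True"` from three adapter registrations; listing them makes it easier for users to judge whether they are affected.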

Modified: z3c.layer.pagelet/branches/adamg-backportfixes/buildout.cfg
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/buildout.cfg	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/buildout.cfg	2009-04-03 08:44:06 UTC (rev 98821)
@@ -1,8 +1,23 @@
+#
+# remove KGS 3.4 before commit!!!!!!!!!!!!
+#
+
 [buildout]
+extends = http://download.zope.org/zope3.4/3.4.0/versions.cfg
+versions = versions
 develop = .
 
 parts = test checker coverage
 
+[versions]
+z3c.indexer = 0.5.1
+z3c.authenticator = 0.6.0
+zc.configuration = 1.0
+z3c.jsonrpc = 0.5.2
+z3c.menu.ready2go = 0.5.1
+z3c.searcher = 0.5.1
+
+
 [test]
 recipe = zc.recipe.testrunner
 eggs = z3c.layer.pagelet [test]
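Review bot: the `# remove KGS 3.4 before commit!!!!!!!!!!!!` comment says this block is scaffolding, yet the `extends = http://download.zope.org/zope3.4/3.4.0/versions.cfg` line, `versions = versions` and the whole `[versions]` pin list are being committed. If the pins are needed to reproduce the two test errors mentioned in the log message, say so in the comment and keep them on the branch only; otherwise drop them, as they pin packages (z3c.indexer, z3c.jsonrpc, z3c.searcher, ...) that z3c.layer.pagelet does not use.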

Modified: z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/README.txt
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/README.txt	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/README.txt	2009-04-03 08:44:06 UTC (rev 98821)
@@ -47,7 +47,7 @@
   >>> manager = Browser()
   >>> manager.addHeader('Authorization', 'Basic mgr:mgrpw')
 
-Check if we can access the ``page.html`` view which is registred in the
+Check if we can access the ``page.html`` view which is registered in the
 ``ftesting.zcml`` file with our skin:
 
   >>> manager = Browser()

Modified: z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/__init__.py
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/__init__.py	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/__init__.py	2009-04-03 08:44:06 UTC (rev 98821)
@@ -54,4 +54,11 @@
 
     def __call__(self):
         raise Exception('simply system error')
-        return u''
\ No newline at end of file
+        return u''
+
+
+class ContainerContentsPage(BrowserPage):
+    """Contents of a conatiner."""
+
+    def __call__(self):
+        return str([type(x) for x in self.context.values()])
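Review bot: `ContainerContentsPage` is registered `for="*"` in ftesting.zcml but calls `self.context.values()`, which raises AttributeError for any non-container context; either register it for `zope.app.container.interfaces.IContainer` only or document that the view is meant to be called on the root folder alone. The docstring misspells "conatiner", and the `return u''` after `raise Exception('simply system error')` is unreachable; this hunk only re-adds it to gain the trailing newline, so it can be dropped instead.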

Copied: z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/bugfixes.txt (from rev 96923, z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/bugfixes.txt)
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/bugfixes.txt	                        (rev 0)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/bugfixes.txt	2009-04-03 08:44:06 UTC (rev 98821)
@@ -0,0 +1,26 @@
+==========
+ Bugfixes
+==========
+
+Traversed objects where not security proxied
+============================================
+
+When an object got traversed its security proxy was removed, so its
+sub-objects could be publically accessed. To show that this behavior
+was fixed we put a folder into the root folder and look at its
+contents using a view:
+
+  >>> import zope.app.folder
+  >>> getRootFolder()['test'] = zope.app.folder.Folder()
+
+  >>> from zope.testbrowser.testing import Browser
+  >>> manager = Browser()
+  >>> manager.addHeader('Authorization', 'Basic mgr:mgrpw')
+  >>> skinURL = 'http://localhost/++skin++PageletTestSkin'
+  >>> manager.open(skinURL + '/container_contents.html')
+
+The view displays the types of the content objects inside the root
+folder. The content objects are security proxied:
+
+  >>> print manager.contents
+  [<type 'zope.security._proxy._Proxy'>]
\ No newline at end of file
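Review bot: the heading "Traversed objects where not security proxied" should read "were", and the expected output `[<type 'zope.security._proxy._Proxy'>]` ties the test to the repr of a private class, which can change between zope.security releases; having the view report `removeSecurityProxy(x) is not x` for each child and printing the resulting booleans would be a more stable assertion. The doctest also only exercises the authenticated manager: it shows the proxy is present, but does not check that a browser without the needed permission is now refused access to the traversed sub-objects, which is the behaviour the log message describes as fixed.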

Modified: z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/ftesting.zcml
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/ftesting.zcml	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/ftesting.zcml	2009-04-03 08:44:06 UTC (rev 98821)
@@ -45,6 +45,7 @@
   <!-- zope core component -->
   <include package="zope.annotation" />
   <include package="zope.app.appsetup" />
+  <include package="zope.app.authentication" />
   <include package="zope.app.component" />
   <include package="zope.app.container" />
   <include package="zope.app.error" />
@@ -121,6 +122,14 @@
         layer="z3c.layer.pagelet.IPageletBrowserLayer"
         class=".SystemErrorPage"
         />
+
+    <browser:page
+        for="*"
+        name="container_contents.html"
+        permission="zope.View"
+        layer="z3c.layer.pagelet.IPageletBrowserLayer"
+        class=".ContainerContentsPage"
+        />
   </configure>
 
 
@@ -137,8 +146,8 @@
   <principal
       id="zope.manager"
       title="Manager"
-      login="Manager"
-      password="password"
+      login="mgr"
+      password="mgrpw"
       />
 
   <grant
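Review bot: changing the manager principal to `login="mgr"` / `password="mgrpw"` lines up with the `Authorization: Basic mgr:mgrpw` header used in README.txt and bugfixes.txt, but it is a shared fixture change unrelated to the traverser fix and will break any other doctest that still authenticates as `Manager`/`password`; it deserves its own line in the log message so the cause of the "2 errors" is easier to bisect.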

Modified: z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/test_layer.py
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/test_layer.py	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/tests/test_layer.py	2009-04-03 08:44:06 UTC (rev 98821)
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Copyright (c) 2007 Zope Foundation and Contributors.
+# Copyright (c) 2007-2009 Zope Foundation and Contributors.
 # All Rights Reserved.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -20,19 +20,27 @@
 from zope.testing import renormalizing
 from zope.app.testing import functional
 
+
 functional.defineLayer('TestLayer', 'ftesting.zcml')
 
+
 checker = renormalizing.RENormalizing([
     (re.compile(r'httperror_seek_wrapper:', re.M), 'HTTPError:'),
     ])
 
 
+def create_suite(*args, **kw):
+    suite = functional.FunctionalDocFileSuite(*args, **kw)
+    suite.layer = TestLayer
+    return suite
+
+
 def test_suite():
     suite = unittest.TestSuite()
-    s = functional.FunctionalDocFileSuite('../README.txt', checker=checker)
-    s.layer = TestLayer
-    suite.addTest(s)
+    suite.addTest(create_suite('../README.txt', checker=checker))
+    suite.addTest(create_suite('bugfixes.txt'))
     return suite
 
+
 if __name__ == '__main__':
     unittest.main(defaultTest='test_suite')
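Review bot: `create_suite('bugfixes.txt')` does not pass `checker=checker` while the README suite does; if bugfixes.txt ever prints an HTTPError, the `httperror_seek_wrapper:` normalization will not apply to it. Pass the checker to both calls for consistency.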

Modified: z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/zope.traversing.browser.zcml
===================================================================
--- z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/zope.traversing.browser.zcml	2009-04-03 08:43:08 UTC (rev 98820)
+++ z3c.layer.pagelet/branches/adamg-backportfixes/src/z3c/layer/pagelet/zope.traversing.browser.zcml	2009-04-03 08:44:06 UTC (rev 98821)
@@ -9,7 +9,6 @@
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.app.publication.traversers.SimpleComponentTraverser"
       permission="zope.Public"
-      trusted="True"
       />
 
   <adapter
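Review bot: dropping `trusted="True"` is the actual fix: `SimpleComponentTraverser` now receives the security-proxied object, so whatever it returns for a sub-path stays proxied and the publisher's permission checks apply to every traversed object, not only the first one. Keeping `permission="zope.Public"` is correct, since it guards only the traverser adapter itself, not the objects it hands back.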
@@ -18,7 +17,6 @@
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.app.container.traversal.ItemTraverser"
       permission="zope.Public"
-      trusted="True"
       />
 
   <adapter
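Review bot: with `trusted` gone, `ItemTraverser` performs its lookup through the proxied container, so the container's `__getitem__`/`get` must be permitted to the requesting principal for traversal to succeed at all. If the two errors mentioned in the log message are Unauthorized or ForbiddenAttribute failures, the container checkers in ftesting.zcml are the place to look, not the traverser registration.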
@@ -27,7 +25,6 @@
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.app.container.traversal.ItemTraverser"
       permission="zope.Public"
-      trusted="True"
       />
 
   <view


