[Checkins] SVN: z3c.layer.pagelet/trunk/ Fixed security issue: The traverser defined for ``IPageletBrowserLayer`` was a trusted adapter, so the security proxy got removed from each traversed object. Thus all sub-objects were publicly accessible, too.
Michael Howitz
mh at gocept.com
Sat Feb 21 08:53:28 EST 2009
Log message for revision 96915:
Fixed security issue: The traverser defined for ``IPageletBrowserLayer`` was a trusted adapter, so the security proxy got removed from each traversed object. Thus all sub-objects were publicly accessible, too.
Changed:
U z3c.layer.pagelet/trunk/CHANGES.txt
U z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/__init__.py
U z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/ftesting.zcml
U z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/test_layer.py
U z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/zope.traversing.browser.zcml
-=-
Modified: z3c.layer.pagelet/trunk/CHANGES.txt
===================================================================
--- z3c.layer.pagelet/trunk/CHANGES.txt 2009-02-21 13:44:28 UTC (rev 96914)
+++ z3c.layer.pagelet/trunk/CHANGES.txt 2009-02-21 13:53:27 UTC (rev 96915)
@@ -5,7 +5,10 @@
1.1.1 (unreleased)
------------------
-- Nothing changed yet.
+- **Security issue:** The traverser defined for
+ ``IPageletBrowserLayer`` was a trusted adapter, so the security
+ proxy got removed from each traversed object. Thus all sub-objects
+ were publically accessable, too.
1.1.0 (2009-02-14)
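Review bot: spelling in the new entry, "publicly accessible" rather than "publically accessable" (the log message has the same typo). The entry also names only the symptom; state what was changed (the `trusted="True"` attribute dropped from the three `IBrowserPublisher` adapter registrations in zope.traversing.browser.zcml) so that a deployer who has copied or overridden these registrations in site ZCML can tell whether their own copy carries the same flag and needs the same fix.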
Modified: z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/__init__.py
===================================================================
--- z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/__init__.py 2009-02-21 13:44:28 UTC (rev 96914)
+++ z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/__init__.py 2009-02-21 13:53:27 UTC (rev 96915)
@@ -53,3 +53,10 @@
def __call__(self):
raise Exception('simply system error')
return u''
+
+
+class ContainerContentsPage(BrowserPage):
+ """Contents of a conatiner."""
+
+ def __call__(self):
+ return str([type(x) for x in self.context.values()])
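Review bot: typo in the docstring, "conatiner" should be "container". A one-line comment on why the page returns `type(x)` for each value would help: presumably the regression test relies on `type()` of a security-proxied object being the proxy class rather than the content class, which is what makes this page an oracle for whether traversed sub-objects are still proxied. Without the comment it reads like an arbitrary debugging helper, and a later cleanup could replace it with something that no longer reveals the proxy.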
Modified: z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/ftesting.zcml
===================================================================
--- z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/ftesting.zcml 2009-02-21 13:44:28 UTC (rev 96914)
+++ z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/ftesting.zcml 2009-02-21 13:53:27 UTC (rev 96915)
@@ -119,6 +119,14 @@
layer="z3c.layer.pagelet.IPageletBrowserLayer"
class=".SystemErrorPage"
/>
+
+ <browser:page
+ for="*"
+ name="container_contents.html"
+ permission="zope.View"
+ layer="z3c.layer.pagelet.IPageletBrowserLayer"
+ class=".ContainerContentsPage"
+ />
</configure>
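Review bot: `for="*"` registers `container_contents.html` on every object, but `ContainerContentsPage.__call__` calls `self.context.values()`, so the view raises on anything that is not a container. Registering it for `zope.container.interfaces.IReadContainer` (or `IContainer`) keeps the test fixture from offering a view that errors on ordinary content, and the narrower `for` documents what the page is meant to inspect.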
Modified: z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/test_layer.py
===================================================================
--- z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/test_layer.py 2009-02-21 13:44:28 UTC (rev 96914)
+++ z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/tests/test_layer.py 2009-02-21 13:53:27 UTC (rev 96915)
@@ -1,6 +1,6 @@
##############################################################################
#
-# Copyright (c) 2007 Zope Foundation and Contributors.
+# Copyright (c) 2007-2009 Zope Foundation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
@@ -20,19 +20,27 @@
from zope.testing import renormalizing
from zope.app.testing import functional
+
functional.defineLayer('TestLayer', 'ftesting.zcml')
+
checker = renormalizing.RENormalizing([
(re.compile(r'httperror_seek_wrapper:', re.M), 'HTTPError:'),
])
+def create_suite(*args, **kw):
+ suite = functional.FunctionalDocFileSuite(*args, **kw)
+ suite.layer = TestLayer
+ return suite
+
+
def test_suite():
suite = unittest.TestSuite()
- s = functional.FunctionalDocFileSuite('../README.txt', checker=checker)
- s.layer = TestLayer
- suite.addTest(s)
+ suite.addTest(create_suite('../README.txt', checker=checker))
+ suite.addTest(create_suite('bugfixes.txt'))
return suite
+
if __name__ == '__main__':
unittest.main(defaultTest='test_suite')
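Review bot: `create_suite('bugfixes.txt')` references a doctest file that does not appear in this changeset's Changed: list, so `test_suite()` will fail with a missing-file error unless bugfixes.txt was committed separately; the regression test for this security fix should land in the same revision as the fix. Two smaller points: the bugfixes suite is built without the `checker` the README suite gets, so if it exercises an HTTP error the `httperror_seek_wrapper:` output will not be normalised, and PEP 8 wants two blank lines before `def create_suite` (there is none after the `checker = ...` statement).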
Modified: z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/zope.traversing.browser.zcml
===================================================================
--- z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/zope.traversing.browser.zcml 2009-02-21 13:44:28 UTC (rev 96914)
+++ z3c.layer.pagelet/trunk/src/z3c/layer/pagelet/zope.traversing.browser.zcml 2009-02-21 13:53:27 UTC (rev 96915)
@@ -9,7 +9,6 @@
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.app.publication.traversers.SimpleComponentTraverser"
permission="zope.Public"
- trusted="True"
/>
<adapter
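Review bot: dropping `trusted="True"` is the right fix. A trusted adapter is handed the unproxied context, so whatever `SimpleComponentTraverser.publishTraverse` returned from it reached the publisher without a security proxy, and the checker permissions of every object further down the URL never applied. Without the flag the traverser works on the proxied context and the sub-object it returns is obtained through that proxy, so it keeps its checker. `permission="zope.Public"` can stay, since it only governs access to the traverser adapter itself. The regression test should check directly that a traversed sub-object is still security-proxied (the new ContainerContentsPage looks intended for exactly that) rather than only exercising one protected attribute, so a reappearance of `trusted` is caught immediately.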
@@ -18,7 +17,6 @@
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.container.traversal.ItemTraverser"
permission="zope.Public"
- trusted="True"
/>
<adapter
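Review bot: same change for the `ItemTraverser` registration; its `for=` interface is outside the hunk, and ItemTraverser is registered a second time in the next hunk, so make sure the regression doctest traverses into an object matched by each of the two registrations. Otherwise one of them can regain `trusted="True"` later without any test failing.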
@@ -27,7 +25,6 @@
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.container.traversal.ItemTraverser"
permission="zope.Public"
- trusted="True"
/>
<view