[Checkins] SVN: z3c.layer.minimal/branches/1.0/ backport security fix from z3c.layer.pagelet
Christophe Combelles
ccomb at free.fr
Sat Apr 17 18:59:31 EDT 2010
Log message for revision 111019:
backport security fix from z3c.layer.pagelet
Changed:
U z3c.layer.minimal/branches/1.0/CHANGES.txt
U z3c.layer.minimal/branches/1.0/setup.py
U z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt
U z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py
A z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt
U z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml
U z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py
U z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml
U z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml
-=-
Modified: z3c.layer.minimal/branches/1.0/CHANGES.txt
===================================================================
--- z3c.layer.minimal/branches/1.0/CHANGES.txt 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/CHANGES.txt 2010-04-17 22:59:31 UTC (rev 111019)
@@ -2,6 +2,18 @@
CHANGES
=======
+1.0.2 (2010-04-18)
+------------------
+
+- **Security issue:** The traverser defined for
+ ``IPageletBrowserLayer`` was a trusted adapter, so the security
+ proxy got removed from each traversed object. Thus all sub-objects
+ were publically accessable, too.
+
+ Making this change might BREAK your application!
+ That means if security is not well declared.
+
+
1.0.1 (2008-01-24)
------------------
@@ -34,7 +46,7 @@
- Bug: Fixed test failures due to depency updates.
-- Restructure: Fixed deprecation warninf for ``ZopeSecurityPolicy``.
+- Restructure: Fixed deprecation warning for ``ZopeSecurityPolicy``.
0.2.1 (2007-??-??)
Modified: z3c.layer.minimal/branches/1.0/setup.py
===================================================================
--- z3c.layer.minimal/branches/1.0/setup.py 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/setup.py 2010-04-17 22:59:31 UTC (rev 111019)
@@ -26,7 +26,7 @@
setup(
name = 'z3c.layer.minimal',
- version = '1.0.1',
+ version = '1.0.2',
author='Zope Foundation and Contributors',
author_email = "zope-dev at zope.org",
description = "Minimal layer setup for Zope3",
Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt 2010-04-17 22:59:31 UTC (rev 111019)
@@ -3,17 +3,17 @@
================================
This package contains the minimal layer. This layer supports a correct set of
-component registration and can be used for inheritation in custom skins.
+component registration and can be used for inheritance in custom skins.
Right now the default implementation in Zope3 has different restriction in the
-traversal concept and use to much registration on the default layer.
+traversal concept and uses to many registrations on the default layer.
``IMinimalBrowserLayer`` Interface
----------------------------------
The minimal layer is useful for build custom presentation skins without access
-to ZMI menus like `zmi_views` etc. This means there is no menu item registred
+to ZMI menus like `zmi_views` etc. This means there is no menu item registered
if you use this layer.
This layer is NOT derived from ``IDefaultBrowserLayer``. Therefore it provides
Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py 2010-04-17 22:59:31 UTC (rev 111019)
@@ -44,7 +44,7 @@
context = self.context
request = self.request
for name in self.macro_pages:
- page = zope.component.getMultiAdapter((context, request),
+ page = zope.component.getMultiAdapter((context, request),
name=name)
try:
v = page[key]
@@ -76,4 +76,12 @@
def __call__(self):
raise Exception('simply system error')
- return u''
\ No newline at end of file
+ return u''
+
+
+class ContainerContentsPage(BrowserPage):
+ """Contents of a conatiner."""
+
+ def __call__(self):
+ return str([type(x) for x in self.context.values()])
+
Added: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt (rev 0)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt 2010-04-17 22:59:31 UTC (rev 111019)
@@ -0,0 +1,27 @@
+==========
+ Bugfixes
+==========
+
+Traversed objects where not security proxied
+============================================
+
+When an object got traversed its security proxy was removed, so its
+sub-objects could be publically accessed. To show that this behavior
+was fixed we put a folder into the root folder and look at its
+contents using a view:
+
+ >>> import zope.app.folder
+ >>> getRootFolder()['test'] = zope.app.folder.Folder()
+
+ >>> from zope.testbrowser.testing import Browser
+ >>> manager = Browser()
+ >>> manager.addHeader('Authorization', 'Basic mgr:mgrpw')
+ >>> skinURL = 'http://localhost/++skin++MinimalTesting'
+ >>> manager.open(skinURL + '/container_contents.html')
+
+The view displays the types of the content objects inside the root
+folder. The content objects are security proxied:
+
+ >>> print manager.contents
+ [<type 'zope.security._proxy._Proxy'>]
+
Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml 2010-04-17 22:59:31 UTC (rev 111019)
@@ -129,4 +129,12 @@
class=".SystemErrorPage"
/>
+ <browser:page
+ for="*"
+ name="container_contents.html"
+ permission="zope.View"
+ layer="z3c.layer.minimal.IMinimalBrowserLayer"
+ class=".ContainerContentsPage"
+ />
+
</configure>
Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py 2010-04-17 22:59:31 UTC (rev 111019)
@@ -1,6 +1,6 @@
##############################################################################
#
-# Copyright (c) 2005 Zope Foundation and Contributors.
+# Copyright (c) 2007-2010 Zope Foundation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
@@ -15,20 +15,32 @@
$Id: test_layer.py 73898 2007-03-29 09:10:19Z shh $
"""
+import re
import unittest
+from zope.testing import renormalizing
from zope.app.testing import functional
+
functional.defineLayer('TestLayer', 'ftesting.zcml')
+checker = renormalizing.RENormalizing([
+ (re.compile(r'httperror_seek_wrapper:', re.M), 'HTTPError:'),
+ ])
+
+
+def create_suite(*args, **kw):
+ suite = functional.FunctionalDocFileSuite(*args, **kw)
+ suite.layer = TestLayer
+ return suite
+
+
def test_suite():
suite = unittest.TestSuite()
+ suite.addTest(create_suite('../README.txt', checker=checker))
+ suite.addTest(create_suite('bugfixes.txt'))
+ return suite
- s = functional.FunctionalDocFileSuite('../README.txt')
- s.layer = TestLayer
- suite.addTest(s)
- return suite
-
if __name__ == '__main__':
unittest.main(defaultTest='test_suite')
Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml 2010-04-17 22:59:31 UTC (rev 111019)
@@ -1,14 +1,14 @@
<configure
xmlns="http://namespaces.zope.org/zope"
- xmlns:browser="http://namespaces.zope.org/browser"
i18n_domain="z3c">
- <browser:view
+ <view
for="zope.app.publication.interfaces.IFileContent"
+ type="z3c.layer.minimal.IMinimalBrowserLayer"
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
- class="zope.app.publication.traversers.FileContentTraverser"
+ factory="zope.app.publication.traversers.FileContentTraverser"
permission="zope.Public"
- layer="z3c.layer.minimal.IMinimalBrowserLayer"
+ allowed_interface="zope.publisher.interfaces.browser.IBrowserPublisher"
/>
</configure>
Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml 2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml 2010-04-17 22:59:31 UTC (rev 111019)
@@ -9,7 +9,6 @@
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.app.publication.traversers.SimpleComponentTraverser"
permission="zope.Public"
- trusted="True"
/>
<adapter
@@ -18,7 +17,6 @@
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.app.container.traversal.ItemTraverser"
permission="zope.Public"
- trusted="True"
/>
<adapter
@@ -27,7 +25,6 @@
provides="zope.publisher.interfaces.browser.IBrowserPublisher"
factory="zope.app.container.traversal.ItemTraverser"
permission="zope.Public"
- trusted="True"
/>
<view
More information about the checkins
mailing list