[Checkins] SVN: z3c.layer.minimal/branches/1.0/ backport security fix from z3c.layer.pagelet

Christophe Combelles ccomb at free.fr
Sat Apr 17 18:59:31 EDT 2010


Log message for revision 111019:
  backport security fix from z3c.layer.pagelet
  

Changed:
  U   z3c.layer.minimal/branches/1.0/CHANGES.txt
  U   z3c.layer.minimal/branches/1.0/setup.py
  U   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt
  U   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py
  A   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt
  U   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml
  U   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py
  U   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml
  U   z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml

-=-
Modified: z3c.layer.minimal/branches/1.0/CHANGES.txt
===================================================================
--- z3c.layer.minimal/branches/1.0/CHANGES.txt	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/CHANGES.txt	2010-04-17 22:59:31 UTC (rev 111019)
@@ -2,6 +2,18 @@
 CHANGES
 =======
 
+1.0.2 (2010-04-18)
+------------------
+
+- **Security issue:** The traverser defined for
+  ``IPageletBrowserLayer`` was a trusted adapter, so the security
+  proxy got removed from each traversed object. Thus all sub-objects
+  were publically accessable, too.
+
+  Making this change might BREAK your application!
+  That means if security is not well declared.
+
+
 1.0.1 (2008-01-24)
 ------------------
 
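Review bot: The new entry names ``IPageletBrowserLayer``, but this package's layer is ``IMinimalBrowserLayer`` (see the `layer=`/`type=` attributes in ftesting.zcml and zope.app.publication.zcml in this same commit); the text was carried over from z3c.layer.pagelet and should say "The traversers defined for ``IMinimalBrowserLayer`` were trusted adapters". While touching it: "publically accessable" should read "publicly accessible", and the last two sentences read better as one, e.g. "This change might BREAK your application if its security declarations are incomplete, because traversed objects are now security proxied."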
@@ -34,7 +46,7 @@
 
 - Bug: Fixed test failures due to depency updates.
 
-- Restructure: Fixed deprecation warninf for ``ZopeSecurityPolicy``.
+- Restructure: Fixed deprecation warning for ``ZopeSecurityPolicy``.
 
 
 0.2.1 (2007-??-??)

Modified: z3c.layer.minimal/branches/1.0/setup.py
===================================================================
--- z3c.layer.minimal/branches/1.0/setup.py	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/setup.py	2010-04-17 22:59:31 UTC (rev 111019)
@@ -26,7 +26,7 @@
 
 setup(
     name = 'z3c.layer.minimal',
-    version = '1.0.1',
+    version = '1.0.2',
     author='Zope Foundation and Contributors',
     author_email = "zope-dev at zope.org",
     description = "Minimal layer setup for Zope3",

Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/README.txt	2010-04-17 22:59:31 UTC (rev 111019)
@@ -3,17 +3,17 @@
 ================================
 
 This package contains the minimal layer. This layer supports a correct set of
-component registration and can be used for inheritation in custom skins.
+component registration and can be used for inheritance in custom skins.
 
 Right now the default implementation in Zope3 has different restriction in the
-traversal concept and use to much registration on the default layer.
+traversal concept and uses to many registrations on the default layer.
 
 
 ``IMinimalBrowserLayer`` Interface
 ----------------------------------
 
 The minimal layer is useful for build custom presentation skins without access
-to ZMI menus like `zmi_views` etc. This means there is no menu item registred
+to ZMI menus like `zmi_views` etc. This means there is no menu item registered
 if you use this layer.
 
 This layer is NOT derived from ``IDefaultBrowserLayer``. Therefore it provides
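Review bot: The corrected sentence still has a typo: "uses to many registrations" should be "uses too many registrations" (and "different restriction" on the line above would read better as "different restrictions").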

Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/__init__.py	2010-04-17 22:59:31 UTC (rev 111019)
@@ -44,7 +44,7 @@
         context = self.context
         request = self.request
         for name in self.macro_pages:
-            page = zope.component.getMultiAdapter((context, request), 
+            page = zope.component.getMultiAdapter((context, request),
                 name=name)
             try:
                 v = page[key]
@@ -76,4 +76,12 @@
 
     def __call__(self):
         raise Exception('simply system error')
-        return u''
\ No newline at end of file
+        return u''
+
+
+class ContainerContentsPage(BrowserPage):
+    """Contents of a conatiner."""
+
+    def __call__(self):
+        return str([type(x) for x in self.context.values()])
+
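Review bot: Typo in the new class docstring: "conatiner" should be "container"; a docstring saying what the page is for ("Lists the types of the context's values, so tests can check that they are security proxied") would make the intent of `ContainerContentsPage` clear to the next reader. Unrelated to the fix but visible in the hunk: the `return u''` after `raise Exception(...)` in `SystemErrorPage.__call__` is unreachable and could be dropped while the missing trailing newline is being fixed.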

Added: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt	                        (rev 0)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/bugfixes.txt	2010-04-17 22:59:31 UTC (rev 111019)
@@ -0,0 +1,27 @@
+==========
+ Bugfixes
+==========
+
+Traversed objects where not security proxied
+============================================
+
+When an object got traversed its security proxy was removed, so its
+sub-objects could be publically accessed. To show that this behavior
+was fixed we put a folder into the root folder and look at its
+contents using a view:
+
+  >>> import zope.app.folder
+  >>> getRootFolder()['test'] = zope.app.folder.Folder()
+
+  >>> from zope.testbrowser.testing import Browser
+  >>> manager = Browser()
+  >>> manager.addHeader('Authorization', 'Basic mgr:mgrpw')
+  >>> skinURL = 'http://localhost/++skin++MinimalTesting'
+  >>> manager.open(skinURL + '/container_contents.html')
+
+The view displays the types of the content objects inside the root
+folder. The content objects are security proxied:
+
+  >>> print manager.contents
+  [<type 'zope.security._proxy._Proxy'>]
+
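Review bot: The heading has a typo, "Traversed objects where not security proxied" should be "were". On the test itself: the view is opened on the root folder, which the publication hands out directly, so the hunk never sends the request through the `ItemTraverser` registrations that lost `trusted="True"`; opening `skinURL + '/test/container_contents.html'` (after putting a child into the `test` folder) would exercise the traversal path this commit changes. Also, asserting on the literal `zope.security._proxy._Proxy` type name pins the test to that proxy implementation; comparing against `type(zope.security.proxy.ProxyFactory(object()))` or checking `zope.security.proxy.removeSecurityProxy(x) is not x` would state the same property without the implementation detail.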

Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/ftesting.zcml	2010-04-17 22:59:31 UTC (rev 111019)
@@ -129,4 +129,12 @@
       class=".SystemErrorPage"
       />
 
+  <browser:page
+      for="*"
+      name="container_contents.html"
+      permission="zope.View"
+      layer="z3c.layer.minimal.IMinimalBrowserLayer"
+      class=".ContainerContentsPage"
+      />
+
 </configure>
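Review bot: `for="*"` registers `container_contents.html` on every object in the test layer, while `ContainerContentsPage.__call__` unconditionally calls `self.context.values()` and will raise on anything that is not a container; for a test-only fixture that is tolerable, but `for="zope.app.container.interfaces.IContainer"` (or `IReadContainer`) would document the actual precondition and keep the page from showing up on non-containers.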

Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/tests/test_layer.py	2010-04-17 22:59:31 UTC (rev 111019)
@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Copyright (c) 2005 Zope Foundation and Contributors.
+# Copyright (c) 2007-2010 Zope Foundation and Contributors.
 # All Rights Reserved.
 #
 # This software is subject to the provisions of the Zope Public License,
@@ -15,20 +15,32 @@
 $Id: test_layer.py 73898 2007-03-29 09:10:19Z shh $
 """
 
+import re
 import unittest
+from zope.testing import renormalizing
 from zope.app.testing import functional
 
+
 functional.defineLayer('TestLayer', 'ftesting.zcml')
 
 
+checker = renormalizing.RENormalizing([
+    (re.compile(r'httperror_seek_wrapper:', re.M), 'HTTPError:'),
+    ])
+
+
+def create_suite(*args, **kw):
+    suite = functional.FunctionalDocFileSuite(*args, **kw)
+    suite.layer = TestLayer
+    return suite
+
+
 def test_suite():
     suite = unittest.TestSuite()
+    suite.addTest(create_suite('../README.txt', checker=checker))
+    suite.addTest(create_suite('bugfixes.txt'))
+    return suite
 
-    s = functional.FunctionalDocFileSuite('../README.txt')
-    s.layer = TestLayer
-    suite.addTest(s)
 
-    return suite
-
 if __name__ == '__main__':
     unittest.main(defaultTest='test_suite')
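Review bot: The `re.M` flag in the `checker` pattern has no effect because `r'httperror_seek_wrapper:'` contains no `^`/`$` anchors; either drop it or add a comment saying why the `httperror_seek_wrapper:` to `HTTPError:` normalization is needed (mechanize/urllib2 version differences in the README doctest output). Passing `checker=checker` only to the README suite is fine since `bugfixes.txt` does not assert on HTTP error output, but `create_suite` could accept a default checker so both suites normalize the same way if that ever changes.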

Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.app.publication.zcml	2010-04-17 22:59:31 UTC (rev 111019)
@@ -1,14 +1,14 @@
 <configure
     xmlns="http://namespaces.zope.org/zope"
-    xmlns:browser="http://namespaces.zope.org/browser"
     i18n_domain="z3c">
 
-  <browser:view
+  <view
       for="zope.app.publication.interfaces.IFileContent"
+      type="z3c.layer.minimal.IMinimalBrowserLayer"
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
-      class="zope.app.publication.traversers.FileContentTraverser"
+      factory="zope.app.publication.traversers.FileContentTraverser"
       permission="zope.Public"
-      layer="z3c.layer.minimal.IMinimalBrowserLayer"
+      allowed_interface="zope.publisher.interfaces.browser.IBrowserPublisher"
       />
 
 </configure>
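Review bot: The `IFileContent` traverser is now registered through the zope-namespace `view` directive (`type=` instead of `layer=`, `factory=` instead of `class=`) with `permission="zope.Public"` and `allowed_interface="...IBrowserPublisher"`, so it is wrapped with a checker like the `adapter` registrations in zope.traversing.browser.zcml instead of being handed the unproxied context; that is the right counterpart to dropping `trusted="True"` there, but it is a registration change that the CHANGES.txt entry does not mention and should. Dropping `xmlns:browser` is safe here because the hunk covers the whole 14-line file and no `browser:` directive remains in it.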

Modified: z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml
===================================================================
--- z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml	2010-04-17 21:53:40 UTC (rev 111018)
+++ z3c.layer.minimal/branches/1.0/src/z3c/layer/minimal/zope.traversing.browser.zcml	2010-04-17 22:59:31 UTC (rev 111019)
@@ -9,7 +9,6 @@
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.app.publication.traversers.SimpleComponentTraverser"
       permission="zope.Public"
-      trusted="True"
       />
 
   <adapter
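Review bot: Removing `trusted="True"` is the substantive fix: a trusted adapter receives the unwrapped context, so every object the `SimpleComponentTraverser` returned from `publishTraverse` escaped the security proxy and its sub-objects were reachable without any permission check. Without the attribute the traverser operates on the proxied context and its results stay proxied, so the per-object security declarations apply again; keeping `permission="zope.Public"` is correct since it only governs the `IBrowserPublisher` methods of the adapter itself. Worth stating this rationale in a comment next to the registration so nobody reintroduces `trusted="True"` to silence a ForbiddenAttribute error.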
@@ -18,7 +17,6 @@
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.app.container.traversal.ItemTraverser"
       permission="zope.Public"
-      trusted="True"
       />
 
   <adapter
@@ -27,7 +25,6 @@
       provides="zope.publisher.interfaces.browser.IBrowserPublisher"
       factory="zope.app.container.traversal.ItemTraverser"
       permission="zope.Public"
-      trusted="True"
       />
 
   <view
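Review bot: Same `trusted="True"` removal for the second `ItemTraverser` registration as in the two hunks above, so all three traverser adapters in this file now run untrusted, which is the consistent outcome; the `for=` interfaces are outside the hunk context, so please confirm there is no further traverser registration in this file (or in zope.app.publication.zcml) that still carries `trusted="True"`.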
