AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

Stephan Richter srichter at cosmos.phy.tufts.edu
Tue Dec 18 09:16:24 EST 2007


On Tuesday 18 December 2007, Jim Fulton wrote:
> > If we register "absolute_url" in a layer which isn't
> > used in a skin, then this view is not available as
> > traversable view because of the missing layer/named skin
> > configuration.
>
> Which does nothing to "protect" you from components registered for the  
> default layer or for IBrowserRequest.

Yes, because in our code we never ever expose the registrations in the default 
layer. We consider that layer hostile. :-) (Eventually we hope to rid 
ourselves of even importing any configuration that registers into the 
browser layer, but the Zope packages need some refactoring to do this in a 
sane way.)

IBrowserRequest is a big problem, since it is the base interface for all 
layers. I used to scan the ZCML for components registered for 
IBrowserRequest. I have not done this in a while, but should make it a habit 
again. I hope that security analysis tools, such as z3c.securitytool will 
eventually help us identify those problems.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
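A scan of the kind Stephan describes, as an added example that is not from the thread or from the Zope packages: it parses ZCML and flags `browser:` directives that have no `layer` attribute (so they land in the default layer) or that name IBrowserRequest, the base of every layer. The set of audited directives and the sample ZCML are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
IBROWSERREQUEST = "zope.publisher.interfaces.browser.IBrowserRequest"
# Assumption: the browser: directives worth auditing for layer placement.
AUDITED = {"page", "view", "resource", "resourceDirectory", "addform", "editform"}


def _walk(elem, inherited_layer, findings):
    """Depth-first walk; <browser:pages> passes its layer down to its <browser:page> children."""
    if elem.tag.startswith("{" + BROWSER_NS + "}"):
        directive = elem.tag.split("}", 1)[1]
        layer = elem.get("layer", inherited_layer)
        if directive in AUDITED:
            name = elem.get("name", "")
            if layer is None:
                findings.append((directive, name, None, "no layer attribute: default layer"))
            elif layer == IBROWSERREQUEST or layer.endswith(".IBrowserRequest"):
                findings.append((directive, name, layer, "registered for IBrowserRequest"))
        if directive == "pages":
            inherited_layer = layer
    for child in elem:
        _walk(child, inherited_layer, findings)


def audit_zcml(zcml_text):
    """Return (directive, name, layer, reason) for every registration that is
    visible from the default layer or from IBrowserRequest."""
    findings = []
    _walk(ET.fromstring(zcml_text), None, findings)
    return findings


# Constructed sample: one correctly layered view, one in the default layer,
# and one group of pages registered on IBrowserRequest.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page name="absolute_url" for="*" class="example.views.AbsoluteURL"
                permission="zope.Public" layer="example.layers.IExampleLayer" />
  <browser:page name="index.html" for="*" class="example.views.Index"
                permission="zope.Public" />
  <browser:pages for="*" class="example.views.Admin" permission="zope.ManageContent"
                 layer="zope.publisher.interfaces.browser.IBrowserRequest">
    <browser:page name="edit.html" attribute="edit" />
  </browser:pages>
</configure>
"""

if __name__ == "__main__":
    for directive, name, layer, reason in audit_zcml(SAMPLE_ZCML):
        print(f"browser:{directive} {name!r} layer={layer!r}: {reason}")
```

Run it over each ZCML file a package ships; `absolute_url` above is clean, while `index.html` and `edit.html` are the registrations the mail warns about.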

