[Zope3-dev] Re: Security: getAdapter(self, ISomething) is bad

Jim Fulton jim@zope.com
Tue, 29 Apr 2003 07:26:40 -0400


Steve Alexander wrote:
> Most calls to getAdapter (or queryAdapter) are made on a 
> content-object's behalf.
> 
>   adapter = getAdapter(obj, ISomething)
> 
> In this case, 'obj' is usually security-proxied and context-wrapped.
> 
> However, if I write a content object that calls getAdapter for itself, 
> the 'self' reference to itself will be entirely unwrapped.
> (Unless the method is a ContextMethod or called via a ContextProperty, 
> or the object's class derives from ContextAware, in which case the 
> 'self' argument will be context-wrapped but not security-proxied.)
> 
> So, the adapter will be passed an unwrapped object as its context.
> A malicious adapter implementation can access and set attributes on this 
> object that would normally not be allowed.
> 
> Marius and I have altered Step 7 of the Contact example to demonstrate 
> this.

...

> In this example, someone has (for benign but, in this case, not 
> immediately useful reasons) added a 'getAdapter(self, IPostalInfo)' call 
> to the 'first' method of Contact.
> 
> Someone else has installed a malicious IPostalInfo adapter that looks 
> for an unproxied context, and sets some attributes that it should not be 
> allowed to.
> 
> 
> It is unclear how best to solve this.
> Perhaps getAdapter and queryAdapter should either raise an error if you 
> try to adapt something that is not security-proxied. (This will, of 
> course, break unit tests...)
> Or, perhaps getAdapter and queryAdapter should add a security-proxy 
> around the object before it is passed to the adapter factory.
> In either case, this adds a dependency between the component 
> architecture package and the security proxy package.

I wouldn't want to add security proxies for contexts of *all* adapters.
I suggest we add security proxies to contexts of untrusted adapters only.

Sites that allow creation of persistent modules by untrusted
users would cause such modules to be untrusted. We would arrange for any
data passed into those modules to be security proxied.

Jim

-- 
Jim Fulton           mailto:jim@zope.com       Python Powered!
CTO                  (703) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
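The following is an added, self-contained model of the hazard Steve describes and of the narrower fix Jim proposes; it is not code from this thread or from Zope 3. The `SecurityProxy`, `Checker`, the string "interface" names and the `get_adapter`/`get_adapter_guarded` registry are simplified stand-ins invented for this example, not Zope's real API. A content object adapts its own unwrapped `self`; a malicious adapter looks for an unproxied context and sets an attribute it should not be allowed to. The guarded lookup wraps the context in a security proxy only when the adapter factory is registered as untrusted, so trusted adapters still see the raw object.

```python
# Constructed example: a toy security proxy and adapter registry that
# imitate the idea (not the implementation) of Zope 3's security proxies.

class Forbidden(Exception):
    """Raised when a security proxy denies an attribute access."""


class Checker:
    """Per-class policy: attribute names that may be read / written."""
    def __init__(self, readable=(), writable=()):
        self.readable = frozenset(readable)
        self.writable = frozenset(writable)


class SecurityProxy:
    """Minimal stand-in for a security proxy enforcing a Checker."""
    __slots__ = ("_obj", "_checker")

    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)

    def __getattr__(self, name):
        if name in self._checker.readable:
            return getattr(self._obj, name)
        raise Forbidden(f"read of {name!r} denied")

    def __setattr__(self, name, value):
        if name in self._checker.writable:
            setattr(self._obj, name, value)
        else:
            raise Forbidden(f"write of {name!r} denied")


def is_proxied(obj):
    return isinstance(obj, SecurityProxy)


_checkers = {}   # class -> Checker
_adapters = {}   # interface name -> (factory, trusted)


def define_checker(cls, checker):
    _checkers[cls] = checker


def provide_adapter(iface, factory, trusted):
    _adapters[iface] = (factory, trusted)


def get_adapter(obj, iface):
    """Lookup as described in the thread: the context is passed through as-is."""
    factory, _trusted = _adapters[iface]
    return factory(obj)


def get_adapter_guarded(obj, iface):
    """Jim's proposal: proxy the context only for untrusted adapter factories."""
    factory, trusted = _adapters[iface]
    if not trusted and not is_proxied(obj):
        obj = SecurityProxy(obj, _checkers[type(obj)])
    return factory(obj)


class Contact:
    def __init__(self, first, last, postal_code):
        self.first = first
        self.last = last
        self.postal_code = postal_code
        self.is_admin = False  # an attribute no adapter should be able to flip

    def get_first(self, lookup=get_adapter):
        # The problematic pattern: adapting an unwrapped 'self' inside a method.
        info = lookup(self, "IPostalInfo")
        _ = info.postal_code  # benign use of the adapter
        return self.first


define_checker(Contact, Checker(readable={"first", "last", "postal_code"}))


class MaliciousPostalInfo:
    """Adapter that abuses an unproxied context, as in the altered Step 7 example."""
    def __init__(self, context):
        self.context = context
        if not is_proxied(context):
            context.is_admin = True  # would raise Forbidden through a proxy

    @property
    def postal_code(self):
        return self.context.postal_code


provide_adapter("IPostalInfo", MaliciousPostalInfo, trusted=False)


def run(lookup):
    """Return whether the adapter managed to escalate the contact."""
    c = Contact("Steve", "Alexander", "12345")
    assert c.get_first(lookup) == "Steve"
    return c.is_admin


def write_through_proxy_denied():
    """A direct write attempt through the proxy is refused."""
    p = SecurityProxy(Contact("a", "b", "c"), _checkers[Contact])
    try:
        p.is_admin = True
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("unguarded lookup escalated:", run(get_adapter))          # True
    print("guarded lookup escalated:  ", run(get_adapter_guarded))  # False
```

Note that the guard is only as good as the trust decision: an adapter registered as trusted still receives the raw object, which is exactly the trade-off Jim is choosing over proxying every adapter's context.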