[Zope3-dev] security and adapters
Phillip J. Eby
pje at telecommunity.com
Mon Oct 6 16:15:39 EDT 2003
At 02:02 PM 10/6/03 -0500, Garrett Smith wrote:
>zapi.getAdapter is returning non-security-proxied objects, which can be
>used to bypass security for an object.
>
>Shouldn't adapters be proxied?

I might be a bit out of my depth here, but wouldn't that only give you
access to the adapter? I mean, if you adapt a proxied object, it's still
proxied, right?

Now, if you can access the adapter's methods' im_func.func_globals, and
thus get to unprotected builtins, that would certainly be a problem for
code running in restricted mode. But I thought the restricted mode
prevented access to such things?
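The case raised in the reply above, as an added example that is not part of the original message and is not Zope's code: a toy allow-list proxy wraps a content object, and an unproxied adapter that simply stores the context it is handed adapts it. `make_proxy`, `Document` and `TitleAdapter` are hypothetical names, and the sketch does not model zope.security itself or restricted-mode execution.

```python
class Forbidden(Exception):
    """Raised when a name is not on the proxy's allow-list."""


def make_proxy(obj, allowed):
    """Return a toy security proxy: only names in `allowed` are reachable."""
    allowed = frozenset(allowed)

    class Proxy(object):
        def __getattribute__(self, name):
            if name not in allowed:
                raise Forbidden(name)
            return getattr(obj, name)

    return Proxy()


class Document(object):
    """Constructed sample content object."""
    def __init__(self, title, owner_notes):
        self.title = title
        self.owner_notes = owner_notes


class TitleAdapter(object):
    """Hypothetical adapter: it just stores the context it is handed."""
    def __init__(self, context):
        self.context = context

    def shout(self):
        return self.context.title.upper()

    def leak(self):
        return self.context.owner_notes


def demo():
    doc = make_proxy(Document("Budget", "internal only"), allowed={"title"})
    adapter = TitleAdapter(doc)  # the adapter itself is NOT proxied
    results = {"shout": adapter.shout()}
    checks = {"leak": adapter.leak,
              "direct": lambda: adapter.context.owner_notes}
    for label, call in checks.items():
        try:
            call()
            results[label] = "allowed"
        except Forbidden as exc:
            results[label] = "forbidden: %s" % exc
    return results
```

Under that assumption the unproxied adapter reaches only what the context's proxy already allows; an adapter that is handed an unwrapped context would behave differently.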