[Zope3-dev] Re: security and adapters
Garrett Smith
garrett at mojave-corp.com
Mon Oct 6 16:45:55 EDT 2003
Phillip J. Eby wrote:
> At 02:02 PM 10/6/03 -0500, Garrett Smith wrote:
>
>> zapi.getAdapter is returning non-security-proxied objects, which can
>> be used to bypass security for an object.
>>
>> Shouldn't adapters be proxied?
>
>
> I might be a bit out of my depth here, but wouldn't that only give you
> access to the adapter? I mean, if you adapt a proxied object, it's
> still proxied, right?

If the object being adapted implements the interface being requested,
the object will be proxied. If a new adapter object is created via the
factory, that object is not proxied.

> Now, if you can access the adapter's methods' im_func.func_globals, and
> thus get to unprotected builtins, that would certainly be a problem for
> code running in restricted mode. But I thought the restricted mode
> prevented access to such things?

I believe that's the intent of restricted mode.

But I'm inclined to think that any adapter should be proxied, in the
same way that view context objects are proxied. It's easy for views to
unknowingly perform operations that would otherwise be restricted were
the adapters proxied. For example, an adapter that provides IAnnotations
might update an attribute or access metadata stored in a database - the
view has no idea what it's doing wrt permissions.

I'm definitely out of my depth here - I'm sure there's a lot more to the
issue that I'm raising. What I do know is that it's difficult to lock
down security-related issues with our app because adapters aren't proxied.

-- Garrett
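
The distinction drawn in this thread, as an added example that is not part of the original message and is not Zope's code: a simplified pure-Python model of an adapter lookup that returns a factory-created adapter either bare or wrapped in a permission-checking proxy. `Proxy`, `get_adapter`, the checker dictionaries and the permission names are hypothetical stand-ins, not the zope.security API.

```python
# Simplified model of the thread's scenario; NOT the zope.security API.
# All names here (Proxy, get_adapter, checkers, permissions) are hypothetical.
class Forbidden(Exception):
    pass

class Proxy:
    """Allows attribute reads only when the checker's permission is granted."""
    def __init__(self, obj, checker, granted):
        object.__setattr__(self, "_s", (obj, checker, granted))
    def __getattr__(self, name):
        obj, checker, granted = object.__getattribute__(self, "_s")
        if checker.get(name) not in granted:
            raise Forbidden(name)
        return getattr(obj, name)
    def __setattr__(self, name, value):
        raise Forbidden(name)

class Document:
    provides = {"IDocument"}
    title = "draft"

STORE = {}  # constructed stand-in for annotation storage outside the document

class AnnotationsAdapter:
    def __init__(self, context):
        self.context = context  # still the proxied document
    def set(self, key, value):  # the adapter itself performs no permission check
        STORE.setdefault(self.context.title, {})[key] = value

DOC_CHECKER = {"provides": "View", "title": "View"}
ADAPTER_CHECKER = {"set": "ManageContent"}

def get_adapter(obj, iface, granted, proxy_new_adapters):
    if iface in obj.provides:
        return obj  # object already provides iface: returned as-is, still proxied
    adapter = AnnotationsAdapter(obj)  # new object created by the factory
    return Proxy(adapter, ADAPTER_CHECKER, granted) if proxy_new_adapters else adapter

def demo():
    granted = {"View"}  # the calling view may only read
    doc = Proxy(Document(), DOC_CHECKER, granted)
    same = get_adapter(doc, "IDocument", granted, False) is doc
    # Bare adapter: the write succeeds although the caller holds only "View".
    get_adapter(doc, "IAnnotations", granted, False).set("owner", "x")
    try:
        get_adapter(doc, "IAnnotations", granted, True).set("owner", "y")
        blocked = False
    except Forbidden:
        blocked = True  # proxied adapter: the same call is refused
    return same, dict(STORE), blocked
```

In this model the adapted document stays proxied in both cases; only the adapter's own methods differ in whether a permission is checked before they run.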