[Zope3-dev] queryAdapter via __conform__
Dominik Huber
dominik.huber at projekt01.ch
Tue Feb 24 06:06:24 EST 2004
Jim Fulton wrote:
>
> Dominik Huber wrote:
> > If queryAdapter is called by a view, the result is an unproxied
> adapted object.
>
> Well, if the object being adaptged is proxied, then queryAdapter will
> either return the object itself, which would be proxied, or it
> would return
> an adapter of the proxied object, in which case you have an adapter
> of a proxy, and the underlying object is protected.
I comprehend this the same way.
> > If __conform__ is invoked during this call, the resulting
> adapted object is proxied.
>
> If you are getting a proxy from __conform__, then the underlying object
> was proxied and the resulting adapter should be proxied.
That is the fact I observed too.
> > I would suggest to extend queryAdapter by a removeAllProxies to
> provid a consistent behavior. Thus for example
> > the __conform__ mechansim could also used in the widget
> framework (editview).
>
> No.
>
> > I will checking this changes if nobody has objections.
>
> I object. Don't check this change in.
> Such a change would cause __conform__ to be a security hole.
>
> Why is a security-proxied adapter a problem?
I'm not against security-proxied adapters but then all adapters should be security-proxied if possible. My sole objection was that the current implementation does not provide a consistent way. IMO the invocation via __coform__ should provide an alternative (similar) way to adapted an object.
I ignored the securtiy aspect (B.3), exuse me, but the the only consistent way without security concerns would be to security-proxy all adapters (via global and conform invocation B.2 and B.4). This conclusion bases on two scenarios: a sample adapter that references a proxied object (A) and a sample adapter that references an unproxied object (B).
IMO already the current implementation could cause the same security hole if sombody stores a unproxied reference to the object inside the adapter (B.1).
A: sample adapter with s._object reference to the proxied object
----------------------------------------------------------------
1. via global lookup (current implementation): adapted isProxy: False, object isProxy: True
*2. via global lookup (security-proxied adapter): adapted isProxy: True, object isProxy: True
3. via conform lookup (incl. removeProxies): adapted isProxy: False, object isProxy: False
4. via conform lookup (excl. removeProxies): adapted isProxy: True, object isProxy: True
B: sample adapter with s._object reference to the unproxied object
------------------------------------------------------------------
1. via global lookup (current implementation): adapted isProxy: False, object isProxy: False
*2. via global lookup (security-proxied adapter): adapted isProxy: True, object isProxy: True
3. via conform lookup (incl. removeProxies): adapted isProxy: False, object isProxy: False
4. via conform lookup (excl. removeProxies): adapted isProxy: True, object isProxy: True
*hypothetical
regards,
dominik
More information about the Zope3-dev
mailing list