[Zope3-dev] queryAdapter via __conform__

Jim Fulton jim at zope.com
Tue Feb 24 07:09:15 EST 2004


Dominik Huber wrote:
> 

...

>>Why is a security-proxied adapter a problem?
> 
> 
> I'm not against security-proxied adapters but then all adapters should be
> security-proxied if possible.

I don't agree.

> My sole objection was that the current implementation
> does not provide a consistent way. IMO the invocation via __conform__ should provide
> an alternative (similar) way to adapt an object.

But __conform__ is a very different mechanism. Given that it is
a very different mechanism, I'm not surprised that the way things
are proxied is different.

> I ignored the security aspect (B.3), excuse me, but the only
> consistent way without security concerns would be to security-proxy
> all adapters (via global and conform invocation B.2 and B.4).
> This conclusion is based on two scenarios: a sample adapter that references
> a proxied object (A) and a sample adapter that references an unproxied object (B).
>
> IMO already the current implementation could cause the same security hole
> if somebody stores an unproxied reference to the object inside the adapter (B.1).

But for someone to do this, they'd need an unproxied reference to the object
in the first place, in which case they could do what they wanted anyway.  This introduces
no new hole.  The only way that code can get an unproxied reference to an object
is if the code is trusted.

> 
> A: sample adapter with s._object reference to the proxied object
> ----------------------------------------------------------------
> 
> 1. via global lookup (current implementation): adapted isProxy: False, object isProxy: True
> *2. via global lookup (security-proxied adapter): adapted isProxy: True, object isProxy: True
> 3. via conform lookup (incl. removeProxies): adapted isProxy: False, object isProxy: False
> 4. via conform lookup (excl. removeProxies): adapted isProxy: True, object isProxy: True
> 
> B: sample adapter with s._object reference to the unproxied object
> ------------------------------------------------------------------
> 
> 1. via global lookup (current implementation): adapted isProxy: False, object isProxy: False
> *2. via global lookup (security-proxied adapter): adapted isProxy: True, object isProxy: True
> 3. via conform lookup (incl. removeProxies): adapted isProxy: False, object isProxy: False
> 4. via conform lookup (excl. removeProxies): adapted isProxy: True, object isProxy: True
> 
> *hypothetical

What is important is that the underlying content is protected.
The current schema achieves that.  Adding extra proxies around adapters
that adapt proxied objects doesn't improve the protection. Removing proxies
around adapters of unproxied objects removes needed protection.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
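
The closing point of the message, as an added example that is not part of the original post and is not Zope's code: a toy allow-list proxy stands in for a security proxy (an assumption; `Proxy`, `Document` and `SampleAdapter` are hypothetical names). It shows that a bare adapter over a proxied object still cannot reach protected content, while an adapter over an unproxied object exposes it unless the adapter itself is proxied.

```python
class Forbidden(Exception):
    """Raised by the toy proxy for any name outside its allow-list."""

class Proxy:
    """Toy security proxy (assumption: a plain allow-list of attribute names)."""
    __slots__ = ("_obj", "_allowed")

    def __init__(self, obj, allowed):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattribute__(self, name):
        if name not in object.__getattribute__(self, "_allowed"):
            raise Forbidden(name)
        return getattr(object.__getattribute__(self, "_obj"), name)

class Document:  # constructed sample content
    def __init__(self):
        self.title = "public title"
        self.secret = "private body"

class SampleAdapter:
    """Hypothetical adapter keeping its context in _object, as in scenarios A and B."""
    def __init__(self, context):
        self._object = context

    def title(self):
        return self._object.title

    def leak(self):
        return self._object.secret  # tries to read protected content

def attempt(fn):
    try:
        return fn()
    except Forbidden:
        return "forbidden"

def scenarios():
    doc = Document()
    a = SampleAdapter(Proxy(doc, {"title"}))          # A: bare adapter, proxied object
    b = SampleAdapter(doc)                            # B: bare adapter, unproxied object
    b_proxied = Proxy(SampleAdapter(doc), {"title"})  # B with the adapter proxied
    return {
        "A.title": attempt(lambda: a.title()),
        "A.leak": attempt(lambda: a.leak()),
        "A._object.secret": attempt(lambda: a._object.secret),
        "B_bare._object.secret": attempt(lambda: b._object.secret),
        "B_proxied.title": attempt(lambda: b_proxied.title()),
        "B_proxied._object": attempt(lambda: b_proxied._object),
    }
```
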
