AW: [Zope3-dev] Re: skin support for xmlrpc

Roger Ineichen dev at projekt01.ch
Sat Sep 15 11:35:20 EDT 2007


Hi Christian

> Subject: [Zope3-dev] Re: skin support for xmlrpc
> 
> On 2007-09-14 18:54:01 +0200, "Fred Drake" <fdrake at gmail.com> said:
> 
> > On 9/14/07, Roger Ineichen <dev at projekt01.ch> wrote:
> >> If you register views for a base request type, you probably will open
> >> a backdoor in other projects. Because
> > 
> > I'm not advocating registering views for the base request types
> > generally, but only the way to specify in the URL what the request
> > type is.  Because sometimes we really do want completely separate sets
> > of XML-RPC (or whatever) interfaces.
> 
> Ok, then I suggest:
> 
> * Provide an IRequestType interface in zope.publisher
> * Provide an ++api++ traverser in zope.traversing which does
>   `getUtility(IRequestType, *name*)`.
> * define class IBrowserSkinType(IRequestType)
> * Leave ++skin++ for IBrowserSkinType or just make it the same as ++api++
> * Keep layer="" on <xmlrpc:view>, <browser:page> etc.
> 
> Comments?


If I understand the concept correctly, this is a built-in backdoor.

Doesn't this allow bypassing the Apache rewrite rule?
With: http://www.foobar.com/++api++xmlrpc/doSomething

If the rewrite rule in Apache is:

RewriteRule (/?.*) http://localhost:8080/++skin++OnlyHere/++vh++https:www.foobar.com:443/++$1 [P,L]


Or does the ++api++ namespace recognize the skin?
That would mean the rewritten URL is:
http://www.foobar.com/++skin++OnlyHere/++api++xmlrpc/doSomething

But then, do we need to register the ++api++ for each
layer? I guess this is not what you are asking for, right?

My main issue on this thread is always the same:
Skins are a security layer, so don't bypass them; otherwise
this lets us use views which we don't want to
provide in a layer/skin.

I really don't understand this thread. Does nobody
take care of default traversal APIs? I'm really
confused now. Probably I don't see something or don't understand
it correctly. Do you understand what I mean with
this backdoor use case? Or am I totally wrong?

Regards
Roger Ineichen

> --
> Christian Zagrodnick
> 
> gocept gmbh & co. kg . forsterstrasse 29 . 06112 halle/saale
> www.gocept.com . fon. +49 345 12298894 . fax. +49 345 12298891
> 
> 
> 

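The question in the message above is what the Zope backend actually receives once the quoted Apache rule has proxied a request that already carries a ++api++ (or any other ++ns++) segment. The following Python model is an added example for this archive page, not code from the thread or from Zope itself. It applies the rule's pattern and substitution exactly as quoted, then splits the resulting path into traversal segments using Zope's ++namespace++name syntax (the ++vh++ segment is modelled as swallowing everything up to its closing "++" marker, which is how the quoted rule terminates it). It goes slightly beyond the message's single example by also feeding a client-supplied ++skin++ segment through the rule. It shows only what the rewrite forwards; what the proposed ++api++ traverser or the publisher would do with a second request-type segment is not modelled.

```python
import re
from urllib.parse import urlsplit

# Pattern and substitution of the RewriteRule quoted in the message above.
# Apache uses PCRE; this pattern uses nothing that differs from Python's re.
REWRITE_PATTERN = re.compile(r"(/?.*)")
REWRITE_TARGET = (
    "http://localhost:8080/++skin++OnlyHere"
    "/++vh++https:www.foobar.com:443/++$1"
)

# Zope traversal namespace segment: ++ns++name
NS_RE = re.compile(r"^\+\+(\w+)\+\+(.*)$")


def apply_rewrite(request_path):
    """Return the backend URL the [P] (proxy) flag would forward to.

    request_path is the path part of the incoming request, as Apache
    matches it against the RewriteRule pattern (leading slash included).
    """
    m = REWRITE_PATTERN.match(request_path)
    return REWRITE_TARGET.replace("$1", m.group(1))


def traversal_segments(url):
    """Split a URL path into segments in traversal order.

    Returns a list of (namespace, name) tuples; namespace is None for a
    plain object name.  A ++vh++ segment consumes every following segment
    up to and including the closing '++' marker, as in the quoted rule.
    """
    parts = [p for p in urlsplit(url).path.split("/") if p]
    segs = []
    i = 0
    while i < len(parts):
        m = NS_RE.match(parts[i])
        if m is None:
            segs.append((None, parts[i]))
            i += 1
            continue
        ns, name = m.group(1), m.group(2)
        if ns == "vh":
            j = i + 1
            while j < len(parts) and parts[j] != "++":
                j += 1
            segs.append(("vh", "/".join([name] + parts[i + 1:j])))
            i = j + 1  # skip the closing "++"
        else:
            segs.append((ns, name))
            i += 1
    return segs


def request_type_segments(request_path):
    """Namespace segments that select a skin or request type, in order.

    This is what Roger is asking about: after the proxy has prefixed
    ++skin++OnlyHere, does a client-supplied ++api++ (or ++skin++) still
    reach the publisher, and in which order?
    """
    segs = traversal_segments(apply_rewrite(request_path))
    return [(ns, name) for ns, name in segs if ns in ("skin", "api")]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for path in ("/doSomething",
                 "/++api++xmlrpc/doSomething",
                 "/++skin++Other/doSomething"):
        print(path, "->", apply_rewrite(path))
        print("   segments:", traversal_segments(apply_rewrite(path)))
        print("   request-type segments:", request_type_segments(path))
```

For the plain request the backend sees only the skin the proxy added. For the two other requests the rule forwards the client's ++api++ or ++skin++ segment unchanged, positioned after ++skin++OnlyHere and the ++vh++ block, so the rewrite rule by itself does not filter them out; whether the publisher then honours the later segment is exactly the property the thread is debating.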