[Zope3-Users] Security Problem in z3c.layer/pagelet
Hermann Himmelbauer
dusty at qwer.tk
Wed Feb 6 14:02:38 EST 2008
Hi,
During the development of my application I suddenly noticed that my
context-objects had no security proxy around them, which is bad, as then data
is open to everyone.
After searching and fiddling around, I recognized that this happens when I use
a layer/skin that inherits from z3c.layer.pagelet.IPageletBrowserLayer. If I
inherit from e.g. zope.publisher.interfaces.browser.IBrowserRequest, things
work.
To prove this, I attached a minimal demonstration to this mail - in the
__init__.py file, the offending code is demonstrated. After installing and
adding the object via the ZMI, one can access these links:
http://localhost:8080/MyappSite/index.html
http://localhost:8080/++skin++Myapp/MyappSite/index1.html
It can be seen that the second link, which is based on a skin inheriting from
the IPageletBrowserLayer, has no security proxies around the context.
Interestingly, I develop another application, also based on
IPageletBrowserLayer, which does not suffer from this problem, so I don't
really understand what's happening. I tried to debug the problem but I was
stuck at the implementation of queryMultiAdapter, which seems to somehow
magically remove the security proxy.
I tested this with Python 2.4.4, Zope-3.4.0b2 and Zope-3.4.0c1 and the current
SVN-versions of z3c.layer.
Do you have any clue how to solve this problem?
Best Regards,
Hermann
--
hermann at qwer.tk
GPG key ID: 299893C7 (on keyservers)
FP: 0124 2584 8809 EF2A DBF9 4902 64B4 D16B 2998 93C7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: myapp.tgz
Type: application/x-tgz
Size: 2283 bytes
Desc: not available
Url : http://mail.zope.org/pipermail/zope3-users/attachments/20080206/771c0d74/myapp.bin
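Added illustration, not part of the post above and not code from z3c.layer or zope.security: a small pure-Python model of what a Zope 3 security proxy does, to make concrete what "no security proxy around the context" means and to give the check a view can run on its context. The Checker, Interaction and SecurityProxy classes, the Site context, the permission id "myapp.ViewSecrets" and the sample values are constructed stand-ins written for this example; they model the behaviour, they are not Zope's implementation.

```python
"""Model of Zope 3 security-proxy semantics (stand-in, not zope.security):
a checker maps attribute names to the permission needed to read them, an
interaction carries the principal's granted permissions, and a proxy
enforces the checker on every attribute read. An unproxied object skips
all of this, which is the failure described in the post."""


class Unauthorized(Exception):
    """Principal lacks the permission the attribute requires."""


class ForbiddenAttribute(Exception):
    """Checker has no declaration at all for the attribute name."""


PUBLIC = "zope.Public"  # permission id every principal holds


class Interaction:
    """Stand-in for the current interaction: the principal's permissions."""

    def __init__(self, permissions):
        self.permissions = set(permissions) | {PUBLIC}


class Checker:
    """Maps attribute name -> permission id needed to read it."""

    def __init__(self, get_permissions):
        self.get_permissions = dict(get_permissions)

    def check_getattr(self, interaction, name):
        perm = self.get_permissions.get(name)
        if perm is None:
            raise ForbiddenAttribute(name)
        if perm not in interaction.permissions:
            raise Unauthorized(name, perm)


class SecurityProxy:
    """Wraps an object; every attribute read goes through the checker."""

    __slots__ = ("_obj", "_checker", "_interaction")

    def __init__(self, obj, checker, interaction):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)
        object.__setattr__(self, "_interaction", interaction)

    def __getattr__(self, name):
        # Only reached for names not defined on the proxy itself, i.e. for
        # attributes of the wrapped object: check first, then delegate.
        checker = object.__getattribute__(self, "_checker")
        interaction = object.__getattribute__(self, "_interaction")
        checker.check_getattr(interaction, name)
        return getattr(object.__getattribute__(self, "_obj"), name)


def is_security_proxied(obj):
    """The check a view can run on its context (model of isinstance(ctx, Proxy))."""
    return isinstance(obj, SecurityProxy)


def remove_security_proxy(obj):
    """Model of removeSecurityProxy: hand back the bare object."""
    return object.__getattribute__(obj, "_obj") if is_security_proxied(obj) else obj


class Site:
    """Constructed sample context, standing in for the MyappSite object."""

    def __init__(self):
        self.title = "My site"            # meant to be public
        self.secret_token = "s3cr3t"      # meant to need a permission


# Constructed declarations: "myapp.ViewSecrets" is a hypothetical permission id.
SITE_CHECKER = Checker({"title": PUBLIC, "secret_token": "myapp.ViewSecrets"})


def read_attr(context, name):
    """What a view does with its context: read an attribute.
    Returns ("ok", value) or ("denied", exception class name)."""
    try:
        return ("ok", getattr(context, name))
    except (Unauthorized, ForbiddenAttribute) as exc:
        return ("denied", type(exc).__name__)


def demo():
    """Same context, proxied versus bare, seen by an anonymous principal."""
    anonymous = Interaction(permissions=())
    site = Site()
    proxied = SecurityProxy(site, SITE_CHECKER, anonymous)
    return {
        "proxied": is_security_proxied(proxied),
        "proxied_title": read_attr(proxied, "title"),
        "proxied_secret": read_attr(proxied, "secret_token"),
        "proxied_undeclared": read_attr(proxied, "owner"),
        "bare": is_security_proxied(site),
        "bare_secret": read_attr(site, "secret_token"),  # nothing stops this
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In a real Zope 3 view the equivalent diagnostic is `isinstance(context, zope.security.proxy.Proxy)` (and `zope.security.proxy.removeSecurityProxy` to unwrap); putting that assertion at the top of the view class behind index1.html and requesting the page once through each skin is the quickest way to confirm, per request, whether the skin is what drops the proxy.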