Jens Vagelpohl wrote:
On 22 Nov 2005, at 20:08, Dieter Maurer wrote:
You have lost the thread's start:
George's problem has been that he could not move an object in an *EXTERNAL METHOD*, i.e. in trusted filesystem code.
He would have the same problem in a filesystem product.
The problem is that "CopySupport" performs a local security check (in "_verifyObjectPaste") independent from its caller (it does not matter whether the rename/move/copy was called from trusted or untrusted code).
With appropriate proxy roles, an untrusted Python Script can perform some rename/move/copy that trusted code is unable to perform.
I assume you can agree that this is a somewhat unsane situation...
Yes, that's very odd... thanks for reminding me of the thread's start!
The actual problem here is a confusion of "authorization" with "containment constraints": the CopySupport code is using a single check to test both, which makes it impossible to do the Right Thing (TM): either the proxy roles should be taken into account, in which case the containment constraint may be violated, or they shouldn't, in which case a proxy-role-granted script cannot be used to perform a "controlled" paste which would otherwise not be authorized.

Tres.

--
===================================================================
Tres Seaver          +1 202-558-7113          tseaver@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
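The distinction Tres draws, shown as an added toy model (not Zope's own CopySupport code, and not anyone's posting in this thread). The names User, Container, SecurityContext, META_TYPE_ADD_PERMISSION and the two verify functions are invented for the illustration, as is the sample folder with its role map. The "conflated" verifier answers both questions with one permission lookup against whatever roles are current; the "separated" verifier evaluates the containment constraint with no reference to roles at all and only then asks the authorization question against the effective (possibly proxy) roles. The difference is visible on the last row: a Script running with Manager proxy roles can paste a type the container should never hold under the single check, but not under the split one, while the "controlled" paste of a Folder by that same script is still permitted.

```python
"""Containment constraints vs. authorization in a paste check.

Toy model added to illustrate the thread's point; it is not
Zope's CopySupport._verifyObjectPaste.  All names are invented.
"""
from dataclasses import dataclass
from typing import Optional


class Unauthorized(Exception):
    """The effective roles lack the permission that adding this type needs."""


class ContainmentViolation(Exception):
    """This container never holds objects of this meta_type, whoever asks."""


# Hypothetical registry: the permission adding each meta_type requires.
META_TYPE_ADD_PERMISSION = {
    "Folder": "Add Folders",
    "Document": "Add Documents",
    "Python Script": "Add Python Scripts",
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Container:
    allowed_types: frozenset   # containment constraint: types this container may hold
    roles_for: dict            # local role map: permission -> roles granting it here


@dataclass(frozen=True)
class SecurityContext:
    """Who the check runs as.  proxy_roles is set while an untrusted Script
    with proxy roles executes; trusted filesystem code has none."""
    user: User
    proxy_roles: Optional[frozenset] = None

    def effective_roles(self) -> frozenset:
        return self.proxy_roles if self.proxy_roles is not None else self.user.roles

    def check_permission(self, permission: str, container: Container) -> bool:
        return bool(self.effective_roles() & container.roles_for.get(permission, frozenset()))


def conflated_verify_paste(ctx: SecurityContext, container: Container, meta_type: str) -> None:
    """One permission lookup against the current roles decides both questions.
    Containment is only implied by holding an add permission, so strong enough
    proxy roles paste a type the container should never contain."""
    permission = META_TYPE_ADD_PERMISSION[meta_type]
    if not ctx.check_permission(permission, container):
        raise Unauthorized(f"{sorted(ctx.effective_roles())} lack {permission!r}")


def separated_verify_paste(ctx: SecurityContext, container: Container, meta_type: str) -> None:
    """Containment first, with no reference to roles; then authorization
    against the effective roles, so proxy roles enable a controlled paste
    without being able to relax the structural constraint."""
    if meta_type not in container.allowed_types:
        raise ContainmentViolation(f"{meta_type!r} is not allowed in this container")
    permission = META_TYPE_ADD_PERMISSION[meta_type]
    if not ctx.check_permission(permission, container):
        raise Unauthorized(f"{sorted(ctx.effective_roles())} lack {permission!r}")


def paste_outcome(verify, ctx: SecurityContext, container: Container, meta_type: str) -> str:
    """Run one verifier and report 'ok', 'containment' or 'unauthorized'."""
    try:
        verify(ctx, container, meta_type)
    except ContainmentViolation:
        return "containment"
    except Unauthorized:
        return "unauthorized"
    return "ok"


# Constructed scenario: a folder that may hold Folders and Documents only.
FOLDER = Container(
    allowed_types=frozenset({"Folder", "Document"}),
    roles_for={
        "Add Folders": frozenset({"Manager"}),
        "Add Documents": frozenset({"Manager", "Editor"}),
        "Add Python Scripts": frozenset({"Manager"}),
    },
)
EDITOR = User("alice", frozenset({"Editor"}))
TRUSTED = SecurityContext(EDITOR)                                         # external method
PROXY_SCRIPT = SecurityContext(EDITOR, proxy_roles=frozenset({"Manager"}))  # Script with proxy roles


if __name__ == "__main__":
    for label, ctx in (("trusted code", TRUSTED), ("proxy-role script", PROXY_SCRIPT)):
        for meta_type in ("Document", "Folder", "Python Script"):
            print(f"{label:18} {meta_type:14} "
                  f"conflated={paste_outcome(conflated_verify_paste, ctx, FOLDER, meta_type):13} "
                  f"separated={paste_outcome(separated_verify_paste, ctx, FOLDER, meta_type)}")
```

Run the module directly to print the six-row comparison. Note that the split does not by itself resolve Dieter's original complaint, trusted code being refused what a proxy-role script may do: the authorization leg still runs against the caller's effective roles, and whether trusted filesystem code should be allowed to bypass that leg is a separate decision the model leaves to the caller.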