[Zope-Checkins] SVN: Zope/trunk/src/Zope2/App/ Merge security fix from 2.13 branch
Hanno Schlichting
hannosch at hannosch.eu
Tue Jun 28 11:02:22 EDT 2011
Log message for revision 122024:
Merge security fix from 2.13 branch
Changed:
U Zope/trunk/src/Zope2/App/configure.zcml
U Zope/trunk/src/Zope2/App/exclude.zcml
A Zope/trunk/src/Zope2/App/traversing.py
A Zope/trunk/src/Zope2/App/traversing.zcml
-=-
Modified: Zope/trunk/src/Zope2/App/configure.zcml
===================================================================
--- Zope/trunk/src/Zope2/App/configure.zcml 2011-06-28 15:01:56 UTC (rev 122023)
+++ Zope/trunk/src/Zope2/App/configure.zcml 2011-06-28 15:02:22 UTC (rev 122024)
@@ -5,7 +5,7 @@
<include file="meta.zcml" />
<include package="AccessControl" file="permissions.zcml" />
- <include package="zope.traversing" />
+ <include file="traversing.zcml" />
<include package="OFS "/>
<include package="ZPublisher" />
Modified: Zope/trunk/src/Zope2/App/exclude.zcml
===================================================================
--- Zope/trunk/src/Zope2/App/exclude.zcml 2011-06-28 15:01:56 UTC (rev 122023)
+++ Zope/trunk/src/Zope2/App/exclude.zcml 2011-06-28 15:02:22 UTC (rev 122024)
@@ -3,6 +3,7 @@
<exclude package="zope.browserpage" file="meta.zcml" />
<exclude package="zope.browsermenu" file="meta.zcml" />
<exclude package="zope.browserresource" file="meta.zcml" />
+ <exclude package="zope.traversing" />
<exclude package="zope.publisher" file="meta.zcml" />
<exclude package="zope.viewlet" file="meta.zcml" />
Added: Zope/trunk/src/Zope2/App/traversing.py
===================================================================
--- Zope/trunk/src/Zope2/App/traversing.py (rev 0)
+++ Zope/trunk/src/Zope2/App/traversing.py 2011-06-28 15:02:22 UTC (rev 122024)
@@ -0,0 +1,14 @@
+from zExceptions import Forbidden
+from zope.interface.interface import InterfaceClass
+from zope.traversing import namespace
+
+
+class resource(namespace.view):
+
+ def traverse(self, name, ignored):
+ # The context is important here, since it becomes the parent of the
+ # resource, which is needed to generate the absolute URL.
+ res = namespace.getResource(self.context, name, self.request)
+ if isinstance(res, InterfaceClass):
+ raise Forbidden('Access to traverser is forbidden.')
+ return res
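Review bot: The `isinstance(res, InterfaceClass)` check in `traverse` carries no comment saying why an interface must never be returned from this namespace; the existing comment only explains the context/URL point. I would add `# Security: the lookup can hand back an interface object instead of a resource; never publish those.` directly above the `if`. The check is also a denylist on a single type, so any other non-resource object that `namespace.getResource` might return still passes; `getResource` is not shown here, so whether a positive check is feasible needs confirming. The changed-file list contains no test, and a regression test asserting `Forbidden` for an interface result would stop a later refactor from silently dropping the check.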
Property changes on: Zope/trunk/src/Zope2/App/traversing.py
___________________________________________________________________
Added: svn:eol-style
+ native
Added: Zope/trunk/src/Zope2/App/traversing.zcml
===================================================================
--- Zope/trunk/src/Zope2/App/traversing.zcml (rev 0)
+++ Zope/trunk/src/Zope2/App/traversing.zcml 2011-06-28 15:02:22 UTC (rev 122024)
@@ -0,0 +1,61 @@
+<configure xmlns="http://namespaces.zope.org/zope">
+
+ <!-- define default namespace adapters, etc. -->
+ <adapter
+ for="*"
+ factory="zope.traversing.adapters.Traverser"
+ provides="zope.traversing.interfaces.ITraverser" />
+
+ <adapter
+ for="*"
+ factory="zope.traversing.adapters.DefaultTraversable"
+ provides="zope.traversing.interfaces.ITraversable" />
+
+ <adapter
+ name="etc"
+ for="*"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="zope.traversing.namespace.etc"
+ />
+ <adapter
+ name="etc"
+ for="* zope.publisher.interfaces.IRequest"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="zope.traversing.namespace.etc"
+ />
+
+ <adapter
+ name="adapter"
+ for="*"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="zope.traversing.namespace.adapter"
+ />
+ <adapter
+ name="adapter"
+ for="* zope.publisher.interfaces.IRequest"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="zope.traversing.namespace.adapter"
+ />
+
+ <adapter
+ name="skin"
+ for="* zope.publisher.interfaces.IRequest"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="zope.traversing.namespace.skin"
+ />
+
+ <adapter
+ name="resource"
+ for="* zope.publisher.interfaces.IRequest"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="Zope2.App.traversing.resource"
+ />
+
+ <adapter
+ name="view"
+ for="* zope.publisher.interfaces.IRequest"
+ provides="zope.traversing.interfaces.ITraversable"
+ factory="zope.traversing.namespace.view"
+ />
+
+</configure>
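Review bot: Nothing in traversing.zcml says that it is a local copy of the zope.traversing adapter registrations with only the `resource` namespace pointed at `Zope2.App.traversing.resource`. Because exclude.zcml now excludes the `zope.traversing` package configuration, registrations added or changed upstream will not reach Zope2 unless this file is updated by hand. I would replace the opening comment with `<!-- Copy of zope.traversing's adapter registrations; the "resource" namespace is overridden for a security fix. Keep in sync with upstream. -->`. It is also worth confirming that any namespace registered upstream but absent from this list is left out on purpose.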
Property changes on: Zope/trunk/src/Zope2/App/traversing.zcml
___________________________________________________________________
Added: svn:eol-style
+ native