AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
Stephan Richter
srichter at cosmos.phy.tufts.edu
Tue Dec 18 09:16:24 EST 2007
On Tuesday 18 December 2007, Jim Fulton wrote:
> > If we register "absolute_url" in a layer which isn't
> > used in a skin, then this view is not available as
> > traversable view because of the missing layer/named skin
> > configuration.
>
> Which does nothing to "protect" you from components registered for the
> default layer or for IBrowserRequest.
Yes, because in our code we never ever expose the registrations in the default
layer. We consider that layer hostile. :-) (Eventually we hope to rid
ourselves of even importing any configuration that registers into the
browser layer, but the Zope packages need some refactoring to do this in a
sane way.)
IBrowserRequest is a big problem, since it is the base interface for all
layers. I used to scan the ZCML for components registered for
IBrowserRequest. I have not done this in a while, but should make it a habit
again. I hope that security analysis tools, such as z3c.securitytool will
eventually help us identify those problems.
Regards,
Stephan
--
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
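The ZCML scan Stephan describes (looking for registrations that land on IBrowserRequest or in the default layer, and therefore show up in every skin) can be automated. The script below is an added example for this thread; it is not code from the mailing list, from Zope or from z3c.securitytool. The namespaces and directive attributes are real ZCML, but the ZCML snippet and the module paths in it (myapp.browser.*, myapp.skin.IMyLayer) are constructed for illustration.

```python
"""Scan ZCML for view registrations that end up visible to every skin.

Added example for this thread; it is not code from the mailing list, from
Zope or from z3c.securitytool.  The namespaces and directive attributes are
real ZCML; the module paths in SAMPLE_ZCML are made up for illustration.
"""
import xml.etree.ElementTree as ET

ZOPE_NS = "http://namespaces.zope.org/zope"
BROWSER_NS = "http://namespaces.zope.org/browser"
IBROWSER_REQUEST = "zope.publisher.interfaces.browser.IBrowserRequest"
DEFAULT_LAYER = "zope.publisher.interfaces.browser.IDefaultBrowserLayer"

# browser:* directives that accept a ``layer`` attribute and default to
# IDefaultBrowserLayer when it is omitted.
LAYERED_DIRECTIVES = {"page", "pages", "view", "resource",
                      "resourceDirectory", "defaultView", "icon"}

REASON_DEFAULT_LAYER = "no layer attribute: registered for IDefaultBrowserLayer"
REASON_IBROWSER = "registered for IBrowserRequest, the base of every layer"

# Constructed sample.  Only the first registration is confined to a custom
# layer; the other two are reachable from any skin.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page name="absolute_url" for="*"
      class="myapp.browser.AbsoluteURL" permission="zope.Public"
      layer="myapp.skin.IMyLayer" />
  <browser:page name="debug" for="*"
      class="myapp.browser.Debug" permission="zope.Public" />
  <adapter name="raw"
      for="* zope.publisher.interfaces.browser.IBrowserRequest"
      provides="zope.interface.Interface"
      factory="myapp.browser.Raw" permission="zope.Public" />
</configure>
"""


def _split_tag(tag):
    """'{ns}local' -> (ns, local); a tag without a namespace gives ('', local)."""
    ns, _, local = tag.rpartition("}")
    return ns.lstrip("{"), local


def find_risky_registrations(zcml_text):
    """Return (directive, name, reason) for every registration that is not
    confined to an explicit custom layer, in document order.

    Reported cases:
      * any directive whose ``for``, ``type`` or ``layer`` names
        IBrowserRequest, which every browser layer derives from;
      * a layer-taking browser:* directive with no ``layer`` attribute
        (ZCML registers it for IDefaultBrowserLayer) or naming that layer.
    """
    root = ET.fromstring(zcml_text)
    findings = []
    for el in root.iter():
        ns, local = _split_tag(el.tag)
        prefix = {BROWSER_NS: "browser", ZOPE_NS: "zope"}.get(ns, ns)
        directive = "%s:%s" % (prefix, local)
        name = el.get("name", "")
        layer = el.get("layer")
        for_ifaces = el.get("for", "").split()   # zope:adapter lists several
        request_type = el.get("type", "")        # zope:view uses ``type``

        if (IBROWSER_REQUEST in for_ifaces or request_type == IBROWSER_REQUEST
                or layer == IBROWSER_REQUEST):
            findings.append((directive, name, REASON_IBROWSER))
        elif (ns == BROWSER_NS and local in LAYERED_DIRECTIVES
                and (layer is None or layer == DEFAULT_LAYER)):
            findings.append((directive, name, REASON_DEFAULT_LAYER))
    return findings


if __name__ == "__main__":
    for directive, name, reason in find_risky_registrations(SAMPLE_ZCML):
        print("%-14s %-14s %s" % (directive, name, reason))
```

Run against a real tree, you would feed each configure.zcml to find_risky_registrations and expect an empty list for packages that are meant to be skin-confined; the absolute_url page above passes because it carries an explicit layer, while the layer-less page and the multi-adapter on IBrowserRequest are exactly the registrations Jim points out a skin cannot hide. Directives that were `include`d or registered via `zope:view` with a `layer` attribute are covered by the same attribute checks; pure-Python registrations (provideAdapter calls) are not visible to a ZCML scan at all.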