[Zope] Security Hole in ZPublisher.BaseRequest.BaseRequest.traverse?

Chris Withers chris at simplistix.co.uk
Wed Feb 16 04:55:57 EST 2005


Hi Dieter,

Dieter Maurer wrote:
> When I remember right, you used a template to verify
> the behaviour you expect Zope to have.
> 
> But a standard template tries to access its client
> (in your setup the protected folder) to show its "title/id".
> And this fails, when the client does not grant "Access contents information"
> (in case "client" is a "Folder" as in your case).
> 
> I suggest, you try again with an "Image" object instead of
> a template or remove all references to "here" and "container"
> in your (Page) template.

Apologies, both you and Bart Hubbard, who pointed out the same 
reasoning, are completely correct. This feels like a pretty horrible 
security hole to me :-(

What do other people think?

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
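Added illustration (not Chris's test, Dieter's, or any Zope code): a small Python model of the distinction Dieter draws between reaching an object and the template's own attempt to read its client. The classes, permission names and rendering functions below are assumptions that mimic Zope's behaviour only as far as the thread describes it: a page template that references "here" or "container" needs "Access contents information" on the folder it is called on, while an Image (or a template with no such references) never looks at the folder at all. Running it shows why the template-based test reports Unauthorized and why an Image is the cleaner probe of traversal itself.

```python
# Added example, not Zope's code: a minimal model of the two separate checks
# Dieter separates in the thread. Class names, permission strings and the
# render functions are assumptions chosen to mimic the described behaviour.

from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a user lacks the permission an access requires."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=lambda: {"Anonymous"})


@dataclass
class SecuredObject:
    """An object with a roles-per-permission map, like a Zope object with its
    security tab. 'title' and 'id' stand in for the attributes that Zope's
    Folder guards with "Access contents information"."""
    id: str
    title: str
    permissions: dict  # permission name -> set of roles allowed

    def check(self, user, permission):
        allowed = self.permissions.get(permission, set())
        if not (user.roles & allowed):
            raise Unauthorized(f"{user.name} lacks {permission!r} on {self.id}")


def traverse(user, obj):
    """Assumed publisher-side check: the request may reach any object it can
    View; the containing folder's settings are deliberately not consulted."""
    obj.check(user, "View")
    return obj


def render_template(user, template, client, path_expressions):
    """A template is traversed (View on the template itself), then each path
    expression such as 'here/title' is resolved against the client folder,
    which requires "Access contents information" on that folder."""
    traverse(user, template)
    out = []
    for expr in path_expressions:
        root, attr = expr.split("/", 1)
        if root not in ("here", "container"):
            raise ValueError(f"unsupported path expression {expr!r}")
        client.check(user, "Access contents information")
        out.append(getattr(client, attr))
    return " ".join(out)


def render_image(user, image):
    """Serving an Image only needs View on the image; it never reads its
    container, so the folder's settings cannot make it fail."""
    traverse(user, image)
    return f"<img src={image.id!r}>"


def run_scenario():
    """Constructed setup mirroring the thread: a folder that denies Anonymous
    "Access contents information", holding a template and an image that
    anyone may View."""
    anonymous = User("anonymous")
    manager = User("manager", {"Manager"})
    protected = SecuredObject("protected", "Protected folder", {
        "Access contents information": {"Manager"},
    })
    public_view = {"View": {"Manager", "Anonymous"}}
    template = SecuredObject("index_html", "Index", public_view)
    image = SecuredObject("logo.gif", "Logo", public_view)

    results = {}
    try:
        results["template_anonymous"] = render_template(
            anonymous, template, protected, ["here/title", "here/id"])
    except Unauthorized as exc:
        results["template_anonymous"] = f"Unauthorized: {exc}"
    results["template_manager"] = render_template(
        manager, template, protected, ["here/title", "here/id"])
    # Same template, same user, but no reference to here/container: renders.
    results["template_no_client_refs"] = render_template(
        anonymous, template, protected, [])
    results["image_anonymous"] = render_image(anonymous, image)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the model is the last two results: the Unauthorized seen by Anonymous comes from the "here/title" lookup, not from reaching the template, so removing those references (or using an Image, as Dieter suggests) is what isolates the traversal question Chris actually wanted to test.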

