[Zope] Security Hole in ZPublisher.BaseRequest.BaseRequest.traverse?
Chris Withers
chris at simplistix.co.uk
Wed Feb 16 04:55:57 EST 2005
Hi Dieter,
Dieter Maurer wrote:
> When I remember right, you used a template to verify
> the behaviour you expect Zope to have.
>
> But a standard template tries to access its client
> (in your setup the protected folder) to show its "title/id".
> And this fails, when the client does not grant "Access contents information"
> (in case "client" is a "Folder" as in your case).
>
> I suggest, you try again with an "Image" object instead of
> a template or remove all references to "here" and "container"
> in your (Page) template.
Apologies, both you and Bart Hubbard, who pointed out the same
reasoning, are completely correct. This feels like a pretty horrible
security hole to me :-(
What do other people think?
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
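The behaviour Dieter describes can be made concrete with a small toy model. The following is an added, constructed illustration and not Zope's own code: it assumes a simplified object tree in which permissions acquire from the parent, URL traversal validates only the "View" permission on the object finally reached, a page template additionally reads its container's id (so it needs "Access contents information" on the container), and an Image object never touches its container. The role names, permission names, and the site layout (a protected folder holding a template and an image) are constructed for the example.

```python
"""Toy model of the traversal-versus-template behaviour discussed above.
Constructed for illustration; it is not Zope's BaseRequest.traverse."""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


@dataclass
class Node:
    id: str
    # permission name -> roles allowed; absent permissions acquire from the parent
    permissions: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)
    parent: "Node | None" = None
    kind: str = "folder"  # "folder", "template" or "image"

    def add(self, child):
        child.parent = self
        self.children[child.id] = child
        return child

    def allowed(self, permission, roles):
        # Walk up until some ancestor defines the permission (acquisition-style).
        node = self
        while node is not None:
            if permission in node.permissions:
                return bool(node.permissions[permission] & roles)
            node = node.parent
        return False


def traverse(root, path, roles):
    """Resolve a URL path; only the final object's "View" permission is validated."""
    obj = root
    for name in [p for p in path.split("/") if p]:
        if name not in obj.children:
            raise KeyError(name)
        obj = obj.children[name]
    if not obj.allowed("View", roles):
        raise Unauthorized(f"View on {obj.id}")
    return obj


def render_template(template, roles):
    """A template showing its container's id needs "Access contents information" there."""
    container = template.parent
    if not container.allowed("Access contents information", roles):
        raise Unauthorized(f"Access contents information on {container.id}")
    return f"{template.id} in {container.id}"


def render_image(image, roles):
    """An Image only needs "View" on itself; it never reads its container."""
    if not image.allowed("View", roles):
        raise Unauthorized(f"View on {image.id}")
    return f"<img src='{image.id}'>"


def build_site():
    # Constructed layout: a protected folder (Manager only) containing a template
    # and an image that both grant "View" to Anonymous.
    root = Node("root", {"View": {"Anonymous", "Manager"},
                         "Access contents information": {"Anonymous", "Manager"}})
    protected = root.add(Node("protected", {"View": {"Manager"},
                                            "Access contents information": {"Manager"}}))
    protected.add(Node("page", {"View": {"Anonymous", "Manager"}}, kind="template"))
    protected.add(Node("logo", {"View": {"Anonymous", "Manager"}}, kind="image"))
    return root


def outcome(path, roles):
    """Return "ok" or the failing permission check for a request by the given roles."""
    root = build_site()
    try:
        obj = traverse(root, path, roles)
        if obj.kind == "template":
            render_template(obj, roles)
        else:
            render_image(obj, roles)
        return "ok"
    except Unauthorized as exc:
        return str(exc)


if __name__ == "__main__":
    for path in ("/protected/page", "/protected/logo"):
        print(path, "as Anonymous ->", outcome(path, {"Anonymous"}))
        print(path, "as Manager   ->", outcome(path, {"Manager"}))
```

Running it shows the distinction in the thread: traversal reaches both objects for an anonymous user because each grants "View" itself, but rendering the template then fails on the container's "Access contents information", while the image renders. The template failure therefore says nothing about whether traversal into the protected folder was blocked; an Image (or a template with no "here"/"container" references) is the right probe for that question.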