[Zope] Re: Security Hole in ZPublisher.BaseRequest.BaseRequest.traverse?
Tres Seaver
tseaver at zope.com
Wed Feb 16 07:33:26 EST 2005
Chris Withers wrote:
| Hi Dieter,
|
| Dieter Maurer wrote:
|
|> If I remember right, you used a template to verify
|> the behaviour you expect Zope to have.
|>
|> But a standard template tries to access its client
|> (in your setup the protected folder) to show its "title/id".
|> And this fails, when the client does not grant "Access contents
|> information"
|> (in case "client" is a "Folder" as in your case).
|>
|> I suggest you try again with an "Image" object instead of
|> a template or remove all references to "here" and "container"
|> in your (Page) template.
|
|
| Apologies, both you and Bart Hubbard, who pointed out the same
| reasoning, are completely correct. This feels like a pretty horrible
| security hole to me :-(
|
| What do other people think?

This is *by design*, Chris: it allows for "customers who have
customers" to set up access to subsites, without requiring that users
who can see the subsite have *any* privileges at the layers above.
In Unixy terms, this is like making the parent directories "a+x" (they
can be traversed) without requiring that they be "a+r" (readable).

FWIW, Zope3 allows this choice to be pluggable, because traversal is
governed by view components, which are configured by default to check
access.

Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
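
A toy model of the two traversal policies discussed in this thread, added here as an illustration; it is not Zope code and not from any of the posters. `Node`, `traverse`, `exposed_below_protected`, the per-object role sets and the sample tree are all assumptions made for the example. The audit function lists objects a role can still reach even though a container above them denies that role.

```python
# Toy model, not Zope code. Role names and the object tree are constructed.
class Node:
    def __init__(self, name, allowed_roles, children=()):
        self.name = name
        self.allowed = set(allowed_roles)      # roles that may access this object
        self.children = {c.name: c for c in children}

def traverse(root, path, role, check_every_step):
    """Walk path from root and return the target, or raise PermissionError.

    check_every_step=False checks only the final object (parents are "a+x").
    check_every_step=True also checks every container passed through.
    """
    node = root
    for part in filter(None, path.split("/")):
        if check_every_step and role not in node.allowed:
            raise PermissionError(f"{role} may not pass through {node.name!r}")
        node = node.children[part]             # KeyError for an unknown name
    if role not in node.allowed:
        raise PermissionError(f"{role} may not access {node.name!r}")
    return node

def exposed_below_protected(root, role):
    """Audit: paths `role` can reach although an ancestor denies `role`."""
    found = []
    def walk(node, path, ancestor_denied):
        if ancestor_denied and role in node.allowed:
            found.append(path)
        denied = ancestor_denied or role not in node.allowed
        for child in node.children.values():
            walk(child, f"{path}/{child.name}", denied)
    walk(root, "", False)
    return found

# Constructed site: a Manager-only folder holding one public image.
SITE = Node("", {"Anonymous", "Manager"}, [
    Node("protected", {"Manager"}, [
        Node("logo", {"Anonymous", "Manager"}),
        Node("report", {"Manager"}),
    ]),
])

if __name__ == "__main__":
    print(traverse(SITE, "/protected/logo", "Anonymous", False).name)
    print(exposed_below_protected(SITE, "Anonymous"))
```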