[Zope] Silly question

Chris McDonough chrism at plope.com
Thu Jun 2 17:33:40 EDT 2005


Yup.

FWIW, the actual bit of code that would need to change is around line
299 of ZPublisher/BaseRequest.py:

                if entry_name[:1]=='_':
                    if debug_mode:
                        return response.debugError(
                          "Object name begins with an underscore at: %s" % URL)
                    else: return response.forbiddenError(entry_name)

Those five lines are pretty important, and though a patch might be
small, the impact of any change is potentially very large.  I probably
wouldn't be able to spare the time to review any patch for inclusion in
mainline Zope that allowed underscore traversal from a security
perspective just because I'd be paranoid enough to need to do a lot of
work to properly do the review.  OTOH, you can probably get what you
want by patching your source locally.

- C


On Thu, 2005-06-02 at 16:34 -0400, Dan Pozmanter wrote:
> The name could change easily enough.
> 
> How about __bobo_always_allow__
> 
> Which can either be:
> None
> A List of traversable items
> A method that takes the path, and returns whether or not it is
> traversable.
> 
> So for a path p:
> 
> if p[0] == '_':
>     if p_object.__bobo_always_allow__:
>         if type(p_object.__bobo_always_allow__) is type([]):
>             if p in p_object.__bobo_always_allow__:
>                 pass  # allow
>             else:
>                 pass  # Do what is normally done for '_' bits.
>         else:
>             if p_object.__bobo_always_allow__(p):
>                 pass  # allow
>             else:
>                 pass  # Do what is normally done for '_' bits.
>     else:
>         pass  # Do what is normally done for '_' bits.
> 
> Something vaguely like that.
> 
> That way you could either specify the exact items that start with '_',
> or have a method determine it on the fly.
> 
> This way you would not automatically make all attributes that start with
> an underscore accessible, and the developer could specify exceptions.
> 
> -----Original Message-----
> From: Chris McDonough [mailto:chrism at plope.com] 
> Sent: Thursday, June 02, 2005 4:15 PM
> To: Dan Pozmanter
> Cc: zope at zope.org
> Subject: Re: [Zope] Silly question
> 
> The DWIM of not disallowing traversal of underscore names is useful
> (because it makes it easy to conventionally mark attrs as private) but
> it can definitely be a drag if you really do want to publish something
> that begins with an underscore; this happens a lot when you need to deal
> with allowing uploads of arbitrary filenames.
> 
> It might be useful to add something like you propose, except I might
> take exception to the name "isTraversable" (everything is traversable,
> really); maybe just set a magic attr on the object like
> __allow_underscore_traversal__.
> 
> However, adding such a feature would need to be done carefully.  Much
> usage of the Zope security machinery utterly depends on not being able
> to traverse underscore names.
> 
> - C
> 
> On Thu, 2005-06-02 at 15:59 -0400, Dan Pozmanter wrote:
> > Wouldn't it be cool if instead of checking explicitly for a leading 
> > '_' during traversal, you ran a method "isTraversable" (On SimpleItem 
> > for instance), which by default just checks for a leading '_', but 
> > could be overridden in a particular class?
> >  
> > Dan
> 
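The following is an added example, not code from Zope or from either author in this thread. It models, in a toy traversal step, the `entry_name[:1]=='_'` refusal Chris quotes from ZPublisher/BaseRequest.py and the opt-in `__bobo_always_allow__` hook Dan sketches (None, a list of names, or a callable taking the name). `Folder`, `Forbidden`, `traverse_one`, `traverse`, `outcome` and `build_samples` are assumed names used only for illustration; the sample content is constructed.

```python
# Added example, not Zope's own code: a toy model of the underscore check in
# ZPublisher/BaseRequest.py plus the opt-in __bobo_always_allow__ hook
# proposed in the thread. Folder, Forbidden, traverse_one, traverse and
# outcome are assumed names for illustration only.


class Forbidden(Exception):
    """Stands in for response.forbiddenError() in the real publisher."""


class Folder:
    """Constructed sample content object; the hook is an instance attribute."""

    def __init__(self, allow=None):
        self.__bobo_always_allow__ = allow
        self.index_html = "hello"
        setattr(self, "_upload.txt", "uploaded bytes")  # a name we do want published
        self._secret = "internal state"                 # must stay unreachable


def underscore_allowed(obj, entry_name):
    """Return True only when obj explicitly opts a leading-underscore name in.

    __bobo_always_allow__ may be absent/None (keep the refusal), a list of
    exact names, or a callable taking the name and returning a truthy value.
    """
    hook = getattr(obj, "__bobo_always_allow__", None)
    if hook is None:
        return False
    if isinstance(hook, (list, tuple, set, frozenset)):
        return entry_name in hook
    if callable(hook):
        return bool(hook(entry_name))
    return False  # any other type: fail closed, as the default does


def traverse_one(obj, entry_name):
    """One path segment: the existing check, narrowed only by an explicit opt-in."""
    if entry_name[:1] == "_" and not underscore_allowed(obj, entry_name):
        raise Forbidden(entry_name)
    return getattr(obj, entry_name)


def traverse(root, path):
    """Walk a slash-separated path, applying the check at every segment."""
    obj = root
    for segment in path.split("/"):
        if segment:
            obj = traverse_one(obj, segment)
    return obj


def outcome(root, path):
    """Summarise a traversal as 'ok:<value>' or 'forbidden:<name>'."""
    try:
        return "ok:" + str(traverse(root, path))
    except Forbidden as exc:
        return "forbidden:" + str(exc)


def build_samples():
    """Three constructed roots: no hook, a list hook, and a callable hook."""
    plain = Folder()
    listed = Folder(allow=["_upload.txt"])
    by_rule = Folder(allow=lambda name: name.endswith(".txt"))
    plain.files = listed  # nested folder: the check runs at each segment
    return plain, listed, by_rule


if __name__ == "__main__":
    plain, listed, by_rule = build_samples()
    for root, label in ((plain, "no hook"), (listed, "list"), (by_rule, "callable")):
        for path in ("index_html", "_upload.txt", "_secret"):
            print(f"{label:8} {path:12} -> {outcome(root, path)}")
    print("nested   files/_upload.txt -> " + outcome(plain, "files/_upload.txt"))
```

Two points the run makes visible: with no hook every underscore name is still refused, so the existing behaviour Chris describes as load-bearing for the security machinery is unchanged; and the list form exposes exactly the named items while `_secret` stays forbidden. The callable form is only as narrow as its predicate, which is why a review of any such patch has to look at what each overriding class actually returns, not just at the publisher change.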


