[Zope3-checkins] SVN: Zope3/branches/3.3/ - Fixed issue 574:
security exposure of TALES namespaces
Christian Theune
ct at gocept.com
Tue Aug 15 08:09:33 EDT 2006
Log message for revision 69506:
- Fixed issue 574: security exposure of TALES namespaces
Changed:
U Zope3/branches/3.3/doc/CHANGES.txt
U Zope3/branches/3.3/src/zope/app/homefolder/tests.py
U Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml
U Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py
U Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py
U Zope3/branches/3.3/src/zope/app/session/configure.zcml
-=-
Modified: Zope3/branches/3.3/doc/CHANGES.txt
===================================================================
--- Zope3/branches/3.3/doc/CHANGES.txt 2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/doc/CHANGES.txt 2006-08-15 12:09:32 UTC (rev 69506)
@@ -10,6 +10,9 @@
Bugfixes
+ - Fixed issue 574: Page template traversal adapters were not correctly
+ proxied.
+
- Fixed issue 682: Quoting of realm in HTTP basic authentication was not
conforming to RFC 2617.
Modified: Zope3/branches/3.3/src/zope/app/homefolder/tests.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/homefolder/tests.py 2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/homefolder/tests.py 2006-08-15 12:09:32 UTC (rev 69506)
@@ -33,6 +33,9 @@
from zope.app.homefolder.homefolder import HomeFolder, getHomeFolder
from zope.app.homefolder.interfaces import IHomeFolder
+from zope.app.folder.folder import Folder
+from zope.app.folder.interfaces import IFolder
+from zope.security.checker import InterfaceChecker, defineChecker
def homeFolderSetUp(test):
placelesssetup.setUp()
@@ -40,6 +43,7 @@
setup.setUpTraversal()
classImplements(File, IAttributeAnnotatable)
+
ztapi.provideAdapter(IAnnotatable, IPrincipalRoleManager,
AnnotationPrincipalRoleManager)
ztapi.provideAdapter(IPrincipal, IHomeFolder,
@@ -47,6 +51,9 @@
ztapi.provideAdapter(IPrincipal, IPathAdapter,
getHomeFolder,
name="homefolder")
+
+ testChecker = InterfaceChecker(IFolder)
+ defineChecker(Folder, testChecker)
def test_suite():
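Review bot: The `defineChecker(Folder, testChecker)` added at the end of homeFolderSetUp registers a process-wide checker with no comment saying why a homefolder test suddenly needs one; presumably the IPathAdapter result is now security-proxied by the engine fix in this commit and a bare Folder would be forbidden, so a line such as `# issue 574: the path adapter result is now security-proxied, so Folder needs a checker the test can pass through` would save the next reader the search. `InterfaceChecker(IFolder)` makes every IFolder name public for the rest of the test run, which is only safe if the matching tearDown (not in this hunk) clears the checker registry — zope.security's test cleanup normally does, but worth confirming here. homeFolderSetUp begins before this hunk.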
Modified: Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml
===================================================================
--- Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml 2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/pagetemplate/configure.zcml 2006-08-15 12:09:32 UTC (rev 69506)
@@ -11,12 +11,21 @@
name="zope"
/>
+ <class class=".talesapi.ZopeTalesAPI">
+ <allow interface="zope.tales.interfaces.ITALESFunctionNamespace"/>
+ <allow attributes="title description created modified name title_or_name size"/>
+ </class>
+
<adapter
for="*"
provides="zope.traversing.interfaces.IPathAdapter"
factory=".urlquote.URLQuote"
name="url"/>
+ <class class=".urlquote.URLQuote">
+ <allow attributes="quote quote_plus unquote unquote_plus"/>
+ </class>
+
<class class="zope.tales.tales.Iterator">
<allow interface="zope.tales.interfaces.ITALESIterator" />
</class>
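Review bot: The two new `<class>` declarations grant the listed names to everyone, which is the right scope for TALES helpers, but nothing in the file says they exist because the untrusted engine now security-proxies IPathAdapter results; the next person who adds a method to URLQuote or ZopeTalesAPI will find it forbidden in templates with no pointer back to this file. A comment above the first declaration, `<!-- issue 574: the untrusted engine proxies path adapters; every attribute a template may use must be allowed here -->`, would record the intent. The `name="zope"` adapter directive whose tail opens the hunk starts before it, so I cannot see whether it still carries a `permission` attribute like the one the session configuration drops in this same commit.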
Modified: Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py 2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/pagetemplate/engine.py 2006-08-15 12:09:32 UTC (rev 69506)
@@ -249,7 +249,34 @@
return namespace
-class ZopeEngine(ExpressionEngine):
+class ZopeBaseEngine(ExpressionEngine):
+
+ _create_context = ZopeContext
+
+ def __init__(self):
+ ExpressionEngine.__init__(self)
+ self.namespaces = AdapterNamespaces()
+
+ def getContext(self, __namespace=None, **namespace):
+ if __namespace:
+ if namespace:
+ namespace.update(__namespace)
+ else:
+ namespace = __namespace
+
+ context = self._create_context(self, namespace)
+
+ # Put request into context so path traversal can find it
+ if 'request' in namespace:
+ context.request = namespace['request']
+
+ # Put context into context so path traversal can find it
+ if 'context' in namespace:
+ context.context = namespace['context']
+
+ return context
+
+class ZopeEngine(ZopeBaseEngine):
"""Untrusted expression engine.
This engine does not allow modules to be imported; only modules
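Review bot: ZopeBaseEngine is introduced without a docstring, while both classes that now derive from it carry one; a reader landing here sees an engine that is neither trusted nor untrusted and has to read the subclasses to learn that the split exists so only ZopeEngine proxies function namespaces. A short docstring stating that this is the shared implementation for the trusted and untrusted engines, and that subclasses decide how function namespaces are exposed (pointing at `ZopeEngine.getFunctionNamespace`), would make the hierarchy self-explaining. The `__init__` and `getContext` bodies are moved unchanged from ZopeEngine, so I have no comment on them.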
@@ -355,33 +382,12 @@
"""
- _create_context = ZopeContext
+ def getFunctionNamespace(self, namespacename):
+ """ Returns the function namespace """
+ return ProxyFactory(
+ super(ZopeEngine, self).getFunctionNamespace(namespacename))
- def __init__(self):
- ExpressionEngine.__init__(self)
- self.namespaces = AdapterNamespaces()
-
- def getContext(self, __namespace=None, **namespace):
- if __namespace:
- if namespace:
- namespace.update(__namespace)
- else:
- namespace = __namespace
-
- context = self._create_context(self, namespace)
-
- # Put request into context so path traversal can find it
- if 'request' in namespace:
- context.request = namespace['request']
-
- # Put context into context so path traversal can find it
- if 'context' in namespace:
- context.context = namespace['context']
-
- return context
-
-
-class TrustedZopeEngine(ZopeEngine):
+class TrustedZopeEngine(ZopeBaseEngine):
"""Trusted expression engine.
This engine allows modules to be imported::
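Review bot: The new getFunctionNamespace override is the whole fix, yet its docstring `""" Returns the function namespace """` does not say that the value is security-proxied or why, so a later cleanup could remove the wrapper without noticing; I would write `"""Return the function namespace wrapped in a security proxy.` followed by `Untrusted templates must reach path adapters only through the proxy (issue 574)."""`. Re-parenting TrustedZopeEngine onto ZopeBaseEngine is what keeps the trusted engine unproxied, but it also means `isinstance(engine, ZopeEngine)` is no longer true for a trusted engine; any caller relying on that (none visible here) would need a look. The ZopeEngine class header sits in the previous hunk and TrustedZopeEngine's body continues past this one.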
Modified: Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py
===================================================================
--- Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py 2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/pagetemplate/tests/test_engine.py 2006-08-15 12:09:32 UTC (rev 69506)
@@ -1,6 +1,6 @@
##############################################################################
#
-# Copyright (c) 2004 Zope Corporation and Contributors.
+# Copyright (c) 2004-2006 Zope Corporation and Contributors.
# All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
@@ -11,15 +11,44 @@
# FOR A PARTICULAR PURPOSE.
#
##############################################################################
-"""Doc tests for the pagentemplate's 'engine' module
+"""Doc tests for the pagetemplate's 'engine' module
$Id$
"""
import unittest
from zope.testing.doctestunit import DocTestSuite
+import zope.component
+from zope.app.pagetemplate.engine import _Engine
+from zope.proxy import isProxy
+from zope.traversing.interfaces import IPathAdapter
+
+class DummyNamespace(object):
+
+ def __init__(self, context):
+ self.context = context
+
+class EngineTests(unittest.TestCase):
+
+ def setUp(self):
+ gsm = zope.component.getGlobalSiteManager()
+ gsm.registerAdapter(DummyNamespace, required=(), provided=IPathAdapter, name='test')
+
+ def tearDown(self):
+ gsm = zope.component.getGlobalSiteManager()
+ gsm.unregisterAdapter(DummyNamespace, required=(), provided=IPathAdapter, name='test')
+
+ def test_issue574(self):
+ engine = _Engine()
+ namespace = engine.getFunctionNamespace('test')
+ self.failUnless(isProxy(namespace))
+
+
def test_suite():
- return DocTestSuite('zope.app.pagetemplate.engine')
+ suite = unittest.TestSuite()
+ suite.addTest(DocTestSuite('zope.app.pagetemplate.engine'))
+ suite.addTest(unittest.makeSuite(EngineTests))
+ return suite
if __name__ == '__main__':
unittest.main(defaultTest='test_suite')
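Review bot: test_issue574 asserts only that the object returned by `getFunctionNamespace('test')` is a proxy; it never calls it, so the part of the fix that matters to templates — that the namespace instance they get is itself proxied and its undeclared attributes forbidden — is not exercised. Adding `instance = namespace(object())` and `self.failUnless(isProxy(instance))` would cover it, though as far as I can tell the adapter registered with `required=()` would not be found for a real object, so the registration would then need a one-element spec such as `required=(Interface,)` (zope.interface). DummyNamespace and EngineTests also lack a docstring saying they model an IPathAdapter namespace for this regression; a one-liner on each would do.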
Modified: Zope3/branches/3.3/src/zope/app/session/configure.zcml
===================================================================
--- Zope3/branches/3.3/src/zope/app/session/configure.zcml 2006-08-15 12:09:01 UTC (rev 69505)
+++ Zope3/branches/3.3/src/zope/app/session/configure.zcml 2006-08-15 12:09:32 UTC (rev 69506)
@@ -23,7 +23,6 @@
provides="zope.traversing.interfaces.IPathAdapter"
factory=".session.Session"
name="session"
- permission="zope.Public"
/>
<class class=".session.Session">
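Review bot: Dropping `permission="zope.Public"` from the session IPathAdapter registration means, as I understand the adapter directive, that the factory's result is no longer wrapped by the directive's own permission handling, so the `<class class=".session.Session">` declaration that follows (cut off at the hunk's end) becomes the only thing deciding which Session attributes a template may touch; if it does not `allow` every name templates use, those expressions will start failing with a forbidden-attribute error after this change. A comment on the directive, `<!-- no permission here: access is governed by the Session class declaration below (issue 574) -->`, would record why the attribute is absent. The adapter directive itself starts before the hunk, so its `for` and other settings are not visible here.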