[Zope3-Users] Trusted traversers in z3c.layer: security concerns
Markus Kemmerling
markus.kemmerling at meduniwien.ac.at
Tue Sep 11 08:00:24 EDT 2007
Hi,
In our applications we use `z3c.pagelet` together with the `IPageletBrowserLayer` defined by `z3c.layer.pagelet`. The latter registers two traversers, `SimpleComponentTraverser` and `ItemTraverser`, as trusted adapters.
I do not completely understand the reason for doing so (as explained in the `trusted` layer's README), but it seems to me that doing so raises a security issue.
(BTW, there seems to be no difference at all between the `IMinimalBrowserLayer` and the `ITrustedBrowserLayer`; all three subpackages in `z3c.layer` register both traversers as trusted adapters.)
Registering a traverser as a trusted adapter means that the adapted object will not be security protected. Normally this will be no problem, since the traversed object will be explicitly security proxied by the publication traverser's `traverseName` method (defined by the `zope.app.publication.publicationtraverse` module). The problem arises if the traversed object is not the object itself, but a view on it--assuming the view is called via the default namespace and not via the 'view' namespace, i.e. without '@@' prepended.
To see the problem consider what happens if you traverse to a container view via the default namespace:
* `traverseName` looks up the traverser by querying for the adapter providing `IPublishTraverse` and calls its `publishTraverse` method.
* In the case of a container the traverser will be the `ItemTraverser` (defined by the `zope.app.container.traversal` module) which will return the view registered for the container. Since the traverser is trusted, its context isn't security proxied. Therefore the container won't be security proxied either when adapted by the view.
So after traversing, the view itself will be security proxied (by the `traverseName` method), but access to its context container will *not* obey any security restrictions. In other words, the security declaration for the container itself will be ignored.
This does not happen of course when traversing via the `view` namespace, since the `view` traverser is not registered as a trusted adapter by the `IPageletBrowserLayer`.
I verified the described behaviour by commenting out the security declaration for some container. Doing so I was able to traverse to it via the default namespace, but not via the 'view' namespace.
Now, in our applications, we not only use pagelets, but also `z3c.form` based forms. When I tried to run our tests without registering the traversers as trusted adapters, it turned out that a number of additional security declarations are necessary to make the tests pass again. E.g., I had to explicitly allow access to widgets like
<class class="z3c.form.browser.text.TextWidget">
<allow interface="z3c.form.interfaces.IWidget" />
</class>
and also to add a `widget` attribute to the definition of the `IErrorViewSnippet`.
Since I can't believe that everybody else using `z3c.form` is also using
trusted traversers, I wonder if I am missing something crucial here ...
Regards,
Markus Kemmerling
Medical University Vienna
Core Unit for Medical Education
P.O. Box 10 A-1097 Vienna
phone: +43-1-40 160-36 863 fax: +43-1-40 160-93 65 00
http://www.meduniwien.ac.at/bemaw/
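The behaviour described in the message above, as an added illustration that is not part of the original post and is not Zope code: a stdlib-only Python model in which `Proxy`, `adapt`, `traverse_name`, `Container`, `IndexView` and the name `index.html` are hypothetical stand-ins for the security proxy, the (trusted or untrusted) adapter lookup, `traverseName`, a container and its view.

```python
# Simplified model (assumption): these classes are hypothetical stand-ins,
# not zope.security or zope.app.publication code.
class Forbidden(Exception):
    pass

class Proxy:  # allows attribute access only for names in `allowed`
    def __init__(self, obj, allowed):
        self._obj, self._allowed = obj, frozenset(allowed)
    def __getattr__(self, name):
        if name.startswith("_") or name not in self._allowed:
            raise Forbidden(name)
        return getattr(self._obj, name)

class Container:
    def items(self):
        return ["item-1", "item-2"]  # constructed sample data

class IndexView:
    def __init__(self, context):
        self.context = context
    def render(self):
        return ", ".join(self.context.items())  # touches the container

class ItemTraverser:
    def __init__(self, context):
        self.context = context
    def publishTraverse(self, name):
        return IndexView(self.context)  # models the fallback to the view `name`

def adapt(factory, context, trusted):
    # Trusted adapter: the factory gets the bare object. Untrusted: the proxy.
    bare = context._obj if isinstance(context, Proxy) else context
    return factory(bare if trusted else context)

def traverse_name(container, name, trusted):
    view = adapt(ItemTraverser, container, trusted).publishTraverse(name)
    return Proxy(view, {"render"})  # only the traversal result is proxied

def try_render(trusted):
    # No names allowed: the container's security declaration is commented out.
    container = Proxy(Container(), allowed=())
    try:
        return traverse_name(container, "index.html", trusted).render()
    except Forbidden as exc:
        return "Forbidden: %s" % exc

if __name__ == "__main__":
    print("trusted:  ", try_render(True))
    print("untrusted:", try_render(False))
```

With the trusted traverser the view reads the container even though no names are allowed on it; with the untrusted traverser the same call is refused at the container's proxy.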