AW: [Zope3-Users] Trusted traversers in z3c.layer: security concerns

Roger Ineichen dev at projekt01.ch
Tue Sep 11 11:47:22 EDT 2007


Hi Markus

> Subject: [Zope3-Users] Trusted traversers in z3c.layer: 
> security concerns

[...]

> Since I can't believe that everybody else using `z3c.form` is 
> also using trusted traversers, I wonder if I am missing 
> something crucial here ...

I don't have time right now, but we will meet at the sprint
in Boston. I'd like to take a closer look at that then. As far
as I can remember there is another issue with the traverser,
which resolves its name with context.__parent__ instead of
adapting the parent object's traverser. I'd also like to take a
look at this.

Stephan and I had a couple of discussions about writing
an introspection test framework which shows us what can get
accessed and what not, based on the configure.zcml directives
registered all over the project.

Probably we can take another look at this and write some 
minimal hacker tool which tries to hack a running server
by trying to access all views and adapters etc.

Such a tool should also be able to generate a PDF report
showing the security settings. But that's another story...

Regards
Roger Ineichen

> Regards,
> 
> Markus Kemmerling
> 
> Medical University Vienna
> Core Unit for Medical Education
> P.O. Box 10  A-1097 Vienna
> phone: +43-1-40 160-36 863  fax: +43-1-40 160-93 65 00 
> http://www.meduniwien.ac.at/bemaw/