Hi Hanno,
another point: just fixing creation of a similar ID will not fix this
if you know the portal ID and you are an aggressor linking from
elsewhere. But if the content of the other portal is not visible to the
public or to you, you cannot get safe content by traversing like this.

So carefully write down the permutations (users vs. content matrix) of
the issue to get an elegant permanent fix for everybody.
Check if you can use the new Zope 2.12.x feature to view permissions
from the ZMI from a particular user's view, even if your Plone is ready for
this.

Armin

On 29.09.2010 at 17:32, Stroß-Radschinski Armin C. wrote:

> Hi Hanno,
> just a simple workaround:
> I remember there is a way to mark URLs/IDs as forbidden for
> creation.
> So create your portals first and then mark these IDs as reserved
> inside the portals.
> When using an uncommon UUID, e.g. as the portal ID, this should work in
> 99.9...% of situations.
> And if you get a hit, it results in an error.
>
> I had similar trouble because my initials are the same as my user ID
> and my company's short name. To avoid this I usually add prefixes or
> suffixes.
>
> UPDATE:
> To implement this in Plone:
> Set an option by default that automatically adds the IDs of folderish
> (or Plone Site) objects at the Zope root to the invalid IDs.
> This is maybe not the cleanest way, but it may be a serious issue not
> to solve this security risk even with a quick hack.
>
> Armin
>
> On 29.09.2010 at 16:55, Hanno Schulz wrote:
>
>>
>> Hello
>>
>> I am looking for a solution to restrict access between Plone portals
>> on the same Zope server.
>>
>> The problem:
>> Zope Root
>> /
>> |- Portal A
>> |- Portal B
>>
>> When you call server/Portal B/somefolder/Portal A/ you get the
>> content from Portal A instead of an error page (for example 404).
>> I know it's the "normal" Zope acquisition :( But is there a way to
>> stop traversing at the Plone portal root?
>>
>> Thanks
>> Hanno Schulz
>> -
>> This e-mail and any attachments are confidential and solely intended
>> for the indicated addressee. If you are not the intended recipient or
>> an authorized person, please note that any form of notice, disclosure,
>> reproduction or circulation of the contents of this mail is prohibited.
>> In this case, please immediately inform the sender of the e-mail and
>> destroy this e-mail. We use updated antivirus protection software. We
>> do not accept any responsibility for damages caused anyhow by viruses.
>> -
>> catWorkX GmbH: registered office in Hamburg, HRB: 71494, VAT ID:
>> DE201625856, Managing directors: Dipl. Kfm. Andreas Girnuweit,
>> Dipl.-Ing. Oliver Groht, Dr. Wolfgang Tank
>> _______________________________________________
>> Product-Developers mailing list
>> [email protected]
>> http://lists.plone.org/mailman/listinfo/product-developers
>



--
Armin Carl Stroß-Radschinski, Dipl. Designer
acsr industrialdesign, Landgrafenstraße 32, 53842 Troisdorf, Germany

Phone +49 (0) 22 41 / 94 69 94, Fax +49 (0) 22 41 / 94 69 96
E-mail [email protected] - http://www.acsr.de
VAT ID No.: DE154092803 (EU VAT ID)
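To make the thread's points concrete, here is a small model of what Zope's implicit acquisition does during URL traversal and of the two ideas discussed above: Hanno's wish to stop traversal at the Plone site root, and Armin's workaround of reserving the root-level IDs (which, as Armin notes in his follow-up, blocks a clashing folder from being created but does not stop the acquisition itself). This is an added, self-contained illustration in plain Python written for this thread; it does not use Zope, Acquisition or Plone, and every name in it (Node, acquire, traverse, build_demo_tree, reserve_root_ids, ...) is an assumption made for the example, not a Zope or Plone API. The object tree is constructed to match Hanno's sketch.

```python
"""Model of Zope-style implicit acquisition during URL traversal.

Added illustration for the Plone product-developers thread; plain Python,
not Zope/Plone code. All class and function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Node:
    """One container in the object tree.

    site_root: marks a Plone-Site-like object; the hardened traversal stops
               acquiring once it has searched such an object.
    public:    whether an anonymous visitor may view this object.
    reserved:  IDs that may not be created anywhere in this tree (only
               meaningful on the Zope root; see reserve_root_ids).
    """
    id: str
    site_root: bool = False
    public: bool = True
    parent: Optional["Node"] = None
    children: Dict[str, "Node"] = field(default_factory=dict)
    reserved: Set[str] = field(default_factory=set)

    def root(self) -> "Node":
        n = self
        while n.parent is not None:
            n = n.parent
        return n

    def path(self) -> str:
        parts = []
        n = self
        while n.parent is not None:
            parts.append(n.id)
            n = n.parent
        return "/" + "/".join(reversed(parts))


class NotFound(Exception):      # a 404 in Zope
    pass


class Unauthorized(Exception):  # Zope's Unauthorized (401)
    pass


class BadRequest(Exception):    # Zope rejects a bad/forbidden ID this way
    pass


def add_child(container: Node, child: Node) -> Node:
    """Create `child` inside `container`, refusing reserved IDs."""
    if child.id in container.root().reserved:
        raise BadRequest(f"id {child.id!r} is reserved")
    child.parent = container
    container.children[child.id] = child
    return child


def acquire(start: Node, name: str, stop_at_site_root: bool) -> Node:
    """Implicit acquisition: look for `name` in `start`, then in each
    ancestor. With stop_at_site_root=True the search ends at the nearest
    site root, so a sibling portal under the Zope root is never reached."""
    n = start
    while n is not None:
        if name in n.children:
            return n.children[name]
        if stop_at_site_root and n.site_root:
            break
        n = n.parent
    raise NotFound(name)


def traverse(root: Node, url_path: str, stop_at_site_root: bool) -> Node:
    """Walk a URL path from the Zope root, checking view access per step."""
    node = root
    for name in filter(None, url_path.split("/")):
        node = acquire(node, name, stop_at_site_root)
        if not node.public:
            raise Unauthorized(node.path())
    return node


def describe(root: Node, url_path: str, stop_at_site_root: bool) -> str:
    """Status-line style summary of a traversal result."""
    try:
        return "200 " + traverse(root, url_path, stop_at_site_root).path()
    except NotFound:
        return "404"
    except Unauthorized:
        return "401"


def build_demo_tree(portal_a_public: bool = True) -> Node:
    """Constructed sample tree matching Hanno's sketch:
    /  (Zope root)  |- PortalA (holds 'doc')  |- PortalB (holds 'somefolder')
    """
    root = Node("")
    a = add_child(root, Node("PortalA", site_root=True, public=portal_a_public))
    add_child(a, Node("doc", public=portal_a_public))
    b = add_child(root, Node("PortalB", site_root=True))
    add_child(b, Node("somefolder"))
    return root


def reserve_root_ids(root: Node) -> None:
    """Armin's hack: every object directly under the Zope root becomes a
    forbidden ID for objects created anywhere else in the tree."""
    root.reserved.update(root.children)


def try_create(container: Node, new_id: str) -> str:
    try:
        add_child(container, Node(new_id))
        return "created"
    except BadRequest:
        return "rejected"


if __name__ == "__main__":
    root = build_demo_tree()
    leak = "/PortalB/somefolder/PortalA/doc"
    print(describe(root, leak, False))   # stock acquisition serves Portal A's doc
    print(describe(root, leak, True))    # stopping at the site root gives a 404
    # Armin's point: if Portal A is not viewable anyway, nothing leaks.
    print(describe(build_demo_tree(portal_a_public=False), leak, False))
    # Reserving IDs blocks a clashing folder, but not the traversal itself.
    reserve_root_ids(root)
    somefolder = root.children["PortalB"].children["somefolder"]
    print(try_create(somefolder, "PortalA"), try_create(somefolder, "notes"))
    print(describe(root, leak, False))
```

The `stop_at_site_root` flag stands in for whatever mechanism would actually cut acquisition at the Plone site root; the model only shows why that is the check that turns the cross-portal URL into a 404, while the reserved-ID approach leaves the URL resolving exactly as before.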





