AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

2007-12-18 Thread Roger Ineichen
Hi Jim

> Subject: Re: AW: [Zope-dev] Re: Request typing (to get the
> xmlrpc layer discussion finished)

[...]

>> Configuring views on layers will prevent us from backdoors if
>> we reuse these easily installable eggs ;-)
>>
>> Here is a simple sample of such a built-in backdoor:
>>
>> At our fresh zope installation:
>> http://localhost:8080/@@absolute_url
>>
>> Of course it's not this dangerous, but it shows you what I mean.
>
> How do skins avoid this?

Let me explain first how I define layers and skins.

- A layer is a configuration discriminator (request type)
  for traversable components.

- A named skin (configuration) makes it possible to traverse
  components using a context and this layer as discriminator
  as url path.

This means in my point of view a layer is a concept which
offers a configuration namespace which somebody can use or
not. If a layer has already defined views it doesn't affect
anything till we map this layer as traversable namespace.
By a traversable namespace I mean the layer registered by
its traversable name. Also called skin and accessible by
++skin++Name.

If we register absolute_url in a layer which isn't
used in a skin, then this view is not available as
traversable view because of the missing layer/named skin
configuration.

Regards
Roger Ineichen

> Jim
>
> --
> Jim Fulton
> Zope Corporation

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

2007-12-18 Thread Jim Fulton


On Dec 18, 2007, at 5:08 AM, Roger Ineichen wrote:

> Hi Jim
>
>> Subject: Re: AW: [Zope-dev] Re: Request typing (to get the
>> xmlrpc layer discussion finished)
>
> [...]
>
>>> Configuring views on layers will prevent us from backdoors if
>>> we reuse these easily installable eggs ;-)
>>>
>>> Here is a simple sample of such a built-in backdoor:
>>>
>>> At our fresh zope installation:
>>> http://localhost:8080/@@absolute_url
>>>
>>> Of course it's not this dangerous, but it shows you what I mean.
>>
>> How do skins avoid this?
>
> Let me explain first how I define layers and skins.
>
> - A layer is a configuration discriminator (request type)
>   for traversable components.
>
> - A named skin (configuration) makes it possible to traverse
>   components using a context and this layer as discriminator
>   as url path.
>
> This means in my point of view a layer is a concept which
> offers a configuration namespace which somebody can use or
> not. If a layer has already defined views it doesn't affect
> anything till we map this layer as traversable namespace.
> By a traversable namespace I mean the layer registered by
> its traversable name. Also called skin and accessible by
> ++skin++Name.
>
> If we register absolute_url in a layer which isn't
> used in a skin, then this view is not available as
> traversable view because of the missing layer/named skin
> configuration.

Which does nothing to protect you from components registered for the
default layer or for IBrowserRequest.


Jim

--
Jim Fulton
Zope Corporation
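Added example, not from the original thread and not Zope's own code: a stand-alone Python model of the lookup behaviour Roger explains and Jim objects to above. Real Zope 3 resolves views through zope.interface / zope.component adapter lookup; here the request types are plain Python classes so the script runs without those packages. IBrowserRequest and IDefaultBrowserLayer are the real Zope names; IAdminLayer, IPublicLayer, PublicSkin, DefaultSkin and the view names other than absolute_url are hypothetical, and modelling absolute_url as registered for IBrowserRequest is an assumption made for the demonstration. The point it shows is the one from the exchange: a view on a layer that no skin includes is unreachable, a view on the default layer is reachable from every skin that includes that layer, and a view bound to IBrowserRequest is reachable from every skin there is.

```python
# Added example: a toy model of Zope 3 view lookup by request type.
# Not Zope's own code; the "interfaces" below are plain classes so the
# script runs without zope.interface / zope.component installed.

# Request-type hierarchy. In Zope 3 every browser layer and every skin
# extends IBrowserRequest; the default skin includes IDefaultBrowserLayer.
class IBrowserRequest:
    pass

class IDefaultBrowserLayer(IBrowserRequest):
    pass

class IAdminLayer(IBrowserRequest):       # hypothetical layer, mapped to no skin
    pass

class IPublicLayer(IBrowserRequest):      # hypothetical layer used by PublicSkin
    pass

# A skin is itself a request type composed of layers; ++skin++Name makes the
# request provide it. Both skins are hypothetical.
class PublicSkin(IPublicLayer):
    pass

class DefaultSkin(IDefaultBrowserLayer):
    pass

# (view name, request type) -> factory; stands in for the component registry.
REGISTRY = {}

def register_view(name, layer, factory):
    REGISTRY[(name, layer)] = factory

def lookup_view(name, skin):
    """Most-specific-first walk over the skin's bases, like adapter lookup.

    Returns the factory, or None (which the publisher would turn into a 404)."""
    for request_type in skin.__mro__:
        factory = REGISTRY.get((name, request_type))
        if factory is not None:
            return factory
    return None

def reachable_views(skin):
    """Names a client could traverse to through the given skin."""
    return sorted({name for (name, _layer) in REGISTRY if lookup_view(name, skin)})

def global_views():
    """Views registered directly for IBrowserRequest: reachable from every
    skin, the case layers and skins give no protection against."""
    return sorted(name for (name, layer) in REGISTRY if layer is IBrowserRequest)

# Registrations. absolute_url bound to IBrowserRequest is an assumption for
# this demo; debug_info and admin_only are hypothetical.
register_view("absolute_url", IBrowserRequest, lambda: "absolute_url view")
register_view("debug_info", IDefaultBrowserLayer, lambda: "hypothetical default-layer view")
register_view("admin_only", IAdminLayer, lambda: "hypothetical admin view")

if __name__ == "__main__":
    for skin in (PublicSkin, DefaultSkin):
        print("%-12s -> %s" % (skin.__name__, reachable_views(skin)))
    print("reachable from every skin:", global_views())
```

Running it prints that PublicSkin reaches only absolute_url, DefaultSkin reaches absolute_url and debug_info, and admin_only is reachable from neither, which is exactly the split the two messages above disagree about: the unused layer is safe, the default layer and IBrowserRequest are not.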




Re: AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

2007-12-18 Thread Stephan Richter
On Tuesday 18 December 2007, Jim Fulton wrote:
>> If we register absolute_url in a layer which isn't
>> used in a skin, then this view is not available as
>> traversable view because of the missing layer/named skin
>> configuration.
>
> Which does nothing to protect you from components registered for the
> default layer or for IBrowserRequest.

Yes, because in our code we never ever expose the registrations in the default
layer. We consider that layer hostile. :-) (Eventually we hope to rid
ourselves of even importing any configuration that registers into the
browser layer, but the Zope packages need some refactoring to do this in a
sane way.)

IBrowserRequest is a big problem, since it is the base interface for all 
layers. I used to scan the ZCML for components registered for 
IBrowserRequest. I have not done this in a while, but should make it a habit 
again. I hope that security analysis tools, such as z3c.securitytool will 
eventually help us identify those problems.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
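Added example, mine rather than part of the message above, and not z3c.securitytool or any Zope tooling: one way to do the ZCML scan Stephan describes, as a stand-alone Python script using only the standard library. It parses browser:page, browser:view and browser:pages directives and flags each one by the request type it is bound to: a layer attribute naming IBrowserRequest (reachable from every skin), or the default layer IDefaultBrowserLayer, whether named explicitly or taken by omitting layer= altogether. The ZCML below is constructed for the demonstration; the example.* class names and example.layer.IAdminLayer are hypothetical.

```python
# Added example: a static audit of ZCML browser registrations by layer.
# Not Zope's own tooling and not z3c.securitytool; standard library only.
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"
BASE_REQUEST = "zope.publisher.interfaces.browser.IBrowserRequest"
DEFAULT_LAYER = "zope.publisher.interfaces.browser.IDefaultBrowserLayer"

# Constructed sample configuration; the example.* names are hypothetical.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">
  <browser:page name="absolute_url" for="*" class="example.AbsoluteURL"
                permission="zope.Public"
                layer="zope.publisher.interfaces.browser.IBrowserRequest" />
  <browser:page name="index.html" for="*" class="example.Index"
                permission="zope.Public" />
  <browser:view name="admin" for="*" class="example.Admin"
                permission="zope.ManageContent"
                layer="example.layer.IAdminLayer" />
  <browser:page name="manage" for="*" class="example.Manage"
                permission="zope.Public"
                layer="zope.publisher.interfaces.browser.IDefaultBrowserLayer" />
  <browser:pages for="*" class="example.Tools" permission="zope.Public">
    <browser:page name="export.html" attribute="export" />
  </browser:pages>
</configure>
"""

def _directive(el):
    """Local name of a browser: directive, or None for anything else."""
    prefix = "{%s}" % BROWSER_NS
    return el.tag[len(prefix):] if el.tag.startswith(prefix) else None

def _attr(el, container, key):
    """Attribute on the directive, falling back to its browser:pages container."""
    value = el.get(key)
    if value is None and container is not None:
        value = container.get(key)
    return value

def classify(name, layer, permission):
    """Rate one registration by the request type it is bound to."""
    explicit = layer is not None
    layer = layer or DEFAULT_LAYER          # ZCML's default when layer= is omitted
    short = layer.rsplit(".", 1)[-1]
    if short == "IBrowserRequest":
        severity, reason = "HIGH", "bound to IBrowserRequest: reachable from every skin"
    elif short == "IDefaultBrowserLayer":
        severity = "MEDIUM"
        reason = "bound to the default layer%s: reachable from every skin that includes it" % (
            "" if explicit else " (implicitly, no layer= attribute)")
    else:
        severity, reason = "OK", "scoped to %s" % layer
    if severity != "OK" and permission == "zope.Public":
        reason += "; permission is zope.Public"
    return {"name": name, "layer": layer, "permission": permission,
            "severity": severity, "reason": reason}

def scan_zcml(text):
    """One finding per browser:page / browser:view, in document order.

    Pages nested in a browser:pages block inherit its layer= and permission=."""
    root = ET.fromstring(text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for el in root.iter():
        if _directive(el) not in ("page", "view"):
            continue
        container = parent.get(el)
        if container is not None and _directive(container) != "pages":
            container = None
        findings.append(classify(el.get("name", ""),
                                 _attr(el, container, "layer"),
                                 _attr(el, container, "permission")))
    return findings

if __name__ == "__main__":
    for f in scan_zcml(SAMPLE_ZCML):
        print("%-6s %-14s %s" % (f["severity"], f["name"], f["reason"]))
```

To use it on a real package, read each configure.zcml and pass its text to scan_zcml; the script deliberately does not follow include directives or resolve a named layer's own base interfaces, so a custom layer that itself extends IBrowserRequest only is reported as "scoped" and still needs a human look. It is a first pass for finding the IBrowserRequest and default-layer registrations Stephan wants to catch, not a replacement for a full security analysis tool.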


AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

2007-12-17 Thread Roger Ineichen
Hi

> Subject: [Zope-dev] Re: Request typing (to get the xmlrpc
> layer discussion finished)

[...]

>> We tend to think up complex use cases and then make the
>> zope framework more complicated to deal with them.  Sometimes these
>> are legitimate use cases, but they are rarely common cases and their
>> solutions should generally not be inflicted on the masses.

Configuring views on layers will prevent us from backdoors
if we reuse these easily installable eggs ;-)

Here is a simple sample of such a built-in backdoor:

At our fresh zope installation:
http://localhost:8080/@@absolute_url

Of course it's not this dangerous, but it shows you what I mean.

I could show you many more such built-in backdoors on
production systems, but will not do this here for
security reasons.

Regards
Roger Ineichen



Re: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)

2007-12-17 Thread Jim Fulton


On Dec 17, 2007, at 12:39 PM, Roger Ineichen wrote:

> Hi
>
>> Subject: [Zope-dev] Re: Request typing (to get the xmlrpc
>> layer discussion finished)
>
> [...]
>
>>> We tend to think up complex use cases and then make the
>>> zope framework more complicated to deal with them.  Sometimes these
>>> are legitimate use cases, but they are rarely common cases and their
>>> solutions should generally not be inflicted on the masses.
>
> Configuring views on layers will prevent us from backdoors
> if we reuse these easily installable eggs ;-)
>
> Here is a simple sample of such a built-in backdoor:
>
> At our fresh zope installation:
> http://localhost:8080/@@absolute_url
>
> Of course it's not this dangerous, but it shows you what I mean.

How do skins avoid this?

Jim

--
Jim Fulton
Zope Corporation

