AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
Hi Jim

> Subject: Re: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
>
> [...]
>
>> Configure views on layers will prevent us from backdoors if we reuse
>> these easily installable eggs ;-)
>>
>> Here is a simple sample of such a built-in backdoor. At our fresh Zope
>> installation:
>>
>> http://localhost:8080/@@absolute_url
>>
>> Of course it's not that dangerous, but it shows you what I mean.
>
> How do skins avoid this?

Let me explain first how I define layers and skins.

- A layer is a configuration discriminator (request type) for traversable
  components.
- A named skin (configuration) makes it possible to traverse components
  using a context and this layer as discriminator as URL path.

This means, in my point of view, a layer is a concept which offers a
configuration namespace which somebody can use or not. If a layer has
already defined views, it doesn't affect anything till we map this layer
as a traversable namespace. By a traversable namespace I mean the layer
registered by its traversable name, also called a skin and accessible by
++skin++Name.

If we register absolute_url in a layer which isn't used in a skin, then
this view is not available as a traversable view because of the missing
layer/named skin configuration.

Regards
Roger Ineichen

> Jim
>
> --
> Jim Fulton
> Zope Corporation

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
Re: AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
On Dec 18, 2007, at 5:08 AM, Roger Ineichen wrote:

> Hi Jim
>
>> Subject: Re: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
>>
>> [...]
>>
>>> Configure views on layers will prevent us from backdoors if we reuse
>>> these easily installable eggs ;-)
>>>
>>> Here is a simple sample of such a built-in backdoor. At our fresh Zope
>>> installation:
>>>
>>> http://localhost:8080/@@absolute_url
>>>
>>> Of course it's not that dangerous, but it shows you what I mean.
>>
>> How do skins avoid this?
>
> Let me explain first how I define layers and skins.
>
> - A layer is a configuration discriminator (request type) for traversable
>   components.
> - A named skin (configuration) makes it possible to traverse components
>   using a context and this layer as discriminator as URL path.
>
> This means, in my point of view, a layer is a concept which offers a
> configuration namespace which somebody can use or not. If a layer has
> already defined views, it doesn't affect anything till we map this layer
> as a traversable namespace. By a traversable namespace I mean the layer
> registered by its traversable name, also called a skin and accessible by
> ++skin++Name.
>
> If we register absolute_url in a layer which isn't used in a skin, then
> this view is not available as a traversable view because of the missing
> layer/named skin configuration.

Which does nothing to protect you from components registered for the
default layer or for IBrowserRequest.

Jim

--
Jim Fulton
Zope Corporation
Re: AW: AW: [Zope-dev] Re: Request typing (to get the xmlrpc layer discussion finished)
On Tuesday 18 December 2007, Jim Fulton wrote:

>> If we register absolute_url in a layer which isn't used in a skin, then
>> this view is not available as a traversable view because of the missing
>> layer/named skin configuration.
>
> Which does nothing to protect you from components registered for the
> default layer or for IBrowserRequest.

Yes, because in our code we never ever expose the registrations in the
default layer. We consider that layer hostile. :-)

(Eventually we hope to rid ourselves of even importing any configuration
that registers into the browser layer, but the Zope packages need some
refactoring to do this in a sane way.)

IBrowserRequest is a big problem, since it is the base interface for all
layers. I used to scan the ZCML for components registered for
IBrowserRequest. I have not done this in a while, but should make it a
habit again. I hope that security analysis tools, such as
z3c.securitytool, will eventually help us identify those problems.

Regards,
Stephan

--
Stephan Richter
CBU Physics Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
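The check Stephan describes (scanning ZCML for components registered for IBrowserRequest), written out as an added example. This is not code from the thread, from Zope, or from z3c.securitytool. It walks a ZCML document and flags `browser:page` / `browser:view` directives that carry no `layer` attribute (so they land in the default layer Jim's reply warns about) or that name IBrowserRequest / IDefaultBrowserLayer, plus generic `adapter` directives whose `for` spec includes IBrowserRequest. A registration on a project-specific layer is left alone, since, as Roger explains, it is only traversable through a skin that includes that layer. The sample ZCML, the dotted names `mysite.*`, and the layer `mysite.layer.IMySiteLayer` are constructed for the example and correspond to no real package.

```python
"""Scan ZCML for browser views that are reachable from every skin.

Added example (not code from the zope-dev thread, from Zope, or from
z3c.securitytool). A browser:page/browser:view with no ``layer`` is
registered for the default layer; one whose layer is IBrowserRequest or
IDefaultBrowserLayer sits on a base interface every skin extends. Either
way the view answers under any ++skin++ name and with no skin at all.
"""
import xml.etree.ElementTree as ET

ZOPE_NS = "http://namespaces.zope.org/zope"
BROWSER_NS = "http://namespaces.zope.org/browser"

# Base request interfaces that every browser skin extends.
GLOBAL_LAYERS = {
    "zope.publisher.interfaces.browser.IBrowserRequest",
    "zope.publisher.interfaces.browser.IDefaultBrowserLayer",
}

VIEW_DIRECTIVES = {"{%s}page" % BROWSER_NS, "{%s}view" % BROWSER_NS}
ADAPTER_DIRECTIVE = "{%s}adapter" % ZOPE_NS


def _short(tag):
    """'{http://namespaces.zope.org/browser}page' -> 'browser:page'."""
    ns, local = tag[1:].split("}", 1)
    prefix = "browser" if ns == BROWSER_NS else "zope"
    return "%s:%s" % (prefix, local)


def find_global_views(zcml_text):
    """Return one dict per registration that every skin can traverse to."""
    root = ET.fromstring(zcml_text)
    findings = []
    for el in root.iter():
        if el.tag in VIEW_DIRECTIVES:
            layer = el.get("layer")
            if layer is None:
                reason = "no layer attribute: registered for the default layer"
            elif layer in GLOBAL_LAYERS:
                reason = "layer is a base interface every skin extends"
            else:
                continue  # only reachable via a skin that includes this layer
            findings.append({
                "directive": _short(el.tag),
                "name": el.get("name", ""),
                "layer": layer or "<default>",
                "reason": reason,
            })
        elif el.tag == ADAPTER_DIRECTIVE:
            # A plain adapter on (context, IBrowserRequest) is a view as well.
            spec = el.get("for", "").split()
            hits = [s for s in spec if s in GLOBAL_LAYERS]
            if hits:
                findings.append({
                    "directive": _short(el.tag),
                    "name": el.get("name", ""),
                    "layer": hits[0],
                    "reason": "adapter registered for a base request interface",
                })
    return findings


def global_view_names(zcml_text):
    """The ``name`` attribute of each flagged registration, sorted."""
    return sorted(f["name"] for f in find_global_views(zcml_text))


# Constructed sample ZCML; mysite.* and IMySiteLayer are hypothetical names.
SAMPLE_ZCML = """\
<configure xmlns="http://namespaces.zope.org/zope"
           xmlns:browser="http://namespaces.zope.org/browser">

  <!-- No layer: default layer, reachable as @@absolute_url everywhere. -->
  <browser:page name="absolute_url" for="*"
                class="mysite.browser.AbsoluteURL" permission="zope.Public" />

  <!-- Explicit base layer: just as exposed. -->
  <browser:view name="debug-info" for="*"
                layer="zope.publisher.interfaces.browser.IBrowserRequest"
                class="mysite.browser.DebugInfo" permission="zope.Public" />

  <!-- Project layer: only traversable through a skin that includes it. -->
  <browser:page name="index.html" for="*"
                layer="mysite.layer.IMySiteLayer"
                template="index.pt" permission="zope.View" />

  <!-- Generic adapter on IBrowserRequest: equivalent to a global view. -->
  <adapter name="export.xml"
           for="* zope.publisher.interfaces.browser.IBrowserRequest"
           provides="mysite.interfaces.IExport"
           factory="mysite.browser.Export" />
</configure>
"""

if __name__ == "__main__":
    for f in find_global_views(SAMPLE_ZCML):
        print("%-13s name=%-13s layer=%s  (%s)"
              % (f["directive"], f["name"], f["layer"], f["reason"]))
```

The scan is static and per file: it does not follow `include` directives, and it cannot see registrations made from Python code or in ZCML generated at startup, so treat an empty result as "nothing found in this file" rather than "nothing exposed".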