On 01/27/2013 08:49 AM, Julien Cristau wrote:
> On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
>
>> Tres Seaver <tsea...@palladion.com> writes:
>>
>>>> * CVE-2012-5505 (zope.traversing: atat.py)
>>>> http://plone.org/products/plone/security/advisories/20121106/21
>>>
>>> That "fix" is also disputed: hiding the "default" view from the
>>> '@@' name does not actually improve security at all. There is a
>>> Launchpad bug where it is being debated (#1079225), but that
>>> bug is still in "Private Security" mode. The correct fix is to
>>> change the code of the multi-adapter to barf if published via a
>>> URL.
>>
>> Any idea when this patch will be released? Thanks.
>>
> Is there any news on that issue?
I still believe the report is in error: we cannot hide default (unnamed)
views simply because an application might register one in error. Any view
which does not want to be called via a URL needs to handle that directly:
registering a multiadapter for (IThing, None) *is* registering a view.

Tres.

-- 
===================================================================
Tres Seaver          +1 540-429-0999      tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
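The two positions in the thread, as an added example that is not code from the thread, from zope.traversing or from the Plone hotfix: a toy model of (context, request) multi-adapter lookup and URL traversal in plain Python, with no zope.* imports. It contrasts a traverser-side check that hides the bare `@@` spelling of the default (empty) view name with the adapter-side check Tres describes, where the multi-adapter itself refuses to be published. The registry, the `publish()` function, the `Thing`/`IndexView`/`*Adapter` classes and the `hide_default_atat` flag are all assumptions made for the illustration; the only borrowed fact is that in zope.traversing `++view++` is the long spelling of `@@`, and the toy traverser simply routes both spellings to the same lookup (it does not claim to reproduce how the real hotfix behaves).

```python
"""Toy model of Zope-style view lookup (added example, not zope.component).

Assumptions: one request type, so an adapter's second required interface
is implicit; '++view++' and '@@' both name the view namespace.
"""


class NotFound(Exception):
    """Stand-in for zope.publisher.interfaces.NotFound (HTTP 404)."""


# Toy registry: (context class, view name) -> factory(context, request).
# Registering with name "" is registering the *default* (unnamed) view.
_VIEWS = {}


def register_view(context_cls, name, factory):
    _VIEWS[(context_cls, name)] = factory


def query_multi_adapter(context, request, name=""):
    """Programmatic lookup, the way application code obtains an adapter."""
    factory = _VIEWS.get((type(context), name))
    return None if factory is None else factory(context, request)


class Request:
    pass


class Thing:
    pass


class IndexView:
    """An ordinary browser view that is meant to be published."""
    def __init__(self, context, request):
        self.context, self.request = context, request

    def __call__(self):
        return "index of %s" % type(self.context).__name__


class UnguardedAdapter:
    """Multi-adapter on (Thing, request) registered with the empty name by
    mistake.  It never intended to be a view, but it is one."""
    def __init__(self, context, request):
        self.context, self.request = context, request

    def compute(self):
        return 42  # what application code wants from this adapter

    def __call__(self):
        return self.compute()  # and what a URL hitting it would receive


class GuardedAdapter(UnguardedAdapter):
    """Tres's fix: the adapter itself barfs when the publisher calls it.
    Application code still uses compute(); only publication is refused."""
    def __call__(self):
        raise NotFound("not a browser view")


def traverse_view_name(segment, hide_default_atat=False):
    """Map a path segment to a view name, or None if it is not a view step.
    hide_default_atat models a traverser-side patch that refuses the bare
    '@@' spelling of the default name but leaves the registration alone."""
    if segment.startswith("@@"):
        name = segment[2:]
        if hide_default_atat and name == "":
            raise NotFound(segment)
        return name
    if segment.startswith("++view++"):
        return segment[len("++view++"):]
    return None


def publish(context, path, hide_default_atat=False):
    """Toy publisher: resolve the last path segment as a view and call it."""
    segment = path.rsplit("/", 1)[-1]
    name = traverse_view_name(segment, hide_default_atat)
    if name is None:
        raise NotFound(segment)
    view = query_multi_adapter(context, Request(), name)
    if view is None:
        raise NotFound(name)
    return view()


def demo(adapter_cls):
    """Register adapter_cls as the unnamed view on Thing, probe it through
    the toy publisher and return the outcome of each probe."""
    _VIEWS.clear()
    register_view(Thing, "index", IndexView)
    register_view(Thing, "", adapter_cls)  # the registration made "in error"
    thing = Thing()
    out = {"index": publish(thing, "/thing/@@index"),
           "programmatic": query_multi_adapter(thing, Request()).compute()}
    probes = [("atat_hidden", "/thing/@@", True),        # the hotfix-style check
              ("view_ns_hidden", "/thing/++view++", True),  # same view, other spelling
              ("atat_open", "/thing/@@", False)]         # no traverser check at all
    for label, path, hide in probes:
        try:
            out[label] = publish(thing, path, hide_default_atat=hide)
        except NotFound:
            out[label] = "NotFound"
    return out


if __name__ == "__main__":
    print("unguarded:", demo(UnguardedAdapter))
    print("guarded:  ", demo(GuardedAdapter))
```

With `UnguardedAdapter` the traverser-side check stops only the one spelling it knows about; the adapter is still in the registry as the default view and the other spelling publishes it. With `GuardedAdapter` every URL path gets `NotFound` regardless of how the traverser is patched, while `query_multi_adapter(...).compute()` keeps working for application code, which is the distinction Tres is drawing between "hide the name" and "make the view refuse publication".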