-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/27/2013 08:49 AM, Julien Cristau wrote:
> On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
> 
>> Tres Seaver <tsea...@palladion.com> writes:
>> 
>>>> * CVE-2012-5505 (zope.traversing: atat.py) 
>>>> http://plone.org/products/plone/security/advisories/20121106/21
>>> 
>>> That "fix" is  also disputed: hiding the "default" view  from the
>>> '@@' name does not actually improve security  at all.  There is a
>>> Launchpad bug where  it is being  debated (#1079225), but  that
>>> bug is  still in "Private Security" mode.  The correct fix is to
>>> change the code of the multi-adapter to barf if published via a
>>> URL.
>> 
>> Any idea when this patch will be released? Thanks.
>> 
> Is there any news on that issue?

I still believe the report is in error:  we cannot hide default (unnamed)
views simply because an application might register one in error.
Any views which wants not to be called via URLs needs to handle that
directly:  registering a multiadapter for (IThing, None) *is* registering
a view.



Tres.
- -- 
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlEFTwsACgkQ+gerLs4ltQ6FVACgmfgoLVb+YLTfJCqHEX4cvd+K
ywkAn32iTCbw7oCm5EgC7uI60bJiRm1M
=mRXV
-----END PGP SIGNATURE-----
_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )

Reply via email to