On 01/27/2013 11:55 AM, David Glick (Plone) wrote:
> On 1/27/13 6:00 PM, Tres Seaver wrote:
>> On 01/27/2013 08:49 AM, Julien Cristau wrote:
>>> On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
>>>
>>>> Tres Seaver <tsea...@palladion.com> writes:
>>>>
>>>>>> * CVE-2012-5505 (zope.traversing: atat.py)
>>>>>> http://plone.org/products/plone/security/advisories/20121106/21
>>>>>
>>>>> That "fix" is also disputed: hiding the "default" view from the
>>>>> '@@' name does not actually improve security at all. There
>>>>> is a Launchpad bug where it is being debated (#1079225), but
>>>>> that bug is still in "Private Security" mode. The correct
>>>>> fix is to change the code of the multi-adapter to barf if
>>>>> published via a URL.
>>>>
>>>> Any idea when this patch will be released? Thanks.
>>>>
>>> Is there any news on that issue?
>>
>> I still believe the report is in error: we cannot hide default
>> (unnamed) views simply because an application might register one in
>> error. Any view which wants not to be called via URLs needs to
>> handle that directly: registering a multiadapter for (IThing, None)
>> *is* registering a view.
>
> Plone includes the configuration of zope.annotation which registers a
> multiadapter of (IAnnotations, Interface) that, as far as I can tell,
> is not intended as a view and can expose information that was meant to
> be private. Our patch therefore monkey-patched the view traverser in
> zope.traversing to prevent it from being published. zope.annotation is
> not configured in Zope 2 out of the box.
If you believe that the '(IAnnotation, None)' registration is not supposed
to be a view, then the correct place to address this is in
'zope.annotation', not the publisher. E.g., the attached patch.

Note that the two-argument registration was added by Jacob Holm in r72995
(2007-03-05). CC'ing him to ask if he can recall the justification, or knows
what would break if we removed it. At a guess, the motivator is
zope.app.preference, which wants the extra argument passed to its __new__:
this is *not* a reason to register a multi-adapter.

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
=== modified file 'src/zope/annotation/configure.zcml' --- src/zope/annotation/configure.zcml 2011-02-15 15:46:28 +0000 +++ src/zope/annotation/configure.zcml 2013-01-27 18:00:07 +0000 @@ -8,10 +8,4 @@ factory=".attribute.AttributeAnnotations" /> - <adapter - for=".interfaces.IAttributeAnnotatable *" - provides=".interfaces.IAnnotations" - factory=".attribute.AttributeAnnotations" - /> - </configure> === modified file 'src/zope/annotation/tests/test_configure.py' --- src/zope/annotation/tests/test_configure.py 2011-02-15 15:46:28 +0000 +++ src/zope/annotation/tests/test_configure.py 2013-01-27 18:01:03 +0000 @@ -36,7 +36,7 @@ zope.configuration.xmlconfig.XMLConfig( 'configure.zcml', zope.annotation)() self.assertEqual(u_count + 2, len(list(gsm.registeredUtilities()))) - self.assertEqual(a_count + 2, len(list(gsm.registeredAdapters()))) + self.assertEqual(a_count + 1, len(list(gsm.registeredAdapters()))) self.assertEqual( s_count, len(list(gsm.registeredSubscriptionAdapters()))) self.assertEqual(h_count, len(list(gsm.registeredHandlers())))
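Review bot: the configure.zcml hunk removes the only registration for `(IAttributeAnnotatable, *)` providing `IAnnotations`, so any caller that does a two-argument `getMultiAdapter(...)` lookup for `IAnnotations` will now fail with a lookup error, yet the patch carries no changelog entry or deprecation note saying so. Since the covering message itself guesses that zope.app.preference depends on the second argument reaching `__new__`, add a changelog line and confirm that package (and any other two-argument caller) still works before landing this.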
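Review bot: in the test_configure.py hunk, changing the expectation from `a_count + 2` to `a_count + 1` only proves that one fewer adapter is registered, not that the behaviour the change is meant to remove is gone. Add an explicit assertion that `queryMultiAdapter((annotatable, request), IAnnotations)` now returns `None` (and, closer to what the '@@' traverser does, the same lookup with no provided interface), plus one that `IAnnotations(annotatable)` still resolves through the remaining single-argument registration; as written, a later ZCML change that re-adds a two-argument adapter while dropping a different one would leave this test green.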
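Tres's point above, that registering a multi-adapter for (IThing, None) is registering a view, reduced to runnable form as an added example: this is not code from the thread or from zope.component/zope.traversing, but a constructed stand-in registry whose lookup mirrors queryMultiAdapter's defaults; Content, Request, build_registry and the sample annotation value are assumptions.

```python
# Added example, not code from the thread or from zope.*: a minimal stand-in
# for zope.component's adapter registry plus the '@@' default-view lookup,
# showing why the two-argument IAnnotations registration is URL-reachable.
ANY = object()  # stands in for '*' in ZCML (zope.interface.Interface)
class IAnnotations: "marker interface (constructed)"
class IAttributeAnnotatable: "marker interface (constructed)"
class Registry:
    def __init__(self):
        self._adapters = []  # (required interfaces, provided, name, factory)
    def register(self, required, provided, factory, name=''):
        self._adapters.append((tuple(required), provided, name, factory))
    def query_multi(self, objects, provided=ANY, name=''):
        """Like zope.component.queryMultiAdapter: 'provided' defaults to any."""
        for required, prov, nm, factory in self._adapters:
            if nm != name or len(required) != len(objects):
                continue
            if provided is not ANY and prov is not provided:
                continue
            if all(r is ANY or r in o.provides for r, o in zip(required, objects)):
                return factory(*objects)
        return None

class Content:
    provides = (IAttributeAnnotatable,)
    def __init__(self):
        self.__annotations__ = {'owner.secret': 'private-value'}  # constructed
class Request:
    provides = ()  # matches only the '*' slot, never a named interface
class AttributeAnnotations:
    """Same (obj, context=None) signature as zope.annotation's factory."""
    def __init__(self, obj, context=None):
        self.obj = obj
    def __call__(self):  # simplification: the publisher renders the found view
        return dict(self.obj.__annotations__)

def build_registry(keep_two_arg_registration):
    reg = Registry()
    reg.register((IAttributeAnnotatable,), IAnnotations, AttributeAnnotations)
    if keep_two_arg_registration:  # the registration the attached patch removes
        reg.register((IAttributeAnnotatable, ANY), IAnnotations, AttributeAnnotations)
    return reg

def publish_default_view(keep_two_arg_registration):
    """The '@@' traverser: nameless multi-adapter on (context, request), any provided."""
    view = build_registry(keep_two_arg_registration).query_multi((Content(), Request()))
    return None if view is None else view()

def annotations_for(keep_two_arg_registration):  # ordinary IAnnotations(obj) use
    return build_registry(keep_two_arg_registration).query_multi((Content(),), IAnnotations)
```

With the two-argument registration present, the nameless lookup the traverser performs returns the annotations adapter and its private contents are published; with only the single-argument registration left, the traverser finds nothing while IAnnotations(obj) still works.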