AccessRules can't safely be used for security
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Zope 2 | Fix Released | High | Tres Seaver | |
Bug Description
Because anybody can use the _SUPPRESS_
off AccessRules they aren't safe to use for security. My concern is,
given the name of the object, that people will use it incorrectly.
Seeing as there really isn't any value in letting anonymous users
disable AccessRules on a whim, I think the traversal hack should be
removed entirely. The environment variable disabling semaphore is safer.
@@
def __call__(self, container, request):
if SUPPRESS_
- if '_SUPPRESS_
- request.
- return
-def _swallow(request, prefix):
- path = request[
- steps = request.steps
- i = len(steps)
- while i > 0 and steps[i - 1][:1] == '_':
- i = i - 1
- while path and path[-1]
- steps.append(
- return steps[i:]
-
def manage_
"""Point a __before_traverse__ entry at the specified method"""
# We want the original object, not stuff in between, and no acquisition
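Review bot: The deletion of the module-level `_swallow(request, prefix)` helper, together with the `if '_SUPPRESS_` branch in `__call__`, needs a check that nothing outside this module still imports or calls `_swallow`, since a leftover reference would fail at import or call time. No test is visible in this hunk, so please add a regression test asserting that a request whose path carries the old suppression step still has the access rule invoked, and that the retained `if SUPPRESS_` check still short-circuits `__call__` when it is set. A changelog line stating that the URL-based switch is gone and that the environment variable is the remaining way to disable rules would help sites that relied on the old behaviour.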
Changed in zope2:
status: Confirmed → In Progress
Changed in zope2:
status: Fix Committed → Fix Released
I agree that stripping out the URL-based suppression is the right thing to do here.
We also need to rip out the equivalent code inside Products.SiteAccess.SiteRoot.