On 1/27/13 6:00 PM, Tres Seaver wrote:
> On 01/27/2013 08:49 AM, Julien Cristau wrote:
>> On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
>>> Tres Seaver <tsea...@palladion.com> writes:
>>>>> * CVE-2012-5505 (zope.traversing: atat.py)
>>>>> http://plone.org/products/plone/security/advisories/20121106/21
>>>> That "fix" is also disputed: hiding the "default" view from the
>>>> '@@' name does not actually improve security at all. There is a
>>>> Launchpad bug where it is being debated (#1079225), but that
>>>> bug is still in "Private Security" mode. The correct fix is to
>>>> change the code of the multi-adapter to barf if published via a
>>>> URL.
>>> Any idea when this patch will be released? Thanks.
>> Is there any news on that issue?
> I still believe the report is in error: we cannot hide default (unnamed)
> views simply because an application might register one in error.
> Any view which does not want to be called via URLs needs to handle that
> directly: registering a multiadapter for (IThing, None) *is* registering
> a view.

Plone includes the configuration of zope.annotation, which registers a
multiadapter of (IAnnotations, Interface) that, as far as I can tell, is
not intended as a view and can expose information that was meant to be
private. Our patch therefore monkey-patched the view traverser in
zope.traversing to prevent it from being published. zope.annotation is
not configured in Zope 2 out of the box.