Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

David Glick (Plone) david.glick at plone.org
Sun Jan 27 16:55:55 UTC 2013


On 1/27/13 6:00 PM, Tres Seaver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/27/2013 08:49 AM, Julien Cristau wrote:
>> On Mon, Nov 26, 2012 at 18:53:58 +0900, Arnaud Fontaine wrote:
>>
>>> Tres Seaver <tseaver at palladion.com> writes:
>>>
>>>>> * CVE-2012-5505 (zope.traversing: atat.py)
>>>>> http://plone.org/products/plone/security/advisories/20121106/21
>>>> That "fix" is also disputed: hiding the "default" view from the
>>>> '@@' name does not actually improve security at all. There is a
>>>> Launchpad bug where it is being debated (#1079225), but that
>>>> bug is still in "Private Security" mode. The correct fix is to
>>>> change the code of the multi-adapter to barf if published via a
>>>> URL.
>>> Any idea when this patch will be released? Thanks.
>>>
>> Is there any news on that issue?
> I still believe the report is in error: we cannot hide default (unnamed)
> views simply because an application might register one in error.
> Any view which wants not to be called via URLs needs to handle that
> directly: registering a multiadapter for (IThing, None) *is* registering
> a view.
>
>
Plone includes the configuration of zope.annotation which registers a 
multiadapter of (IAnnotations, Interface) that, as far as I can tell, is 
not intended as a view and can expose information that was meant to be 
private. Our patch therefore monkey-patched the view traverser in 
zope.traversing to prevent it from being published. zope.annotation is 
not configured in Zope 2 out of the box.
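The disagreement above is about what the '@@' view traverser will hand to the publisher. The following is an added, stand-alone illustration written for this thread; it is not zope.traversing, zope.annotation or Plone code. The adapter registry, the `Item` and `BrowserRequest` stand-ins, the `GuardedAnnotations` class and the shape of both mitigations are assumptions made for the example: `hide_default` models Plone's monkey patch (refuse an empty view name after '@@'), and `GuardedAnnotations` models one possible reading of the fix Tres describes (the adapter refusing a published request), which the thread itself does not spell out.

```python
"""Toy model of '@@' view traversal, added as an illustration; not Zope or
Plone code.  Registry, Item/BrowserRequest and both mitigations are assumed."""


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


class BrowserRequest:
    """Stand-in for the request passed as the second adapter argument."""


class Item:
    """Content object whose private data lives in its annotations."""

    def __init__(self):
        self.__annotations__ = {"owner_secret": "s3cr3t"}


# Registrations: (required types, view name, factory).  `object` plays the
# role of zope.interface.Interface: it matches any second argument.
REGISTRY = []


def register_multiadapter(required, factory, name=""):
    REGISTRY.append((tuple(required), name, factory))


def query_multiadapter(objects, name=""):
    """Return factory(*objects) for the first matching registration, else None."""
    for required, reg_name, factory in REGISTRY:
        if reg_name == name and len(required) == len(objects) and all(
                isinstance(ob, req) for ob, req in zip(objects, required)):
            return factory(*objects)
    return None


class IndexView:
    """A real view, registered by name for (Item, BrowserRequest)."""

    def __init__(self, context, request):
        self.context = context

    def __call__(self):
        return "<h1>item</h1>"


class AttributeAnnotations:
    """Like zope.annotation's adapter: unnamed, registered for (Item, Interface)
    so it can be looked up as (context, request), never meant as a view."""

    def __init__(self, context, request=None):
        self.context = context

    def __getitem__(self, key):
        return self.context.__annotations__[key]


class GuardedAnnotations(AttributeAnnotations):
    """Assumed reading of Tres's fix: refuse to be built for a published
    request, so traversal cannot reach it; (context, None) still works."""

    def __init__(self, context, request=None):
        if isinstance(request, BrowserRequest):
            raise Forbidden("annotations are not publishable")
        super().__init__(context, request)


def traverse(context, request, path, hide_default=False):
    """Resolve ['@@', 'owner_secret']: '@@name' -> multiadapter lookup on
    (ob, request); any other segment -> item access on the current object.
    hide_default=True models Plone's patch: an empty name after '@@' is 404."""
    ob = context
    for segment in path:
        if segment.startswith("@@"):
            name = segment[2:]
            if hide_default and name == "":
                raise NotFound(segment)
            ob = query_multiadapter((ob, request), name=name)
            if ob is None:
                raise NotFound(segment)
        else:
            try:
                ob = ob[segment]
            except (KeyError, TypeError):
                raise NotFound(segment) from None
    return ob


def publish(context, request, path, hide_default=False):
    """Traverse, then render: call the result if callable, else str() it."""
    ob = traverse(context, request, path, hide_default)
    return ob() if callable(ob) else str(ob)


def demo():
    """Run the leak and both mitigations; returns a dict of outcomes."""
    del REGISTRY[:]
    register_multiadapter((Item, BrowserRequest), IndexView, name="index")
    register_multiadapter((Item, object), AttributeAnnotations)  # unnamed
    item, request = Item(), BrowserRequest()
    results = {"index": publish(item, request, ["@@index"])}
    # Unpatched: '@@' resolves the unnamed adapter, '/owner_secret' reads it.
    results["leak"] = publish(item, request, ["@@", "owner_secret"])
    try:  # Plone's patch: the default view is hidden from '@@'.
        publish(item, request, ["@@", "owner_secret"], hide_default=True)
        results["plone_patch"] = "reachable"
    except NotFound:
        results["plone_patch"] = "NotFound"
    del REGISTRY[:]  # Adapter that refuses to be published instead.
    register_multiadapter((Item, object), GuardedAnnotations)
    try:
        publish(item, request, ["@@", "owner_secret"])
        results["guarded"] = "reachable"
    except Forbidden:
        results["guarded"] = "Forbidden"
    results["programmatic"] = query_multiadapter((item, None))["owner_secret"]
    return results
```

Running `demo()` shows the two positions side by side: hiding the empty name from '@@' closes this one path while leaving the adapter registered as an unnamed view, whereas an adapter that refuses a published request stays unreachable however the traverser is written, yet still serves ordinary `(context, None)` lookups.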


