Commit d657c712 authored by Hanno Schlichting's avatar Hanno Schlichting

Merge security fix from 2.13 branch

parent 55053f4f
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
<include file="meta.zcml" /> <include file="meta.zcml" />
<include package="AccessControl" file="permissions.zcml" /> <include package="AccessControl" file="permissions.zcml" />
<include package="zope.traversing" /> <include file="traversing.zcml" />
<include package="OFS "/> <include package="OFS "/>
<include package="ZPublisher" /> <include package="ZPublisher" />
......
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
<exclude package="zope.browserpage" file="meta.zcml" /> <exclude package="zope.browserpage" file="meta.zcml" />
<exclude package="zope.browsermenu" file="meta.zcml" /> <exclude package="zope.browsermenu" file="meta.zcml" />
<exclude package="zope.browserresource" file="meta.zcml" /> <exclude package="zope.browserresource" file="meta.zcml" />
<exclude package="zope.traversing" />
<exclude package="zope.publisher" file="meta.zcml" /> <exclude package="zope.publisher" file="meta.zcml" />
<exclude package="zope.viewlet" file="meta.zcml" /> <exclude package="zope.viewlet" file="meta.zcml" />
......
from zExceptions import Forbidden
from zope.interface.interface import InterfaceClass
from zope.traversing import namespace
class resource(namespace.view):
def traverse(self, name, ignored):
# The context is important here, since it becomes the parent of the
# resource, which is needed to generate the absolute URL.
res = namespace.getResource(self.context, name, self.request)
if isinstance(res, InterfaceClass):
raise Forbidden('Access to traverser is forbidden.')
return res
<configure xmlns="http://namespaces.zope.org/zope">
<!-- define default namespace adapters, etc. -->
<adapter
for="*"
factory="zope.traversing.adapters.Traverser"
provides="zope.traversing.interfaces.ITraverser" />
<adapter
for="*"
factory="zope.traversing.adapters.DefaultTraversable"
provides="zope.traversing.interfaces.ITraversable" />
<adapter
name="etc"
for="*"
provides="zope.traversing.interfaces.ITraversable"
factory="zope.traversing.namespace.etc"
/>
<adapter
name="etc"
for="* zope.publisher.interfaces.IRequest"
provides="zope.traversing.interfaces.ITraversable"
factory="zope.traversing.namespace.etc"
/>
<adapter
name="adapter"
for="*"
provides="zope.traversing.interfaces.ITraversable"
factory="zope.traversing.namespace.adapter"
/>
<adapter
name="adapter"
for="* zope.publisher.interfaces.IRequest"
provides="zope.traversing.interfaces.ITraversable"
factory="zope.traversing.namespace.adapter"
/>
<adapter
name="skin"
for="* zope.publisher.interfaces.IRequest"
provides="zope.traversing.interfaces.ITraversable"
factory="zope.traversing.namespace.skin"
/>
<adapter
name="resource"
for="* zope.publisher.interfaces.IRequest"
provides="zope.traversing.interfaces.ITraversable"
factory="Zope2.App.traversing.resource"
/>
<adapter
name="view"
for="* zope.publisher.interfaces.IRequest"
provides="zope.traversing.interfaces.ITraversable"
factory="zope.traversing.namespace.view"
/>
</configure>
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment