Commit b26e453b authored by Tres Seaver's avatar Tres Seaver

Prevent sandbox escape via 'BaseRequest.traverseName'.

Fixes LP #1095343.
parent 578139ba
...@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/ ...@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
2.12.28 (unreleased) 2.12.28 (unreleased)
-------------------- --------------------
- LP #1095343: prevent sandbox escape via ``BaseRequest.traverseName``.
- LP #1094144: prevent arbitrary redirections via faked "CANCEL" buttons. - LP #1094144: prevent arbitrary redirections via faked "CANCEL" buttons.
- LP #1094221: add permissions to some unprotected methods of - LP #1094221: add permissions to some unprotected methods of
......
...@@ -341,6 +341,7 @@ class BaseRequest: ...@@ -341,6 +341,7 @@ class BaseRequest:
ob2 = adapter.publishTraverse(self, name) ob2 = adapter.publishTraverse(self, name)
return ob2 return ob2
traverseName__roles__ = ()
def traverse(self, path, response=None, validated_hook=None): def traverse(self, path, response=None, validated_hook=None):
"""Traverse the object space """Traverse the object space
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment