Backport the security fix to 0.11.

CHANGES.txt

@@ -10,6 +10,8 @@ Bug fixes
 * Port fix of zope.formlib to correctly adapt the context to a FormField's
   interface, not the field'
 
+* Fix bad security hole.
+
 0.11.1 (2008-01-20)
 ===================
 

src/grok/components.py

@@ -354,22 +354,19 @@ class DirectoryResource(directoryresource.DirectoryResource):
             continue
         resource_factories[type] = factory
 
-
-class DirectoryResourceFactory(object):
+class DirectoryResourceFactory(directoryresource.DirectoryResourceFactory):
     # We need this to allow hooking up our own GrokDirectoryResource
     # and to set the checker to None (until we have our own checker)
 
-    def __init__(self, path, name):
-        # XXX we're not sure about the checker=None here
-        self.__dir = directoryresource.Directory(path, None, name)
-        self.__name = name
-
     def __call__(self, request):
+        # Override this method for the following line, in which our
+        # custom DirectoryResource class is instantiated.
         resource = DirectoryResource(self.__dir, request)
+        resource.directory_factory = DirectoryResourceFactory
+        resource.__Security_checker__ = self.__checker
         resource.__name__ = self.__name
         return resource
 
-
 class Traverser(object):
     interface.implements(IBrowserPublisher)
 

src/grok/meta.py

@@ -17,6 +17,7 @@
 
 import zope.component.interface
 from zope import interface, component
+from zope.security.checker import NamesChecker
 from zope.publisher.interfaces.browser import (IDefaultBrowserLayer,
                                                IBrowserRequest,
                                                IBrowserPublisher,
@@ -461,6 +462,11 @@ def grok(self, name, module, module_info, config, **kw):
         return True
 
 
+allowed_resource_names = (
+    'GET', 'HEAD', 'publishTraverse', 'browserDefault', 'request', '__call__')
+
+allowed_resourcedir_names = allowed_resource_names + ('__getitem__', 'get')
+
 class StaticResourcesGrokker(martian.GlobalGrokker):
 
     def grok(self, name, module, module_info, config, **kw):
@@ -484,8 +490,10 @@ def grok(self, name, module, module_info, config, **kw):
                         "resource directory and a module named "
                         "'static.py'", module_info.getModule())
 
+        checker = NamesChecker(allowed_resourcedir_names)
         resource_factory = components.DirectoryResourceFactory(
-            resource_path, module_info.dotted_name)
+            resource_path, checker, module_info.dotted_name)
+
         adapts = (IDefaultBrowserLayer,)
         provides = interface.Interface
         name = module_info.dotted_name

src/grok/publication.py

@@ -27,6 +27,10 @@
      BrowserFactory, XMLRPCFactory, HTTPFactory
 from zope.app.http.interfaces import IHTTPException
 
+from zope.publisher.interfaces.browser import IBrowserView
+from grok.components import View as GrokView
+from grok.components import JSON
+
 class ZopePublicationSansProxy(object):
 
     def getApplication(self, request):
@@ -36,8 +40,16 @@ def getApplication(self, request):
     def traverseName(self, request, ob, name):
         result = super(ZopePublicationSansProxy, self).traverseName(
             request, ob, name)
-        return removeSecurityProxy(result)
-
+        bare_result = removeSecurityProxy(result)
+        if IBrowserView.providedBy(bare_result):
+            if isinstance(bare_result, (GrokView, JSON)):
+                return bare_result
+            else:
+                return result
+        else:
+            return bare_result
+
+
     def callObject(self, request, ob):
         checker = selectChecker(ob)
         if checker is not None:

versions.cfg

@@ -95,6 +95,6 @@ zope.structuredtext = 3.4.0
 zope.tal = 3.4.0b1
 zope.tales = 3.4.0a1
 zope.testbrowser = 3.4.1
-zope.testing = 3.5.1
+zope.testing = 3.6.0
 zope.thread = 3.4
 zope.traversing = 3.5.0a1.dev-r78730