Authored by Thimo Kraemer

Zope: Restricted URL Traversal

What is meant by Restricted URL Traversal is the possibility to prevent cross site access in Zope. Let's say we have the following structure:

|____ Folder1 (Root for www.domain1.tld)
|   |
|   |____ index_html
|   |
|   |____ images
|____ Folder2 (Root for www.domain2.tld)
    |____ index_html

Because of Zope's path traversal and acquisition it is possible to access the content of Folder1 under the URL http://www.domain2.tld/Folder1. How can this behaviour be prevented in as centralized a way as possible?

Well, in Zope you can set Access Rules for objects in the ZMI. These Access Rules are executed on each request before any traversal and publishing is done, so at that point nothing is known about the final context or the authentication. That is what we have to change first, by means of a Post Traversal Hook.

Under the root folder of your ZMI create a Script (Python) and name it access_rule. Give it two parameters (folder, request) and the body of this snippet.

Now make it an Access Rule as explained here. After that you have something like the precondition attribute of a File object. Just add a Script (Python) with the id post_traverse_access_rule to a folder you want to control and it will be called on each request for any object under that folder. The script should return a dictionary, which can contain the following attributes:

  • traversal_repeating
    If set to true, your script will be called each time the traversal machinery comes upon the container of your script.

  • apply_to_manager
    If set to true, return values of your script will be applied also when the user has a manager role, otherwise they are ignored. Use with care!

  • restrict_hostnames
    Can be set to a list or a whitespace-separated string of allowed hostnames (e.g. ['', '', '']). Each request with a hostname not in that list gets a NotFound error.

  • restrict_parent_traversal
    If set to true, you cannot traverse up from that folder. A list of allowed paths can be passed instead.

  • force_direct_traversal
    Can be set to parents, children or both and prevents cross traversal.

  • redirect_url
    This attribute specifies a URL the user will be redirected to.

  • return_value
    Set this attribute if you want to return a value. If it is an exception, it will be raised. Note that this value will be the final response to the user.

Any return value other than a dictionary is ignored, to lower the risk of locking yourself out of Zope. Exceptions are collected and added to the REQUEST object (access_rule_errors). Should you lock yourself out of Zope anyway, you can try to disable the Access Rule by adding _SUPPRESS_ACCESSRULE to the URL, or restart Zope with suppress-all-access-rules on in zope.conf.
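As an added illustration (not the author's access_rule script and not Zope code), here is a stand-alone Python model of how the dictionary returned by a post_traverse_access_rule script could be applied to the two vhosts above; the names NotFound, Redirect, evaluate_rule and check, the evaluation order, and the constructed request dicts are assumptions of this example.

```python
# Constructed model of evaluating a post_traverse_access_rule dictionary.
# It does not import Zope; NotFound and Redirect stand in for the real responses.

class NotFound(Exception):
    """Stand-in for the NotFound error a rejected hostname receives."""

class Redirect(Exception):
    """Stand-in for an HTTP redirect; carries the target URL."""

def folder1_post_traverse_access_rule(folder, request):
    # What a Script (Python) 'post_traverse_access_rule' in Folder1 might return:
    # Folder1 may only be served for domain1, so www.domain2.tld/Folder1 is refused.
    return {'restrict_hostnames': 'www.domain1.tld domain1.tld',
            'restrict_parent_traversal': True}

def _hostnames(value):
    # restrict_hostnames may be a list or a whitespace-separated string.
    return value.split() if isinstance(value, str) else list(value)

def evaluate_rule(rule, request):
    """Apply a hook's return value to a constructed request dict
    ({'hostname': ..., 'roles': [...]}). Returns the request if allowed, or the
    return_value; raises NotFound, Redirect or a return_value exception.
    The evaluation order is an assumption of this model."""
    if not isinstance(rule, dict):
        return request               # anything but a dict is ignored
    if 'Manager' in request.get('roles', ()) and not rule.get('apply_to_manager'):
        return request               # managers bypass the rule unless apply_to_manager
    allowed = rule.get('restrict_hostnames')
    if allowed is not None and request['hostname'] not in _hostnames(allowed):
        raise NotFound(request['hostname'])
    if rule.get('redirect_url'):
        raise Redirect(rule['redirect_url'])
    if 'return_value' in rule:
        value = rule['return_value']
        if isinstance(value, BaseException):
            raise value              # an exception is raised instead of returned
        return value                 # otherwise it becomes the final response
    return request

def check(hostname, roles=()):
    """Run Folder1's rule for a constructed request; 'allowed' or the error name."""
    request = {'hostname': hostname, 'roles': list(roles)}
    try:
        evaluate_rule(folder1_post_traverse_access_rule(None, request), request)
        return 'allowed'
    except (NotFound, Redirect) as exc:
        return type(exc).__name__
```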