From 14fa211714f070b2ea8d1a46b79ef80761d97eb0 Mon Sep 17 00:00:00 2001 From: Alessandro Pisa Date: Thu, 22 Feb 2024 17:28:31 +0100 Subject: [PATCH] Fix WebDAV traversal Fix a traversal error that happens when traversing a WebDAV resource and the virtual host monster is used. Fixes #195 --- news/195.bugfix | 2 ++ plone/dexterity/browser/traversal.py | 9 +++++++++ 2 files changed, 11 insertions(+) create mode 100644 news/195.bugfix diff --git a/news/195.bugfix b/news/195.bugfix new file mode 100644 index 00000000..4be48e5c --- /dev/null +++ b/news/195.bugfix @@ -0,0 +1,2 @@ +Fix a traversal error that happens when traversing a WebDAV resource and the virtual host monster is used. +[ale-rt] diff --git a/plone/dexterity/browser/traversal.py b/plone/dexterity/browser/traversal.py index 55e6b9e7..b7dd6976 100644 --- a/plone/dexterity/browser/traversal.py +++ b/plone/dexterity/browser/traversal.py @@ -4,6 +4,7 @@ from plone.dexterity.filerepresentation import FolderDataResource from plone.dexterity.interfaces import DAV_FOLDER_DATA_ID from plone.dexterity.interfaces import IDexterityContent +from Products.SiteAccess.VirtualHostMonster import VirtualHostMonster from webdav.NullResource import NullResource from zope.component import adapter from zope.publisher.interfaces.browser import IBrowserRequest @@ -38,6 +39,14 @@ def publishTraverse(self, request, name): defaultTraversal = super().publishTraverse(request, name) + if isinstance(defaultTraversal, VirtualHostMonster): + # If we are traversing to a VHM, we want to just return it immediately. + # For WebDAV requests, the check that controls if the parent + # of the traversed object is the same as the context + # will most probably fail because VHM parent will usually be + # the Zope App object. + return defaultTraversal + # If this is a WebDAV PUT/PROPFIND/PROPPATCH request, don't acquire # things. If we did, we couldn't create a new object with PUT, for # example, because the acquired object would shadow the NullResource