5 Jul 2010, 4:57 p.m.
On 07/02/2010 11:49 AM, Tres Seaver wrote:
Jim has asserted (but not really explained) that the C extension closes some kind of security hole. I don't see any credible attack vector myself, but then I no longer believe it worthwhile to devote my own energy to defending against malicious TTW programmers.
FWIW, I imagine the problem is that zope.security treats zope.i18nmessageid as a rock, so if the implementation is in Python, it probably allows untrusted code to do this:
>>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__']
<built-in function __import__>
I suggest the bug is in zope.security, which should never allow a type written in Python to be a rock.

Shane
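An added example of the kind of check Shane is proposing (my code, not from the thread and not zope.security's own): refuse to treat a Python-defined type as a rock. It assumes CPython, where types created by a class statement carry the Py_TPFLAGS_HEAPTYPE bit in type.__flags__; PyMessage is a constructed stand-in for a message id class implemented in Python.

```python
"""Decide whether a type is safe to treat as a zope.security "rock".

A rock is handed to untrusted code without a security proxy, so its type
must not expose Python function objects: their __globals__ reach the
defining module's namespace and, through it, __builtins__. CPython marks
types defined in Python with Py_TPFLAGS_HEAPTYPE in type.__flags__;
types implemented in C (str, int, ...) lack that bit.
"""
import types

# CPython's flag for heap types, i.e. classes created by a class statement.
PY_TPFLAGS_HEAPTYPE = 1 << 9


def is_c_implemented(cls):
    """True when cls is a static, C-implemented type rather than a Python class."""
    return not (cls.__flags__ & PY_TPFLAGS_HEAPTYPE)


def leaks_function_globals(cls):
    """True if any attribute in cls's own namespace is a Python function.

    Methods of a Python class are function objects carrying __globals__;
    the slot wrappers and method descriptors of a C type are not.
    """
    return any(isinstance(v, types.FunctionType) for v in vars(cls).values())


def is_safe_rock(cls):
    """Accept only C-implemented types whose namespace holds no Python functions."""
    return is_c_implemented(cls) and not leaks_function_globals(cls)


class PyMessage(str):
    """Constructed stand-in for a message id class written in Python."""
    __slots__ = ()

    def mapping(self):
        return {}


if __name__ == "__main__":
    for cls in (str, int, PyMessage):
        print(cls.__name__, "safe rock:", is_safe_rock(cls))
```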