Re: [Zope-dev] [ZODB-Dev] Bug (?) in zope/publisher/publish.py:unwrapMethod
On Tuesday 25 January 2011 19:08:11, Tres Seaver wrote:
> The Zope2-specific version of 'mapply()' (in 'ZPublisher.mapply') is the right place to fix this issue, if it is to be fixed:

Thanks for the info.

> P.S. This issue is off-topic for the ZODB list: I have cross-posted to 'zope-dev': please follow up there.

Whoops, lazy typing and wrong mail client completion. I indeed intended it for zope-dev. For some reason, I didn't see your mail on zope-dev (I checked the archives too, but they might be lagging).

--
Vincent Pelletier
On Wednesday 26 January 2011 08:54:02, Vincent Pelletier wrote:
> For some reason, I didn't see your mail on zope-dev

As this mail reached the list, I think Tres' mail got caught by some filter. Original mail was:

In publish.py[1], unwrapMethod tries to find what can be used to publish an object. In a site, I had someone create a very-badly-named "func_code" external method in a place accessible by acquisition from every page on the site (this is bad by itself, and I corrected it already). This caused unwrapMethod to think it can use any object directly for publishing, because of:

    elif getattr(unwrapped, 'func_code', None) is not None:
        break

and "unwrapped" is still in an acquisition context.

Shouldn't the checks be done on unwrapped (from acquisition context) objects instead, to prevent such a stupid mistake from having such a wide impact? I have the intuition that this could even be a security problem, allowing an unexpected object to be called instead of another, but I cannot come up with an example.

Do you think there is anything to fix in zope.publisher[2]? If so, I'll open a bug.

[1] http://svn.zope.org/zope.publisher/trunk/src/zope/publisher/publish.py?view=...
[2] following Tres' answer, make this "Zope2's mapply"

Regards,
--
Vincent Pelletier
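
A minimal model of the behaviour described in the mail above, added here as an example and not taken from zope.publisher, Zope2 or the original post. `Wrapper` is a toy stand-in for an implicit acquisition wrapper, and `Folder`, `Page`, `Script`, `base_of`, `build_site` and the two check functions are hypothetical names; it compares the quoted `func_code` test applied in context with the same test applied to the unwrapped object.

```python
class Wrapper:
    """Toy stand-in for an implicit acquisition wrapper (not Zope's code)."""

    def __init__(self, obj, parent):
        self._obj = obj
        self._parent = parent

    def __getattr__(self, name):
        # Reached only when normal lookup fails: try the wrapped object,
        # then fall back to the container, as acquisition does.
        try:
            return getattr(self._obj, name)
        except AttributeError:
            return getattr(self._parent, name)


def base_of(obj):
    """Strip toy wrappers (the role the acquisition base plays)."""
    while isinstance(obj, Wrapper):
        obj = obj._obj
    return obj


def check_in_context(obj):
    # The test quoted in the mail, applied to the object still in context.
    return getattr(obj, "func_code", None) is not None


def check_on_base(obj):
    # The variant the mail asks about: test the unwrapped object only.
    return getattr(base_of(obj), "func_code", None) is not None


class Folder: pass
class Page: pass                      # content object, no func_code of its own
class Script: func_code = object()    # constructed: carries its own func_code


def build_site(stray_method):
    """Constructed sample site: a root folder containing one page and one script."""
    root = Folder()
    if stray_method:
        root.func_code = object()     # the badly named object at the root
    return Wrapper(Page(), root), Wrapper(Script(), root)


if __name__ == "__main__":
    for stray in (False, True):
        page, script = build_site(stray)
        print(stray, check_in_context(page), check_on_base(page),
              check_in_context(script), check_on_base(script))
```
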