---- Original Message ----- From: "Brian Lloyd" <brian@zope.com>
An object with lines properties in Zope264rc2 returns a tuple, while in Zope261 it returns a list. I haven't found information about this, neither in the 264rc2's changes log nor within this list. Is it a bug or a new feature?
It is a bug fix / security fix. Storing properties in lists is bad because lists are mutable and cannot be protected directly using security assertions. ...
I used to use that as a feature, though I agree that it can also be a potential security breach. Maybe it's worth the pain to put that as a configurable feature in z2.py, and the new standard as default. Otherwise I'm afraid I'll have a rewriting weekend. Does this break code to anyone else? Ausum
... Theoretically, an evil- intentioned scripter could change a property if it is stored as a list (though they'd have to find some way to force the persistent state of the parent object to be saved for the change to be saved).
Brian Lloyd brian@zope.com V.P. Engineering 540.361.1716 Zope Corporation http://www.zope.com