ZClass : strange behaviour of a lines item in a propertysheet
Hi Zopistas,

I'm making a ZClass with a "lines" property in a propertysheet. I add items in that list with a Python script in the methods of that ZClass:

    mylist = container.list_links
    ...
    mylist.extend(items)

The strange thing is that sometimes, the items are appended to the list_links property of the object (that's OK), and other times - in an untimely manner - the items are appended TO THE PROPERTY DEFINITION IN THE ZCLASS ITSELF !!!!!

Is it a Zope bug? Does an object have the ability to modify its own class !!!! In that case, it's a big security issue!

This has been noticed on a Win32/Zope 2.5.1 box. I didn't yet try on my FreeBSD box.

Any idea?

--Gilles
That is because you are changing a mutable attribute in place. When the object is new, this attribute is a class attribute, and changing it will change the class. If the attribute has been set to a value it becomes an instance attribute. Here is an illustration:
    >>> class Test:
    ...     alist = []
    ...
    >>> foo = Test()
    >>> bar = Test()
    >>> foo.alist.extend([1,2,3])   # This changes the class attribute in place
    >>> bar.alist
    [1, 2, 3]
    >>> foo.alist = [1,2]           # This sets an instance attribute
    >>> foo.alist.extend([3,4,5])   # This changes the inst attribute
    >>> bar.alist
    [1, 2, 3]
    >>> foo.alist
    [1, 2, 3, 4, 5]
Furthermore, modifying properties this way relies on the implementation detail that properties are stored as direct attributes of objects. This is brittle and will probably cause your code to break in later Zope versions (Zope 3 in particular). Instead use the (arguably poor) property manager API:

    getProperty(name)
    manage_changeProperties({name:value})

Or better yet don't use ZClasses and property sheets at all and invent your own API.

As to whether this is a security hole, it's just data, not code. Given the implementation I don't see a good way around it, other than somehow forbidding Python scripts to change class attributes. How you would do that I don't know.

hth,

-Casey

On Thursday 12 September 2002 04:04 pm, Gilles Lenfant wrote:
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
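The behaviour discussed in this thread, as an added example that is not part of the original messages: a write made through one object shows up in every other object still using the class default, while copy-then-assign keeps it on the instance. It uses plain Python rather than Zope; `LinkHolder`, `FrozenDefaultHolder` and the helper functions are hypothetical names, and the URLs are constructed sample values.

```python
class LinkHolder:
    """Hypothetical stand-in for a ZClass whose property sheet defines list_links."""
    list_links = []  # default lives on the class, shared by every instance

class FrozenDefaultHolder:
    """Same idea with an immutable default: in-place mutation fails loudly."""
    list_links = ()

def is_class_default(obj, name):
    """True while `name` is still served by the class, not the instance."""
    return name not in vars(obj) and hasattr(type(obj), name)

def add_in_place(obj, items):
    """Pattern from the thread: mutates whichever list the lookup returned."""
    obj.list_links.extend(items)

def add_by_assignment(obj, items):
    """Copy, extend the copy, assign: the write always lands on the instance."""
    obj.list_links = list(obj.list_links) + list(items)

def demo():
    a, b = LinkHolder(), LinkHolder()
    results = {"a_uses_default_before": is_class_default(a, "list_links")}
    add_in_place(a, ["http://a.example/"])      # constructed sample value
    results["b_sees_a_data"] = list(b.list_links)
    results["class_default_polluted"] = list(LinkHolder.list_links)

    LinkHolder.list_links = []                   # reset the shared default
    c, d = LinkHolder(), LinkHolder()
    add_by_assignment(c, ["http://c.example/"])
    results["c_links"] = c.list_links
    results["d_links"] = list(d.list_links)
    results["c_uses_default_after"] = is_class_default(c, "list_links")

    try:
        add_in_place(FrozenDefaultHolder(), ["x"])
        results["frozen_rejected"] = False
    except AttributeError:                       # tuple has no .extend
        results["frozen_rejected"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A check like `is_class_default` is useful in review or tests to find code paths that mutate a shared default before any instance value has been assigned.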
Many thanks Casey,

I fixed the problem thanks to your explanations. I thought the list was an instance attr when it's a class attr.

--Gilles

----- Original Message -----
From: "Casey Duncan" <casey@zope.com>
To: "Gilles Lenfant" <gilles@pilotsystems.net>; <zope@zope.org>
Sent: Friday, September 13, 2002 5:26 AM
Subject: Re: [Zope] ZClass : strange behaviour of a lines item in a propertysheet