Security issue FIXED by installing VerboseSecurity?
I am trying to move my application from Zope 2.5 to Zope 2.7. There was the security audit, so problems are expected to crop up. But I stumbled across something inexplicable...

Pretty innocent Python Script gives error "ValueError: unpack list of wrong size". To investigate the error, I installed VerboseSecurity. The error disappeared. I removed VerboseSecurity. Error appeared. I installed VerboseSecurity again. Error disappeared.

How is this possible? I did not even set ZOPE_SECURITY_POLICY=PYTHON, because I was not sure if Zope 2.7 reads environment variables. Yet VerboseSecurity "fixed" the error. I don't like this kind of fix... especially since I do not understand it.

Here's the script in question:

    Dct={}
    Dct['readers'] = context.readers+1
    context.propertysheets.data.manage_changeProperties(Dct)

It's the third line that caused the error. This script runs "proxy Manager" because it updates a property even if the user is not the owner of the ZClass instance that this script belongs to.

Here's the traceback:

    Traceback (innermost last):
      * Module ZPublisher.Publish, line 100, in publish
      * Module ZPublisher.mapply, line 88, in mapply
      * Module ZPublisher.Publish, line 40, in call_object
      * Module OFS.DTMLMethod, line 130, in __call__
        <DTMLMethod instance at 4187a320>
        URL: http://localhost:9080/choroby/ucho/skalni/obecne/1/index_html_top/manage_mai...
        Physical Path:/www.orl.cz/choroby/ucho/skalni/obecne/1/index_html_top
      * Module DocumentTemplate.DT_String, line 474, in __call__
      * Module Shared.DC.Scripts.Bindings, line 320, in __render_with_namespace__
      * Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
      * Module Products.PythonScripts.PythonScript, line 318, in _exec
      * Module None, line 3, in inc_readers
        <PythonScript at /www.orl.cz/choroby/ucho/skalni/obecne/1/inc_readers>
        Line 3
      * Module AccessControl.Owned, line 123, in getWrappedOwner
    ValueError: unpack list of wrong size

-- 
Milos Prudek
_________________
Most websites are confused chintzy gaudy conflicting tacky unpleasant... unusable.
Learn how usable YOUR website is! http://www.spoxdesign.com
My bad, I discovered in http://zope.org/Products/Zope/2.6.3/zope_2_6_3_announce that VerboseSecurity is simply not supported in Zope 2.6.3+, so I should not have installed it in the first place.

Could someone look at the traceback of the original post and point me in the right direction how to fix or debug the error described in the original post?

-- 
Milos Prudek
To close the issue:

The error in my original post is not new. See http://mail.zope.org/pipermail/zope/2004-February/146957.html
and Collector issue filed on March 24:
http://zope.org/Collectors/Zope/1271

This error unfortunately applies both to Zope 2.6.4 and Zope 2.7.0

-- 
Milos Prudek

On Thursday 25 March 2004 18:16, Milos Prudek wrote:
> To close the issue:
>
> The error in my original post is not new. See http://mail.zope.org/pipermail/zope/2004-February/146957.html
> and Collector issue filed on March 24:
> http://zope.org/Collectors/Zope/1271
>
> This error unfortunately applies both to Zope 2.6.4 and Zope 2.7.0

Disabling the proxy should work around the problem.

> > This error unfortunately applies both to Zope 2.6.4 and Zope 2.7.0
>
> disabling the proxy should workaround the problem

Disabling the proxy means losing functionality. I need the script to run under Manager so that it can modify an instance it does not own.

-- 
Milos Prudek

I don't think the verbose security product has yet been ported to 2.7.

On Wed, 24 Mar 2004, Milos Prudek wrote:
> I am trying to move my application from Zope 2.5 to Zope 2.7. There was the security audit, so problems are expected to crop up. But I stumbled across something inexplicable...
>
> Pretty innocent Python Script gives error "ValueError: unpack list of wrong size". To investigate the error, I installed VerboseSecurity. The error disappeared. I removed VerboseSecurity. Error appeared. I installed VerboseSecurity again. Error disappeared.
>
> How is this possible? I did not even set ZOPE_SECURITY_POLICY=PYTHON, because I was not sure if Zope 2.7 reads environment variables. Yet VerboseSecurity "fixed" the error. I don't like this kind of fix... especially since I do not understand it.
>
> Here's the script in question:
>
>     Dct={}
>     Dct['readers'] = context.readers+1
>     context.propertysheets.data.manage_changeProperties(Dct)
>
> It's the third line that caused the error. This script runs "proxy Manager" because it updates a property even if the user is not the owner of the ZClass instance that this script belongs to.
>
> Here's the traceback:
>
>     Traceback (innermost last):
>       * Module ZPublisher.Publish, line 100, in publish
>       * Module ZPublisher.mapply, line 88, in mapply
>       * Module ZPublisher.Publish, line 40, in call_object
>       * Module OFS.DTMLMethod, line 130, in __call__
>         <DTMLMethod instance at 4187a320>
>         URL: http://localhost:9080/choroby/ucho/skalni/obecne/1/index_html_top/manage_mai...
>         Physical Path:/www.orl.cz/choroby/ucho/skalni/obecne/1/index_html_top
>       * Module DocumentTemplate.DT_String, line 474, in __call__
>       * Module Shared.DC.Scripts.Bindings, line 320, in __render_with_namespace__
>       * Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
>       * Module Products.PythonScripts.PythonScript, line 318, in _exec
>       * Module None, line 3, in inc_readers
>         <PythonScript at /www.orl.cz/choroby/ucho/skalni/obecne/1/inc_readers>
>         Line 3
>       * Module AccessControl.Owned, line 123, in getWrappedOwner
>     ValueError: unpack list of wrong size
>
> -- 
> Milos Prudek

_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )

participants (3): Bakhtiar A Hamid, Dennis Allison, Milos Prudek