Object's lines properties break code in Zope264rc2
An object with lines properties in Zope264rc2 returns a tuple, while in Zope261 it returns a list. I haven't found information about this, neither in the 264rc2's changes log nor within this list. Is it a bug or a new feature? Ausum
> An object with lines properties in Zope264rc2 returns a tuple, while in Zope261 it returns a list. I haven't found information about this, neither in the 264rc2's changes log nor within this list. Is it a bug or a new feature?

It is a bug fix / security fix. Storing properties in lists is bad because lists are mutable and cannot be protected directly using security assertions. Theoretically, an evil-intentioned scripter could change a property if it is stored as a list (though they'd have to find some way to force the persistent state of the parent object to be saved for the change to be saved).

Brian Lloyd brian@zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
---- Original Message ----- From: "Brian Lloyd" <brian@zope.com>
>> An object with lines properties in Zope264rc2 returns a tuple, while in Zope261 it returns a list. I haven't found information about this, neither in the 264rc2's changes log nor within this list. Is it a bug or a new feature?
>
> It is a bug fix / security fix. Storing properties in lists is bad because lists are mutable and cannot be protected directly using security assertions. ...
I used to use that as a feature, though I agree that it can also be a potential security breach. Maybe it's worth the pain to put that as a configurable feature in z2.py, and the new standard as default. Otherwise I'm afraid I'll have a rewriting weekend. Does this break code to anyone else? Ausum
> ... Theoretically, an evil-intentioned scripter could change a property if it is stored as a list (though they'd have to find some way to force the persistent state of the parent object to be saved for the change to be saved).
>
> Brian Lloyd brian@zope.com
> V.P. Engineering 540.361.1716
> Zope Corporation http://www.zope.com
Ausum Studio wrote:
>>> An object with lines properties in Zope264rc2 returns a tuple, while in Zope261 it returns a list. I haven't found information about this, neither in the 264rc2's changes log nor within this list. Is it a bug or a new feature?
>>
>> It is a bug fix / security fix. Storing properties in lists is bad because lists are mutable and cannot be protected directly using security assertions. ...
>
> I used to use that as a feature, though I agree that it can also be a potential security breach. Maybe it's worth the pain to put that as a configurable feature in z2.py, and the new standard as default.
>
> Otherwise I'm afraid I'll have a rewriting weekend. Does this break code to anyone else?
Won't 'list(prop)' work? Or are you trying to change the property's contents in place? Even so, it's not hard to fix.

--jcc
--
"He who fights with monsters should look to it that he himself does not become a monster. And when you gaze long into an abyss the abyss also gazes into you."
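The list-versus-tuple behaviour discussed in this thread, together with the `list(prop)` migration suggested above, as an added example that is not part of the original messages and is not Zope code. `PropertyHolder`, `Unauthorized`, `get_lines`, `set_lines` and `may_manage` are hypothetical names; the sketch models only in-memory aliasing, not ZODB persistence or Zope's security machinery.

```python
# Added illustration; class and method names are hypothetical, not Zope's API.

class Unauthorized(Exception):
    pass


class PropertyHolder:
    """Toy stand-in for an object with a 'lines' property.

    Writes are meant to go through set_lines(), which checks a permission.
    """

    def __init__(self, lines, as_tuple):
        self._as_tuple = as_tuple
        self._lines = tuple(lines) if as_tuple else list(lines)

    def get_lines(self):
        # Read access is unguarded; it hands back the stored object itself.
        return self._lines

    def set_lines(self, lines, may_manage):
        # The only guarded write path.
        if not may_manage:
            raise Unauthorized("manage permission required")
        self._lines = tuple(lines) if self._as_tuple else list(lines)


def mutate_via_getter(holder):
    """Try to change the stored property with read access only."""
    try:
        holder.get_lines().append("injected")  # bypasses set_lines()
        return True
    except AttributeError:  # tuples have no append()
        return False


def edit_with_copy(holder, extra, may_manage):
    """Migration pattern for code that used to edit the list in place."""
    working = list(holder.get_lines())     # mutable copy, as in list(prop)
    working.append(extra)
    holder.set_lines(working, may_manage)  # write-back hits the check
    return holder.get_lines()


if __name__ == "__main__":
    old = PropertyHolder(["a", "b"], as_tuple=False)  # list-returning behaviour
    new = PropertyHolder(["a", "b"], as_tuple=True)   # tuple-returning behaviour
    print(mutate_via_getter(old), old.get_lines())
    print(mutate_via_getter(new), new.get_lines())
    print(edit_with_copy(new, "c", may_manage=True))
```

With the list-backed holder the stored value changes without the permission check ever running; with the tuple-backed holder the only way to change it is the guarded write path.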
participants (3): Ausum Studio, Brian Lloyd, J Cameron Cooper