Security Assertions
Casey Duncan wrote:
So the following things don't work:
from Products.Formulator.Form import FormValidationError
Either Martijn or you need to add the following lines to a Product __init__.py somewhere:
from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('Formulator') ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
Cheers,
Evan @ Zope
I added the above code in the corresponding __init__.py on my machine. Which works almost perfectly...: Further, I needed to be able to import : from Products.gvibDA.gvib.gvibExceptions import IntegrityError So I added the following code in gvibDA's __init__.py from Products.PythonScripts.Utility import allow_module, allow_class from AccessControl import ModuleSecurityInfo, ClassSecurityInfo from Globals import InitializeClass ModuleSecurityInfo('Products').declarePublic('gvibDA') ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib') ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions') ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError') from gvib.gvibExceptions import IntegrityError allow_class(IntegrityError) I get an 'Unauthorized: Formulator' error when accessing a script beginning with from Products.Formulator.Form import FormValidationError from Products.gvibDA.gvib.gvibExceptions import IntegrityError I suppose it has something to do with the creation of two instances of ModuleSecurityInfo('Products') but have no idea how to correct the problem. Any help would be appreciated. -- Godefroid Chapelle BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium Tel + 32 (10) 459901 Mob + 32 (477) 363942 TVA 467 093 008 RC Niv 49849
Note that up until Zope 2.5.0b4 there is a bug in the way module security assertions are handled that makes it impossible to declare more than one assertion without overwriting a previous assertion. It's not really a "security hole", it's just annoying and clearly broken. I'd suggest that you complain about this (or do it yourself) if you think a monkeypatch is in order for Zope 2.3/2.4. Godefroid Chapelle wrote:
Casey Duncan wrote:
So the following things don't work:
from Products.Formulator.Form import FormValidationError
Either Martijn or you need to add the following lines to a Product __init__.py somewhere:
from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('Formulator') ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
Cheers,
Evan @ Zope
I added the above code in the corresponding __init__.py on my machine.
Which works almost perfectly...:
Further, I needed to be able to import :
from Products.gvibDA.gvib.gvibExceptions import IntegrityError
So I added the following code in gvibDA's __init__.py
from Products.PythonScripts.Utility import allow_module, allow_class from AccessControl import ModuleSecurityInfo, ClassSecurityInfo from Globals import InitializeClass
ModuleSecurityInfo('Products').declarePublic('gvibDA') ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib') ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions') ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError')
from gvib.gvibExceptions import IntegrityError
allow_class(IntegrityError)
I get an 'Unauthorized: Formulator' error when accessing a script beginning with
from Products.Formulator.Form import FormValidationError
from Products.gvibDA.gvib.gvibExceptions import IntegrityError
I suppose it has something to do with the creation of two instances of ModuleSecurityInfo('Products') but have no idea how to correct the problem.
Any help would be appreciated.
--
Godefroid Chapelle
BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium
Tel + 32 (10) 459901 Mob + 32 (477) 363942
TVA 467 093 008 RC Niv 49849
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
At 18:43 16/01/2002, you wrote: Sorry about cross-posting but I think the following info is worth reading for both zope-users and developers.
Note that up until Zope 2.5.0b4 there is a bug in the way module security assertions are handled that makes it impossible to declare more than one assertion without overwriting a previous assertion. It's not really a "security hole", it's just annoying and clearly broken. I'd suggest that you complain about this (or do it yourself) if you think a monkeypatch is in order for Zope 2.3/2.4.
I went to CVS and read AccessControl.SecurityInfo.py The code looked simple enough that I would take no risk by including it even if my understanding of the inner-working of Zope is still elementary. The following patch works to correct the problem for Zope 2.3.3. It does not seem to cause any other problem. # patch taken from Zope 2.5 from string import rfind # 1.5.2 syntax def ModuleSecurityInfo(module_name=None): if module_name is not None: modsec = _moduleSecurity.get(module_name, None) if modsec is not None: return modsec dot = rfind(module_name, '.') # 1.5.2 syntax if dot > 0: # If the module is in a package, recursively make sure # there are security declarations for the package steps # leading to the module modname = module_name[dot + 1:] pmodsec = ModuleSecurityInfo(module_name[:dot]) if not pmodsec.names.has_key(modname): pmodsec.declarePublic(modname) return _ModuleSecurityInfo(module_name) class _ModuleSecurityInfo(SecurityInfo): """Encapsulate security information for modules.""" in place of class ModuleSecurityInfo(SecurityInfo): """Encapsulate security information for modules.""" I do not know what you mean by a 'monkeypatch' but it is certainly worth it to add the patch to 2.3.x and 2.4.x branches.
Godefroid Chapelle wrote:
Casey Duncan wrote:
So the following things don't work:
from Products.Formulator.Form import FormValidationError
Either Martijn or you need to add the following lines to a Product __init__.py somewhere:
from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('Formulator') ModuleSecurityInfo('Products.Formulator').declarePublic('Form')
ModuleSecurityInfo('Products.Formulator.Form').declarePublic('FormValidationError')
Cheers,
Evan @ Zope
I added the above code in the corresponding __init__.py on my machine. Which works almost perfectly...: Further, I needed to be able to import : from Products.gvibDA.gvib.gvibExceptions import IntegrityError
So I added the following code in gvibDA's __init__.py from Products.PythonScripts.Utility import allow_module, allow_class from AccessControl import ModuleSecurityInfo, ClassSecurityInfo from Globals import InitializeClass ModuleSecurityInfo('Products').declarePublic('gvibDA') ModuleSecurityInfo('Products.gvibDA').declarePublic('gvib') ModuleSecurityInfo('Products.gvibDA.gvib').declarePublic('gvibExceptions') ModuleSecurityInfo('Products.gvibDA.gvib.gvibExceptions').declarePublic('IntegrityError')
from gvib.gvibExceptions import IntegrityError allow_class(IntegrityError)
I get an 'Unauthorized: Formulator' error when accessing a script beginning with from Products.Formulator.Form import FormValidationError from Products.gvibDA.gvib.gvibExceptions import IntegrityError
I suppose it has something to do with the creation of two instances of ModuleSecurityInfo('Products') but have no idea how to correct the problem. Any help would be appreciated.
--
Godefroid Chapelle BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium Tel + 32 (10) 459901 Mob + 32 (477) 363942 TVA 467 093 008 RC Niv 49849
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
-- Godefroid Chapelle BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium Tel + 32 (10) 459901 Mob + 32 (477) 363942 TVA 467 093 008 RC Niv 49849
I do not know what you mean by a 'monkeypatch' but it is certainly worth it to add the patch to 2.3.x and 2.4.x branches.
Thanks very much for the patch! We don't maintain 2.3.X anymore (at least not that I know of, although somebody probably should). And the 2.4 branch is a little up in the air at the moment. There will be a 2.4.4 to fix crashing issues but I don't know what the policy will be for introducing noncrash bugfixes. 2.5 already has the fix. So... this is why I suggested a monkeypatch. What I meant by "monkeypatch" is ... well, now you made me say it... "hotfix". There, I said it. In other words, a Product that you can download and install that dynamically changes the running code without actually requiring that folks running 2.3.X/2.4.X patch their source code. Note that this is *not* a vulnerability in case anybody gets nervous. It is a bug that has to do with Zope security, but it is not a vulnerability. (That's why I didn't want to use the term "hotfix") You can make a monkey patch by creating code modeled after ZC hotfixes that does some specific set of steps. In this case, you'd probably want to replace the ModuleSecurityInfo class/function with your "fixed" function dynamically. Of course, in this case you'd need a way to arrange that it was among the first Products registered (in order for the other Products to make use of the patched function). I think Products are initialized alphabetically, but may be wrong. ;-( -- Chris McDonough Zope Corporation http://www.zope.org http://www.zope.com "Killing hundreds of birds with thousands of stones"
Just a quick note on this point, there are two points during startup when a product can get control: 1) When the __init__.py is imported 2) When the initialize function within that __init__.py is called. These seem to occur quite far apart in terms of loaded modules so to get something done early, do it at import time. If you want a look at another "monkeypatch" type product, take a look at PatchKit http://www.zope.org/Members/haqa/PatchKit . Hope this helps Adrian... -- The difficulty of tactical maneuvering consists in turning the devious into the direct, and misfortune into gain. - Sun Tzu ----- Original Message ----- From: "Chris McDonough" <chrism@zope.com> To: "Godefroid Chapelle" <gotcha@swing.be> Cc: <zope@zope.org>; <zope-dev@zope.org> Sent: Thursday, January 17, 2002 1:50 PM Subject: Re: [Zope-dev] Re: [Zope] Security Assertions
I do not know what you mean by a 'monkeypatch' but it is certainly worth it to add the patch to 2.3.x and 2.4.x branches.
Thanks very much for the patch! We don't maintain 2.3.X anymore (at least not that I know of, although somebody probably should). And the 2.4 branch is a little up in the air at the moment. There will be a 2.4.4 to fix crashing issues but I don't know what the policy will be for introducing noncrash bugfixes. 2.5 already has the fix.
So... this is why I suggested a monkeypatch. What I meant by "monkeypatch" is ... well, now you made me say it... "hotfix". There, I said it. In other words, a Product that you can download and install that dynamically changes the running code without actually requiring that folks running 2.3.X/2.4.X patch their source code.
Note that this is *not* a vulnerability in case anybody gets nervous. It is a bug that has to do with Zope security, but it is not a vulnerability. (That's why I didn't want to use the term "hotfix")
You can make a monkey patch by creating code modeled after ZC hotfixes that does some specific set of steps. In this case, you'd probably want to replace the ModuleSecurityInfo class/function with your "fixed" function dynamically. Of course, in this case you'd need a way to arrange that it was among the first Products registered (in order for the other Products to make use of the patched function). I think Products are initialized alphabetically, but may be wrong. ;-(
-- Chris McDonough Zope Corporation http://www.zope.org http://www.zope.com "Killing hundreds of birds with thousands of stones"
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Just a quick note on this point, there are two points during startup when a product can get control: 1) When the __init__.py is imported 2) When the initialize function within that __init__.py is called.
I think Godefroid's case it would definitely want to be in __init__.py *outside* of the initialize() function as it wants to be done at the earliest possible time. - C
participants (3)
-
Adrian Hungate -
Chris McDonough -
Godefroid Chapelle