[BlueBream] Strange effect with @@view calling

volker jaenisch volker.jaenisch at inqbus.de
Thu Apr 1 14:12:37 EDT 2010


Hi!
Marius Gedminas wrote:
> (Adding Cc: bluebream at zope.org back)
>   
Sorry. The default reply-to of the ML should be set to avoid this :-)
>   
>> Case A) :
>> -> import pdb; pdb.set_trace()
>> (Pdb) type(self.context)
>> <class 'inqbus.booking.engine.app.BookingEngine'>
>>     
>
> That's weird -- there's no proxy on the context.
>
>   
>> Case B):
>> -> import pdb; pdb.set_trace()
>> (Pdb) type(self.context)
>> <type 'zope.security._proxy._Proxy'>
>> (Pdb) self.context
>> <inqbus.booking.engine.app.BookingEngine object at 0xa3b19ac>
>>
>> OK. This is the problem. But why is there NO security context in Case A?
>>     
>
> In an unrelated thread on zope-dev today I learned that
> z3c.layer.pagelet version 1.0.1 has a security bug where it unwraps
> security proxies from traversed objects.  Are you using that version of
> that package by any chance?
>   
I use
drwxr-xr-x 4 volker volker   4096 30. Mär 17:35 z3c.layer-0.3.1-py2.6.egg
drwxr-xr-x 4 volker volker   4096 30. Mär 17:35 z3c.macro-1.2.1-py2.6.egg
drwxr-xr-x 4 volker volker   4096 30. Mär 17:35 z3c.pagelet-1.2.0-py2.6.egg

which seems far away from the version you mention.
>
> The default is to be secure -- raise ForbiddenAttribute on any attribute
> access.
>   
Ok. In this case the issue is not only weird, it is sort of a security hole.

How can I proceed further to identify the problem?
Please guide me on what checks I can perform to shed more light on this.

Best Regards,

Volker
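A minimal model of what the two pdb sessions in this thread show, added here as an illustration and not code from the thread or from zope.security itself: a proxied context (Case B) routes every attribute access through a checker and raises ForbiddenAttribute for anything not explicitly allowed, while an unwrapped context (Case A) exposes every attribute. BookingEngine's attributes, the checker's allowed names and the helper functions are constructed for this example; in a real BlueBream view the equivalent diagnostic is isinstance(self.context, zope.security.proxy.Proxy).

```python
# Stand-in for zope.security's proxy/checker mechanism (not the real library):
# a whitelist checker plus a proxy that consults it on every attribute access.

class ForbiddenAttribute(AttributeError):
    """Raised when a name is accessed through the proxy without permission."""


class NamesChecker:
    """Whitelist of attribute names the proxy may expose (constructed example)."""
    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def check_getattr(self, obj, name):
        if name not in self.allowed:
            raise ForbiddenAttribute(name, obj)


class SecurityProxy:
    """Wraps an object; every attribute read is checked before being served."""
    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)

    def __getattribute__(self, name):
        obj = object.__getattribute__(self, "_obj")
        checker = object.__getattribute__(self, "_checker")
        checker.check_getattr(obj, name)   # raises ForbiddenAttribute if denied
        return getattr(obj, name)


class BookingEngine:
    """Stand-in for the application object seen in the pdb output."""
    title = "engine"                       # meant to be publicly readable
    internal_state = "hypothetical-private-value"  # meant to stay protected


def describe_context(context):
    """The same check the thread does with type(self.context) in pdb."""
    return "proxied" if isinstance(context, SecurityProxy) else "unwrapped"


def probe(context, name):
    """Report whether reading `name` on the context is allowed or forbidden."""
    try:
        getattr(context, name)
        return "allowed"
    except ForbiddenAttribute:
        return "forbidden"


# Case B (secure): the view receives the context wrapped in a proxy.
case_b = SecurityProxy(BookingEngine(), NamesChecker(["title"]))
# Case A (the reported problem): the bare object reaches the view.
case_a = BookingEngine()
```

Running probe(case_b, "internal_state") gives "forbidden" while probe(case_a, "internal_state") gives "allowed", which is exactly why a missing proxy in Case A amounts to a security hole.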
