[Zope-Checkins] CVS: Zope/lib/python/OFS -
PropertyManager.py:1.46.6.7 PropertySheets.py:1.87.6.5
Tres Seaver
tseaver at zope.com
Thu Jan 8 15:32:52 EST 2004
Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv734/lib/python/OFS
Modified Files:
Tag: Zope-2_6-branch
PropertyManager.py PropertySheets.py
Log Message:
- Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
=== Zope/lib/python/OFS/PropertyManager.py 1.46.6.6 => 1.46.6.7 ===
--- Zope/lib/python/OFS/PropertyManager.py:1.46.6.6 Sat Jun 7 11:33:08 2003
+++ Zope/lib/python/OFS/PropertyManager.py Thu Jan 8 15:32:21 2004
@@ -22,7 +22,7 @@
from Acquisition import Implicit, aq_base
from Globals import Persistent
from cgi import escape
-
+from types import ListType
class PropertyManager(ExtensionClass.Base, ZDOM.ElementWithAttributes):
@@ -156,6 +156,8 @@
def _setPropValue(self, id, value):
self._wrapperCheck(value)
+ if type(value) == ListType:
+ value = tuple(value)
setattr(self,id,value)
def _delPropValue(self, id):
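Review bot: The exact-type test `type(value) == ListType` added in `_setPropValue` matches only plain lists, so an instance of a list subclass (where the interpreter allows subclassing `list`) would still be stored in mutable form; `if isinstance(value, ListType): value = tuple(value)` covers both cases. The same check is repeated in the `_setProperty` and `_updateProperty` hunks of PropertySheets.py and has the same gap. The conversion is also shallow, so a list nested inside the value stays mutable, and values persisted as lists before this change presumably stay that way until they are next written. A short comment such as `# store sequences as tuples so the value cannot be mutated in place, bypassing the security checks` would record why the conversion is there.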
=== Zope/lib/python/OFS/PropertySheets.py 1.87.6.4 => 1.87.6.5 ===
--- Zope/lib/python/OFS/PropertySheets.py:1.87.6.4 Tue Oct 21 11:35:10 2003
+++ Zope/lib/python/OFS/PropertySheets.py Thu Jan 8 15:32:21 2004
@@ -15,7 +15,7 @@
__version__='$Revision$'[11:-2]
-import time, App.Management, Globals
+import time, App.Management, Globals, sys
from webdav.WriteLockInterface import WriteLockInterface
from ZPublisher.Converters import type_converters
from Globals import DTMLFile, MessageDialog
@@ -29,7 +29,7 @@
from AccessControl import getSecurityManager
from webdav.common import isDavCollection
from cgi import escape
-
+from types import ListType
# DM: we would like to import this from somewhere
BadRequestException= 'Bad Request'
@@ -213,6 +213,10 @@
prop['select_variable']=value
if type=='selection': value=None
else: value=[]
+
+ # bleah - can't change kw name in api, so use ugly workaround.
+ if sys.modules['__builtin__'].type(value) == ListType:
+ value = tuple(value)
setattr(self, id, value)
def _updateProperty(self, id, value, meta=None):
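Review bot: Reaching the builtin through `sys.modules['__builtin__'].type(value)` is hard to read, and it appears to be the only reason `sys` is added to the import line in this file's first hunk. The name `type` is evidently a string argument in this function (`if type=='selection'`), which is why the plain call cannot be used. `if isinstance(value, ListType): value = tuple(value)` needs neither the shadowed builtin nor the extra import. The enclosing function starts above the hunk, so this is based only on the lines shown.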
@@ -237,7 +241,11 @@
if prop['id']==id: prop['meta']=meta
props.append(prop)
pself._properties=tuple(props)
- setattr(self.v_self(), id, value)
+
+ # bleah - can't change kw name in api, so use ugly workaround.
+ if type(value) == ListType:
+ value = tuple(value)
+ setattr(self, id, value)
def _delProperty(self, id):
# Delete the property with the given id. If a property with the
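Review bot: The last changed line replaces `setattr(self.v_self(), id, value)` with `setattr(self, id, value)`, a change the log message does not mention and that is unrelated to the list-to-tuple conversion. If `v_self()` can return an object other than `self` (the `pself` used just above suggests the sheet distinguishes them), the value is now written to a different object than before. Unless `self` is rebound above the hunk, keep `setattr(self.v_self(), id, value)`. The copied comment about the keyword name also does not apply here, since this hunk calls `type(value)` directly and the visible signature `_updateProperty(self, id, value, meta=None)` has no `type` parameter. The start of the function body is outside the hunk.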