[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
Shane Hathaway
shane@zope.com
Tue, 17 Dec 2002 13:30:17 -0500
Chris Withers wrote:
> Update of /cvs-repository/Zope/lib/python/AccessControl
> In directory cvs.zope.org:/tmp/cvs-serv27864/lib/python/AccessControl
>
> Modified Files:
> ZopeGuards.py
> Log Message:
> Collector #685: made security declarations work for python packages
> that are not Zope products.
>
> === Zope/lib/python/AccessControl/ZopeGuards.py 1.12 => 1.13 ===
> --- Zope/lib/python/AccessControl/ZopeGuards.py:1.12 Wed Aug 21 15:47:09 2002
> +++ Zope/lib/python/AccessControl/ZopeGuards.py Tue Dec 17 13:09:48 2002
> @@ -125,6 +125,10 @@
>
> import sys
> def guarded_import(mname, globals={}, locals={}, fromlist=None):
> +
> + # do initial import to give module a chance to make security declarations
> + __import__(mname, globals, locals, fromlist)
> +
> mnameparts = mname.split('.')
> firstmname = mnameparts[0]
> validate = getSecurityManager().validate
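Review bot: the new unconditional `__import__(mname, globals, locals, fromlist)` at the top of `guarded_import` runs before `validate = getSecurityManager().validate` is even obtained, so any dotted name a caller supplies is imported, and that module's top-level code executes, before any authorization check; a later Unauthorized cannot undo import-time side effects. Move the import below the validation of `firstmname` (and of each further part), so that only names that pass the check are ever imported, or, if the security declarations genuinely must exist before validation, restrict the pre-check import to names already known to the security registry rather than to arbitrary caller input. The comment "do initial import to give module a chance to make security declarations" documents the intent but not the ordering risk; it should say why importing before validating is safe, or the ordering should change.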
Chris, this opens a security hole. You must be careful not to allow
arbitrary imports, even if the attempt would later result in an
Unauthorized error, because importing a module may have undesirable side
effects.
Shane
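The ordering Shane describes, as an added illustration that is not part of this thread or of Zope's code: a guard that authorises every dotted prefix of the name before the import machinery is invoked, plus a constructed meta-path probe that records which names the importer was actually asked for. The allow-list here is a hypothetical stand-in for Zope's validate(), and the disallowed module name is constructed.

```python
import sys
import importlib
from importlib.abc import MetaPathFinder

class Unauthorized(Exception):
    """Raised when a dotted module name fails the allow-list check."""

class ImportRecorder(MetaPathFinder):
    """Constructed probe: records every name the import machinery resolves."""
    def __init__(self):
        self.seen = []

    def find_spec(self, fullname, path, target=None):
        self.seen.append(fullname)
        return None  # defer to the normal finders

def guarded_import(mname, allowed):
    """Authorise every dotted prefix of `mname` before touching the importer.

    `allowed` is a hypothetical allow-list standing in for Zope's validate();
    a rejected name never reaches the import machinery, so its module-level
    code never runs."""
    parts = mname.split('.')
    for i in range(1, len(parts) + 1):
        prefix = '.'.join(parts[:i])
        if prefix not in allowed:
            raise Unauthorized(prefix)
    return importlib.import_module(mname)

def demo(name='constructed_module_not_on_allow_list'):
    """Import a disallowed (constructed) name with and without the guard;
    return the names the import machinery was asked for in each case."""
    rec = ImportRecorder()
    sys.meta_path.insert(0, rec)
    try:
        try:
            guarded_import(name, allowed={'json'})
        except Unauthorized:
            pass
        with_guard = list(rec.seen)
        rec.seen.clear()
        try:
            importlib.import_module(name)  # unguarded: finders are consulted
        except ImportError:
            pass
        without_guard = list(rec.seen)
    finally:
        sys.meta_path.remove(rec)
    return with_guard, without_guard
```

With the guard, the import machinery is never asked for the rejected name; without it, the finders (and, for a real module, its top-level code) run before any Unauthorized could be raised.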