[Zope-dev] Security still weird

Michael R. Bernstein webmaven@lvcm.com
01 Aug 2001 12:51:31 -0700


On 01 Aug 2001 20:12:02 +0200, Dieter Maurer wrote:
>
>  Michael R. Bernstein writes:
>  >
>  > Thanks for the suggestion, but that still isn't it. Would you like to
>  > take a look at my code?
>
> Looking at the code is usually not enough for analysing difficult
> behavior (as yours seems to be). I fear, debugging will be necessary.
>
> I don't know, how easy it will be that you can downstrip
> your code in a way that it becomes debuggable in a standard
> installation...

This product is fairly simple. It consists of two classes, one derived
from SimpleItem is a 'container' and uses __getitem__ to traverse into
instances of a second class (derived from item) in a dict. There are
various forms and form processing methods, but *none* of them should be
accessible by default.

I have deliberately not added any security assertions to the classes
beyond what should be necessary to activate the default policy (deny if
not allowed). If this was working correctly, I would expect no access to
be possible to instances of my Product, its subobjects, or its
attributes. Since this is not the case, I am becoming more convinced
that something is broken here.

Anyway, if anyone wants to have a crack at the code, I'll send it over.

Thanks,

Michael Bernstein.
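As an added example (my own, not code from this thread or from Zope's AccessControl package): a plain-Python model of the rule the post above relies on, "deny unless a declaration allows". In Zope 2 the declarations come from ClassSecurityInfo (declareProtected, declarePrivate, declareObjectProtected, setDefaultAccess('deny')) and are written onto the class as <name>__roles__ attributes when InitializeClass runs; here declare() and set_default_access() stand in for that step, and Container/Entry mirror the two-class layout described in the post (a container whose __getitem__ traverses into leaf objects held in a dict). Everything else in the block (User, probe, scenario, the role names) is this example's own assumption, and the model collapses permissions to roles and ignores acquisition.

```python
# Added example: a simplified model of declaration-based "deny unless allowed"
# attribute access, in the style of Zope 2's AccessControl. It is not Zope's
# code; names below (User, declare, set_default_access, probe, scenario) are
# this example's own.


class Unauthorized(Exception):
    """Raised when the policy denies access to a name or a traversed subobject."""


class User:
    def __init__(self, name, roles=()):
        self.name = name
        self.roles = frozenset(roles)


_UNSET = object()  # sentinel: no __roles__ declaration found at all


def declare(klass, name, roles):
    """Model of a ClassSecurityInfo declaration after InitializeClass has
    applied it: Zope stores the roles for attribute `name` as <name>__roles__
    on the class. roles=None means public; a tuple means one of these roles is
    required. name='' declares the object itself (cf. declareObjectProtected)."""
    attr = '__roles__' if name == '' else name + '__roles__'
    setattr(klass, attr, roles)


def set_default_access(klass, allow):
    """Model of security.setDefaultAccess('allow'/'deny'), which in Zope becomes
    __allow_access_to_unprotected_subobjects__ = 1 or 0 on the class."""
    klass.__allow_access_to_unprotected_subobjects__ = 1 if allow else 0


def _check(user, container, name, value):
    """Core rule: look for a __roles__ declaration for the accessed thing; if
    none exists, fall back to the container's unprotected-subobject setting,
    and treat a missing setting as deny."""
    roles = getattr(container, name + '__roles__', _UNSET) if name else _UNSET
    if roles is _UNSET:
        roles = getattr(value, '__roles__', _UNSET)
    if roles is _UNSET:
        if getattr(container, '__allow_access_to_unprotected_subobjects__', 0):
            return value
        raise Unauthorized(name or repr(value))
    if roles is None or user.roles & frozenset(roles):
        return value
    raise Unauthorized(name or repr(value))


def guarded_getattr(user, obj, name):
    """Attribute access (a form or form-processing method) under the policy."""
    return _check(user, obj, name, getattr(obj, name))


def guarded_getitem(user, container, key):
    """Traversal through __getitem__, as the container class in the post does."""
    return _check(user, container, '', container[key])


class Entry:
    """The product's second class: a leaf object held in the container's dict."""
    def __init__(self, title):
        self.title = title

    def edit_form(self):
        return '<form>edit %s</form>' % self.title

    def process_edit(self, title):
        self.title = title
        return self.title


class Container:
    """The product's first class: traverses into Entry instances via __getitem__."""
    def __init__(self):
        self._items = {}

    def add(self, key, entry):
        self._items[key] = entry

    def __getitem__(self, key):
        return self._items[key]


def probe(user, container, key, names):
    """Try to traverse to container[key], then reach each name on it; report
    'allowed'/'denied' per step so the three scenarios can be compared."""
    out = {}
    try:
        entry = guarded_getitem(user, container, key)
        out['traverse'] = 'allowed'
    except Unauthorized:
        out['traverse'] = 'denied'
        entry = container[key]  # keep probing the leaf directly for the report
    for name in names:
        try:
            guarded_getattr(user, entry, name)
            out[name] = 'allowed'
        except Unauthorized:
            out[name] = 'denied'
    return out


def scenario(default_allow, declare_methods):
    """Fresh subclasses per run so declarations do not leak between scenarios."""
    class C(Container): pass
    class E(Entry): pass
    set_default_access(C, default_allow)
    set_default_access(E, default_allow)
    if declare_methods:
        declare(E, '', ('Manager',))            # the object itself
        declare(E, 'title', None)               # public attribute
        declare(E, 'edit_form', ('Manager',))   # forms and processors need Manager
        declare(E, 'process_edit', ('Manager',))
    c = C()
    c.add('one', E('first'))
    names = ('title', 'edit_form', 'process_edit')
    return {'anonymous': probe(User('anonymous', ('Anonymous',)), c, 'one', names),
            'manager': probe(User('admin', ('Manager',)), c, 'one', names)}
```

Running scenario(False, False) shows what a bare default-deny policy gives: with no declarations at all nobody, not even a Manager, can traverse into the entry or call its methods. scenario(True, False) shows the opposite: once a class opts into unprotected subobjects, traversal and every undeclared method become reachable by anyone, which is the kind of behaviour the post reports. scenario(False, True) shows declarations doing their job: the public attribute is readable by everyone while the forms and the object itself require the Manager role.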