[Zope-dev] ZClass class attr security?
Casey Duncan
casey_duncan@yahoo.com
Fri, 23 Feb 2001 10:19:28 -0800 (PST)
In playing around with some ideas for enhancing
ZClasses, I stumbled into the following:
Using getClassAttr, you can retrieve any attribute of
the Python ZClass including built-in ones like:
icon
_p_changed
__doc__
_p_oid
meta_type
propertysheets
manage_options
__ac_permissions__
_p_serial
__module__
_p_jar
Somewhat more troubling is the fact that I can change
these values using setClassAttr, possibly hosing
things quite well. I don't know if this is a security
flaw, but it looks kinda iffy to me, especially
__ac_permissions__.
This is a consequence of the fact that these user
defined attributes are stored as straight class
attributes. Perhaps they need to be stored in a
dictionary in the ZClass, although this will
unfortunately complicate inheritance. At the least,
access to methods named _* should be restricted. I
will write a patch for this if it is deemed necessary.
Thoughts anyone?
=====
| Casey Duncan
| Kaivo, Inc.
| cduncan@kaivo.com
`----------------->
__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices! http://auctions.yahoo.com/