[Zope-dev] Security problems importing from python package.

Chris Withers chrisw@nipltd.com
Thu, 21 Nov 2002 12:16:09 +0000


Hi,

I'm trying to get stripogram working from Script (Python)s. I thought I had it, 
but it appears I don't.

I added the following in the __init__.py of the stripogram package:

try:
     from AccessControl import ModuleSecurityInfo,allow_module
except ImportError:
     # no Zope around
     raise
else:
     allow_module('stripogram')
     ModuleSecurityInfo('stripogram').declareObjectPublic()
     ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')

I don't think either the allow_module or the declareObjectPublic() should be 
necessary. However, the declareObjectPublic at least made this test pass:

     from Products.PythonScripts.PythonScript import PythonScript
     theScript = PythonScript('test')
     theScript.ZBindings_edit({})
     theScript.write("from stripogram import html2text\nreturn html2text('<i>hello</i>')")
     theScript._makeFunction()
     self.assertEqual(theScript(),'hello')

But even adding the 'allow_module' won't let the following Script (Python) 
created through the ZMI work:

from stripogram import html2text

The error I get is:

Error Type: ImportError
Error Value: import of "stripogram" is unauthorized

   File \lib\python\Products\PythonScripts\PythonScript.py, line 302, in _exec
     (Object: tester)
     (Info: ({'script': <PythonScript instance at 012CB4D8>, 'context': <Application instance at 012B92D8>, 'container': <Application instance at 012B92D8>, 'traverse_subpath': []}, (), {}, None))
   File Script (Python), line 1, in tester
   File \lib\python\AccessControl\ZopeGuards.py, line 153, in guarded_import
ImportError: (see above)

What am I doing wrong? Why doesn't this code behave as advertised in
Products/PythonScripts/module_access_examples.py?

cheers,

Chris