[Zope-dev] Security problems importing from python package.
Chris Withers
chrisw@nipltd.com
Thu, 21 Nov 2002 12:16:09 +0000
Hi,
I'm trying to get stripogram working from Script(Pythons). I thought I had it,
but it appears I don't.
I added the following in the __init__.py of the stripogram package:
try:
from AccessControl import ModuleSecurityInfo,allow_module
except ImportError:
# no Zope around
raise
else:
allow_module('stripogram')
ModuleSecurityInfo('stripogram').declareObjectPublic()
ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')
I don't think either the allow_module or the declareObjectPublic() should be
necessary. However, the declareObjectPublic at least made this test pass:
from Products.PythonScripts.PythonScript import PythonScript
theScript = PythonScript('test')
theScript.ZBindings_edit({})
theScript.write("from stripogram import html2text\nreturn
html2text('<i>hello</i>')")
theScript._makeFunction()
self.assertEqual(theScript(),'hello')
But even adding the 'allow_module' won't let the following Script (Python)
created through the ZMI work:
from stripogram import html2text
The error I get is:
Error Type: ImportError
Error Value: import of "stripogram" is unauthorized
File \lib\python\Products\PythonScripts\PythonScript.py, line 302, in _exec
(Object: tester)
(Info: ({'script': <PythonScript instance at 012CB4D8>, 'context':
<Application instance at 012B92D8>, 'container': <Application instance at
012B92D8>, 'traverse_subpath': []}, (), {}, None))
File Script (Python), line 1, in tester
File \lib\python\AccessControl\ZopeGuards.py, line 153, in guarded_import
ImportError: (see above)
What am I doing wrong? Why doesn't this code behave as advertised in
Products/PythonScripts/module_access_examples.py?
cheers,
Chris