[Zope-dev] strange priv leak
Shane Hathaway
shane@zope.com
Mon, 19 May 2003 12:34:44 -0400
Jamie Heilman wrote:
> Lately I've been noticing that http://host/zopeobject/manage_options
> is accessible TTW with no privileges. Unless I'm on crack, it wasn't
> always like this. I've been trying to figure out what changed and the
> only thing I can discern is that it may be related to using python
> 2.2. I've seen it happen with 2.6.1 & python 2.2, and I've seen it
> happen with HEAD & python 2.2, but never 2.6.1 & python 2.1.3. Can
> anyone else corroborate this? Even better does anyone else know how
> to fix it? I'm wondering if there's more hanging out in the open than
> just some attributes here and there.

You've uncovered an important difference between Python 2.1 and Python
2.2. Built-in objects now have docstrings. That means Zope running on
Python 2.2 currently reveals a lot more TTW than Python 2.1 did. It's a
good thing we haven't made Python 2.2 support official yet.

(Python 2.1.3)
>>> ().__doc__
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
AttributeError: 'tuple' object has no attribute '__doc__'

(Python 2.2.2)
>>> ().__doc__
"tuple() -> an empty tuple\ntuple(sequence) -> tuple initialized from sequence's items\n\nIf the argument is a tuple, the return value is the same object."

The same thing changed for integers and strings (and probably all other
built-in types). The __doc__ check has always been hackish anyway. Ideas?

Shane
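
The effect described in the message above, as an added example that is not part of the original post and is not Zope's own code: a simplified model of a docstring-gated publisher, plus an audit that flags attributes passing the gate only because their built-in type carries a docstring. The class `Folder` and the functions `doc_gate`, `builtin_doc_only` and `audit` are hypothetical names, the attribute values are constructed, and the code assumes a current Python 3, where built-in types also have docstrings.

```python
# Added illustration; a simplified model, not ZPublisher code.

class Folder:
    """A container object."""
    # Constructed sample attributes; data values carry no author-written docstring.
    manage_options = ({"label": "Contents", "action": "manage_main"},)
    title = "Home"
    size = 3

    def index_html(self):
        """Public view."""
        return "hello"

    def helper(self):  # no docstring: the author does not want this published
        return "internal"


def doc_gate(obj, name):
    """The hackish check: publish any attribute whose value has a docstring."""
    return bool(getattr(getattr(obj, name), "__doc__", None))


def builtin_doc_only(obj, name):
    """True when the docstring seen by doc_gate is just the one the
    interpreter attaches to the value's built-in type (tuple, str, int...)."""
    value = getattr(obj, name)
    vtype = type(value)
    doc = getattr(value, "__doc__", None)
    return bool(doc) and vtype.__module__ == "builtins" and doc == vtype.__doc__


def audit(obj):
    """Map each non-dunder attribute to 'published', 'leaked' or 'hidden'."""
    report = {}
    for name in dir(obj):
        if name.startswith("__"):
            continue
        if not doc_gate(obj, name):
            report[name] = "hidden"
        elif builtin_doc_only(obj, name):
            report[name] = "leaked"
        else:
            report[name] = "published"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit(Folder()).items()):
        print(f"{name:15} {status}")
```

Attributes reported as "leaked" are the ones a docstring gate would have refused on an interpreter whose built-in objects had no `__doc__`.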