[Zope-dev] Re: 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml
Richard Waid
richard at iopen.net
Mon Sep 22 18:33:12 EDT 2003
Evan Simpson wrote:
> Until cAccessControl.c is fixed, you can work around the problem with a
> simple patch to Products/PageTemplates/Expressions.py, in
> restrictedTraverse():
>
> if isinstance(name, TupleType):
> object = object(*name)
> continue
> +
> + name = str(name)
> if not name or name[0] == '_':
> # Skip directly to item access
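
Review bot: the added name = str(name) runs unconditionally on every non-tuple path element, so a unicode name containing non-ASCII characters raises UnicodeEncodeError at this line instead of reaching the name[0] == '_' test, and a non-string element is stringified before the "not name" check. Consider coercing only when isinstance(name, unicode), handling the encode failure explicitly, and adding a comment that this is a stopgap until cAccessControl.c is fixed.
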
Thanks Evan (definitely a better idea than turning off guarded_getattr
anyway :)). Any hunches why it doesn't happen in 2.6.x? (maybe the xml
didn't get converted to unicode?)
I'd imagine that it's probably quite a pervasive bug -- comparing two
strings is obviously quite a common situation ... just turned up by this
particular situation. Just a quick grep turns up 50 instances of
PyString_Check in the 2.7.0-b2 source, and 4 instances of PyUnicode_Check.
cDocumentTemplate.c and UnicodeSplitter.c (no surprises there) seem to
do the right thing. Pretty much every other c file needs to be checked.
In particular cPersistence.c, cPickleCache.c, Acquisition.c,
ComputedAttribute.c, ExtensionClass.c and cAccessControl.c all use
PyString_Check, and they'd obviously be bad places for things to go wrong :)
Best regards,
Richard Waid
Network/Software Engineer
http://iopen.net
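
The per-file check described in the message above (which C files call PyString_Check but never PyUnicode_Check), as an added example that is not part of the original post or of the Zope source. It goes slightly beyond a plain grep by ignoring comments and string literals; the function names and the sample C snippet are constructed for illustration.

```python
import re
from pathlib import Path

# Comments, string literals and char literals, blanked out so that a mention
# of PyString_Check in a comment or message is not counted as a call site.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])+\'',
    re.DOTALL,
)
_CALL = re.compile(r'\b(PyString_Check|PyUnicode_Check)\s*\(')


def _blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r'[^\n]', ' ', match.group(0))


def audit_source(text):
    """Return (PyString_Check lines, PyUnicode_Check lines) for one C file."""
    code = _NOISE.sub(_blank, text)
    hits = {"PyString_Check": [], "PyUnicode_Check": []}
    for m in _CALL.finditer(code):
        hits[m.group(1)].append(code.count("\n", 0, m.start()) + 1)
    return hits["PyString_Check"], hits["PyUnicode_Check"]


def audit_tree(root):
    """Map each .c file under root that calls PyString_Check but never
    PyUnicode_Check to the line numbers that need a manual look."""
    report = {}
    for path in sorted(Path(root).rglob("*.c")):
        s_lines, u_lines = audit_source(path.read_text(errors="replace"))
        if s_lines and not u_lines:
            report[str(path)] = s_lines
    return report


# Constructed sample, not taken from the Zope source tree.
SAMPLE = '''\
/* PyString_Check(name) is mentioned here only in a comment */
static int check_name(PyObject *name) {
    if (PyString_Check(name)) {
        return PyString_AS_STRING(name)[0] == '_';
    }
    return 0;   // a unicode object never enters the branch above
}
'''

if __name__ == "__main__":
    print(audit_source(SAMPLE))
```

A file that appears in the report is only a candidate for review; whether a given call site can actually receive a unicode object still has to be checked by hand.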