[Zope-dev] Security audit introduced problem in PageTemplates/Expression.py
Stuart Bishop
stuart at stuartbishop.net
Tue Jan 13 00:19:56 EST 2004
The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:
***************
*** 312,318 ****
# Skip directly to item access
o = object[name]
# Check access to the item.
! if not validate(object, object, name, o):
raise Unauthorized, name
object = o
continue
- --- 307,313 ----
# Skip directly to item access
o = object[name]
# Check access to the item.
! if not validate(object, object, None, o):
raise Unauthorized, name
object = o
continue
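Review bot: the third argument to validate() drops from `name` to `None` in this item-access path while the `raise Unauthorized, name` on the next line still reports the item by name, and the unchanged comment `# Check access to the item.` gives no reason for the new convention; add a comment stating why the name is withheld for item (as opposed to attribute) access, since any validator that inspects the name, such as a hook registered via setDefaultAccess, now receives None and a call like `name.startswith(...)` on it fails.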
***************
*** 367,373 ****
raise
else:
# Check access to the item.
! if not validate(object, object, name, o):
raise Unauthorized, name
object = o
- --- 362,368 ----
raise
else:
# Check access to the item.
! if not validate(object, object, None, o):
raise Unauthorized, name
object = o
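Review bot: this is the same `name` to `None` substitution as in the hunk above, applied in a second code path; since both call sites must stay in step, consider routing both item-access checks through one helper, and add a regression test that exercises a setDefaultAccess validator against item access so a None name is caught in the test suite rather than discovered by users.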
This has the side effect of not passing the name attribute to
my security assertion methods registered via
ClassSecurityInfo.setDefaultAccess:
from AccessControl import ClassSecurityInfo

class Foo(blah, blah, blah):
    security = ClassSecurityInfo()

    def _checkAccess(self, name, value):
        # Name-based policy: only items whose name starts with 'CG'
        # are accessible; everything else is denied.
        if name.startswith('CG'):
            return 1
        return 0
    security.setDefaultAccess(_checkAccess)

    def __getitem__(self, key):
        ''' Access via dictionary interface, with security
        provided via _checkAccess
        '''
        return 'example'
Reversing the changes to Expression.py seems to break lots of
things (including SiteErrorLog), so I'm sure this is much more
involved.
Can anyone shed light onto what is going on?
-- 
Stuart Bishop <stuart at stuartbishop.net>
http://www.stuartbishop.net/
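The following is an added example, not code from the original post or from Zope: a stand-alone stand-in for the setDefaultAccess hook above, showing what happens to a name-based check when validate() passes None instead of the item name, and how a hook that fails closed behaves instead. simulate_validate is a constructed substitute for Zope's validate(object, object, name, o); no Zope import is needed.

```python
# Added example (not from the original post or from Zope). It models the two
# ways Expression.py now calls the validator -- with the item name (before the
# audit commit) and with None (after it) -- against a hook in the style of the
# poster's _checkAccess. Decision values follow the original: 1 = allow, 0 = deny.

def check_access_original(name, value):
    """The hook as posted: allows names starting with 'CG'. With name=None
    this raises AttributeError, because None has no startswith()."""
    if name.startswith('CG'):
        return 1
    return 0

def check_access_hardened(name, value):
    """Same policy, but denies when no usable name is supplied (the post-audit
    call passes None), so an unexpected argument never widens access."""
    if not isinstance(name, str):
        return 0
    return 1 if name.startswith('CG') else 0

def simulate_validate(hook, name, value):
    """Constructed stand-in for validate(object, object, name, o): returns
    True when the hook allows access, False when it denies, and the string
    'error' when the hook itself blows up (what the poster observed)."""
    try:
        return bool(hook(name, value))
    except AttributeError:
        return 'error'

if __name__ == '__main__':
    # Constructed sample item names: one allowed by policy, one denied,
    # and the None that the post-audit validate() call now supplies.
    for hook in (check_access_original, check_access_hardened):
        for name in ('CGreport', 'secret', None):
            print(hook.__name__, repr(name),
                  simulate_validate(hook, name, 'example'))
```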