[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Jim Fulton jim at zope.com
Thu Jan 15 10:03:39 EST 2004


Tres Seaver wrote:
> Stuart Bishop wrote:
> 
>> On 13/01/2004, at 4:19 PM, Stuart Bishop wrote:
>>
>>> The 'security audit work for the 2.7 branch' commit on 8th Jan made
>>> the following change in PageTemplates/Expression.py:
>>
>> As well as in other locations such as ZopeGuards.py.
>>
>> I've opened http://collector.zope.org/Zope/1182 with some
>> example code.

I have trouble following this issue.  I have no idea what
the point of the attached code is.
>> Anyone know if None is being passed as the name in some locations?
>> I don't think it would be helpful for me to go around reversing
>> code changed by a security audit without some background.
> 
> I committed that change, but didn't do the original work.  I did have a
> discussion with Jim which touched on it:  the purpose of the change was
> to make access via '__getitem__' homogeneous across all keys / indexes,
> because (as we thought, anyway) there was not any reasonable use case
> for heterogeneous access.

Right. The name attribute was intended for attribute-based access.

IMO, it makes no sense to consider key values when doing security
checks.

> I will let Jim comment on your use case.

What use case?  I missed it. Where is it?

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org