[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py
Jim Fulton
jim at zope.com
Fri Jan 16 18:34:17 EST 2004
Jim Fulton wrote:
> Stuart Bishop wrote:
>
...
> It was never intended that the ability to control unprotected sub-objects
> by name would apply to items. It was sloppy coding on my part that item
> indexes (yes, indexes, like, say, 1) and keys were passed as names. I can
> certainly understand why people looking at the code and trying things out
> would come to the wrong conclusion.
But it would depend on which code they looked at. For example,
in 2.6.2, the key is not passed to validate when traversing using
getitem in unrestrictedTraverse. For this reason, it's brittle to rely on
this, even without the recent security changes.
> Fundamentally, it's wrong to use the same mechanism for attributes and
> item keys or indexes. In the recent security work, we tried to address
> this by not passing the name for item access. Unfortunately, this broke
> some code. I *think* that there cannot be too many cases of this.
>
> I'm pretty sure that I can redo the way we protect dictionaries and
> lists so that we can provide backward compatibility. If I can do this,
> I will, because backward compatibility *is* important, especially for
> bug-fix releases.
This is done and checked into the Zope 2.7 branch (Zope-2_7-branch).
Stuart, can you try this out and make sure that your application
works as it did before?
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
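The design point in the quoted paragraphs, that a name-based policy for unprotected sub-attributes should not be reused for item keys and indexes, as a toy model. This is an added illustration and is not Zope's code: the `Container` class, its `allowed_subobjects` mapping, `Forbidden`, and the `traverse_*` helpers are hypothetical, and Zope's real security machinery works differently.

```python
"""
Toy model: a container polices access to its sub-*attributes* by name.
Feeding item keys or indexes through the same name check ties the fate of
an item to whether an unrelated attribute happens to share its spelling.

Added illustration, not Zope's code. All names here are hypothetical.
"""


class Forbidden(Exception):
    """Raised when restricted traversal refuses access."""


class Container:
    """Hypothetical object whose sub-attributes are allowed/denied by name.

    `allowed_subobjects` maps attribute name -> True/False; unlisted names
    are refused. The entries in `self.items` have no policy of their own,
    which is the situation the thread describes.
    """

    allowed_subobjects = {"title": True, "items": True, "secret": False}

    def __init__(self):
        self.title = "public title"
        self.secret = "internal note"
        # Constructed sample data: item keys deliberately collide with
        # attribute names, and one key is an integer index.
        self.items = {
            "title": "item stored under key 'title'",
            "secret": "item stored under key 'secret'",
            1: "item stored under index 1",
        }


def name_allowed(container, name):
    """Attribute policy: allow only names the container explicitly lists."""
    return container.allowed_subobjects.get(name, False)


def traverse_sloppy(container, key):
    """Brittle variant: the item key is passed through the attribute policy.

    The item under key 'title' is allowed only because an *attribute* called
    'title' is allowed; the item under key 'secret' is refused for the same
    accidental reason; an integer index can never match a name at all.
    """
    if not name_allowed(container, key):
        raise Forbidden(key)
    return container.items[key]


def traverse_separated(container, key):
    """Separated variant: item access is decided by the container, not the key.

    Rule used here (hypothetical): if the 'items' sub-object is reachable,
    its plain-data entries are reachable, whatever their keys are spelled.
    """
    if not name_allowed(container, "items"):
        raise Forbidden("items")
    return container.items[key]


def compare(container, key):
    """Return (sloppy_outcome, separated_outcome), each 'allowed'/'forbidden'."""

    def run(traverse):
        try:
            traverse(container, key)
            return "allowed"
        except Forbidden:
            return "forbidden"

    return run(traverse_sloppy), run(traverse_separated)


if __name__ == "__main__":
    c = Container()
    for key in ("title", "secret", 1):
        print(repr(key), compare(c, key))
```

Under the sloppy variant the three lookups come out allowed, forbidden, forbidden, each decided by the spelling of an attribute that has nothing to do with the item; under the separated variant all three are allowed because the container itself is reachable. Swapping one variant for the other changes results for anyone who had tuned the name list around item keys, which is the backward-compatibility problem the message describes.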