[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Stuart Bishop stuart at stuartbishop.net
Mon Jan 19 00:13:22 EST 2004


On 17/01/2004, at 10:34 AM, Jim Fulton wrote:

>> I'm pretty sure that I can redo the way we protect dictionaries and
>> lists so that we can provide backward compatibility.  If I can do this,
>> I will, because backward compatibility *is* important, especially for
>> bug-fix releases.
>
> This is done and checked into the Zope 2.7 branch (Zope-2_7-branch).
>
> Stuart, can you try this out and make sure that your application
> works as it did before?

All appears to be working as before. If this is definitely
deprecated, I'll note that in AccessControl.py.

I don't have a problem with deprecating this feature if it makes
the Zope code saner - I was only using it because it was there
and did what I wanted.

I don't particularly like the idea of this mechanism working
for getattr access but not for getitem access. I've always
tended to stick with using getitem over getattr, partly as a
holdover from when it was incredibly painful to mix getattr
overrides with ExtensionClass, and partly because you are less
likely to recursively shoot yourself in the foot. Indeed - an
argument could be made for deprecating getattr in favor of
getitem, as the latter could make use of Unicode keys if Zope's
traversal mechanisms were updated to cope.

--
Stuart Bishop <stuart at stuartbishop.net>
http://www.stuartbishop.net/



