[Zope-dev] zope.i18messageid

Shane Hathaway shane at hathawaymix.org
Mon Jul 5 12:57:06 EDT 2010


On 07/02/2010 11:49 AM, Tres Seaver wrote:
> Jim has asserted (but not really explained) that the C extension closes
> some kind of security hole.  I don't see any credible attack vector
> myself, but then I no longer believe it worthwhile to devote my own
> energy to defending against malicious TTW programmers.

FWIW, I imagine the problem is that zope.security treats 
zope.i18nmessageid as a rock, so if the implementation is in Python, it 
probably allows untrusted code to do this:

>>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__']
<built-in function __import__>

I suggest the bug is in zope.security, which should never allow a type 
written in Python to be a rock.

Shane
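The escape Shane describes, worked through as an added example (not code from the thread or from zope.security). It is written for Python 3, where the Python 2 links im_func and func_globals are named __func__ and __globals__. PyMessage is a constructed stand-in for a message id implemented in Python; reach_import walks the attribute chain an unproxied ("rock") object exposes, and python_implemented is a hypothetical version of the check zope.security would need before letting a type be a rock. None of these names exist in the real packages.

```python
import builtins
import types


class PyMessage(str):
    """Constructed stand-in for a message id implemented in Python.

    A str subclass with one Python-level method; that method is what makes
    an instance unsafe to hand to untrusted code without a security proxy.
    """

    def __setattr__(self, name, value):
        # Refuses mutation, like a message id should. The refusal is beside
        # the point: the danger is that this method exists as a Python
        # function at all, because a function carries its module's globals.
        raise TypeError("%s attributes are read-only" % type(self).__name__)


def reach_import(obj):
    """Walks obj.__setattr__ -> __func__ -> __globals__ -> __builtins__ -> __import__.

    Returns the real builtin __import__ if the chain is intact, else None.
    """
    meth = getattr(obj, "__setattr__", None)
    # Only a bound method wrapping a Python function has __func__; the
    # method-wrapper a C type such as str hands back does not, so the
    # chain is broken at the first link for C-implemented types.
    func = getattr(meth, "__func__", None)
    if not isinstance(func, types.FunctionType):
        return None
    module_globals = func.__globals__
    builtins_ref = module_globals.get("__builtins__")
    # CPython stores the builtins module itself in __main__ but the module's
    # dict in imported modules; accept either form.
    if isinstance(builtins_ref, types.ModuleType):
        builtins_ref = vars(builtins_ref)
    if not isinstance(builtins_ref, dict):
        return None
    return builtins_ref.get("__import__")


def escapes(obj):
    """True if code holding obj unproxied can reach the interpreter's real __import__."""
    return reach_import(obj) is builtins.__import__


Py_TPFLAGS_HEAPTYPE = 1 << 9  # CPython type flag: the type object was created at runtime


def python_implemented(typ):
    """Conservative answer to 'may this type be a rock?': True means refuse.

    Every class statement produces a heap type, so the flag catches Python
    classes (it also catches some C types built at runtime, which errs on
    the side of refusal). The MRO scan catches any Python function reachable
    as a method, which is exactly what reach_import exploits.
    """
    if typ.__flags__ & Py_TPFLAGS_HEAPTYPE:
        return True
    return any(isinstance(value, types.FunctionType)
               for klass in typ.__mro__ for value in vars(klass).values())


if __name__ == "__main__":
    for sample in (PyMessage("hello"), "hello"):
        print("%-10s python_implemented=%-5s escapes=%s" % (
            type(sample).__name__, python_implemented(type(sample)), escapes(sample)))
    imp = reach_import(PyMessage("hello"))
    print("reached:", imp, "->", imp("os").__name__)
```

Run stand-alone, the PyMessage instance yields the real __import__ (and from it the os module), while the plain str yields nothing, because str.__setattr__ is a C slot wrapper with no function and no globals behind it. The check in python_implemented is the shape of the rule Shane proposes: refuse rock status to any type whose methods are Python functions, regardless of how harmless the type's own behaviour looks.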

