[Zope-dev] Re: [Zope] Security Assertions

Chris McDonough chrism@zope.com
Thu, 17 Jan 2002 08:50:17 -0500


> I do not know what you mean by a 'monkeypatch' but it is certainly worth 
> it to add the patch to 2.3.x and 2.4.x branches.

Thanks very much for the patch!  We don't maintain 2.3.X anymore (at 
least not that I know of, although somebody probably should).  And the 
2.4 branch is a little up in the air at the moment.  There will be a 
2.4.4 to fix crashing issues but I don't know what the policy will be 
for introducing noncrash bugfixes.  2.5 already has the fix.

So... this is why I suggested a monkeypatch.  What I meant by 
"monkeypatch" is ... well, now you made me say it... "hotfix".  There, I 
said it.  In other words, a Product that you can download and install 
that dynamically changes the running code without actually requiring 
that folks running 2.3.X/2.4.X patch their source code.

Note that this is *not* a vulnerability in case anybody gets nervous. 
It is a bug that has to do with Zope security, but it is not a 
vulnerability.  (That's why I didn't want to use the term "hotfix")

You can make a monkey patch by creating code modeled after ZC hotfixes 
that does some specific set of steps.  In this case, you'd probably want 
to replace the ModuleSecurityInfo class/function with your "fixed" 
function dynamically.  Of course, in this case you'd need a way to 
arrange that it was among the first Products registered (in order for 
the other Products to make use of the patched function).  I think 
Products are initialized alphabetically, but may be wrong.  ;-(

-- 
Chris McDonough                    Zope Corporation
http://www.zope.org             http://www.zope.com
"Killing hundreds of birds with thousands of stones"
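The monkeypatch mechanism described in the post, shown as an added example in plain Python (this is not code from the thread, and it is not Zope's ModuleSecurityInfo or a ZC hotfix). The module name ``secinfo``, the function ``declare_public`` and the two consumer functions are constructed stand-ins that model only the mechanism: replace a function in a running program without editing its source, and why the order in which the patch and its consumers are loaded matters, which is the point behind wanting the hotfix Product registered first.

```python
"""Added example (not from the mailing-list thread or from Zope):
a minimal 'hotfix'-style monkeypatch in plain Python.

``secinfo``, ``declare_public`` and the consumer functions are
constructed stand-ins, not Zope's ModuleSecurityInfo.  They model the
mechanism the post describes: swap a function in a running program
without patching its source, and why patch *order* matters.
"""
import sys
import types

# --- constructed stand-in for the library module that carries the bug ---
secinfo = types.ModuleType("secinfo")


def _buggy_declare_public(registry, name):
    # Models a defect: the declaration is recorded but never marked public.
    registry[name] = {"public": False}
    return registry[name]


secinfo.declare_public = _buggy_declare_public
sys.modules["secinfo"] = secinfo  # make ``import secinfo`` find it


def apply_hotfix():
    """Replace secinfo.declare_public in place (the 'monkeypatch').

    Returns True when the patch was applied, False when it was already
    in place, so loading the hotfix twice is harmless.
    """
    import secinfo  # resolves to the module object registered above
    if getattr(secinfo.declare_public, "_hotfixed", False):
        return False

    def _fixed_declare_public(registry, name):
        registry[name] = {"public": True}
        return registry[name]

    _fixed_declare_public._hotfixed = True
    secinfo.declare_public = _fixed_declare_public
    return True


def consumer_attribute_lookup(registry, name):
    """A caller that resolves the function on the module at call time.

    It sees whichever version is installed when it runs, so it picks up
    the hotfix even if it was initialised before the hotfix module.
    """
    import secinfo
    return secinfo.declare_public(registry, name)


# A caller that bound the name *before* the hotfix via ``from m import f``.
# This models a Product initialised ahead of the hotfix Product: it keeps
# a reference to the original, buggy function and never sees the patch.
from secinfo import declare_public as _early_bound_declare_public


def consumer_early_bound(registry, name):
    return _early_bound_declare_public(registry, name)


def demo():
    """Run both consumers before and after the hotfix is applied."""
    reg = {}
    before = consumer_attribute_lookup(reg, "a")["public"]        # False
    apply_hotfix()
    after_lookup = consumer_attribute_lookup(reg, "b")["public"]  # True
    after_early = consumer_early_bound(reg, "c")["public"]        # still False
    return before, after_lookup, after_early


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The third value in ``demo()``'s result is the ordering problem in miniature: a consumer that copied the function reference into its own namespace before the patch was installed keeps calling the old code. Replacing the attribute on the module only helps callers that look it up through the module, which is why a hotfix of this kind has to be loaded before the code it is meant to fix, or the patch has to reach into those consumers' namespaces as well.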