[Zope-dev] Re: [Zope] Security Assertions

Adrian Hungate adrian@haqa.co.uk
Thu, 17 Jan 2002 15:06:33 -0000


Just a quick note on this point, there are two points during startup when a
product can get control:
1) When the __init__.py is imported
2) When the initialize function within that __init__.py is called.

These seem to occur quite far apart in terms of loaded modules so to get
something done early, do it at import time.

If you want a look at another "monkeypatch" type product, take a look at
PatchKit http://www.zope.org/Members/haqa/PatchKit .

Hope this helps

Adrian...

--
The difficulty of tactical maneuvering consists in turning the devious into
the direct, and misfortune into gain.
- Sun Tzu


----- Original Message -----
From: "Chris McDonough" <chrism@zope.com>
To: "Godefroid Chapelle" <gotcha@swing.be>
Cc: <zope@zope.org>; <zope-dev@zope.org>
Sent: Thursday, January 17, 2002 1:50 PM
Subject: Re: [Zope-dev] Re: [Zope] Security Assertions


> > I do not know what you mean by a 'monkeypatch' but it is certainly worth
> > it to add the patch to 2.3.x and 2.4.x branches.
>
> Thanks very much for the patch!  We don't maintain 2.3.X anymore (at
> least not that I know of, although somebody probably should).  And the
> 2.4 branch is a little up in the air at the moment.  There will be a
> 2.4.4 to fix crashing issues but I don't know what the policy will be
> for introducing noncrash bugfixes.  2.5 already has the fix.
>
> So... this is why I suggested a monkeypatch.  What I meant by
> "monkeypatch" is ... well, now you made me say it... "hotfix".  There, I
> said it.  In other words, a Product that you can download and install
> that dynamically changes the running code without actually requiring
> that folks running 2.3.X/2.4.X patch their source code.
>
> Note that this is *not* a vulnerability in case anybody gets nervous.
> It is a bug that has to do with Zope security, but it is not a
> vulnerability.  (That's why I didn't want to use the term "hotfix")
>
> You can make a monkey patch by creating code modeled after ZC hotfixes
> that does some specific set of steps.  In this case, you'd probably want
> to replace the ModuleSecurityInfo class/function with your "fixed"
> function dynamically.  Of course, in this case you'd need a way to
> arrange that it was among the first Products registered (in order for
> the other Products to make use of the patched function).  I think
> Products are initialized alphabetically, but may be wrong.  ;-(
>
> --
> Chris McDonough                    Zope Corporation
> http://www.zope.org             http://www.zope.com
> "Killing hundreds of birds with thousands of stones"
>
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
>