[Zope] ZClass : strange behaviour of a lines item in a propertysheet
Casey Duncan
casey@zope.com
Thu, 12 Sep 2002 23:26:40 -0400
That is because you are changing a mutable attribute in place. When the object
is new, this attribute is a class attribute, and changing it will change the
class. If the attribute has been set to a value, it becomes an instance
attribute.
Here is an illustration:
>>> class Test:
...     alist = []
...
>>> foo = Test()
>>> bar = Test()
>>> foo.alist.extend([1, 2, 3])   # <-- This changes the class attribute in place
>>> bar.alist
[1, 2, 3]
>>> foo.alist = [1, 2]            # <-- This sets an instance attribute
>>> foo.alist.extend([3, 4, 5])   # <-- This changes the instance attribute
>>> bar.alist
[1, 2, 3]
>>> foo.alist
[1, 2, 3, 4, 5]
Furthermore, modifying properties this way relies on the implementation detail
that properties are stored as direct attributes of objects. This is brittle
and will probably cause your code to break in later Zope versions (Zope 3 in
particular).
Instead use the (arguably poor) property manager API:
getProperty(name)
manage_changeProperties({name:value})
Or better yet don't use ZClasses and property sheets at all and invent your
own API.
As to whether this is a security hole, it's just data, not code. Given the
implementation I don't see a good way around it, other than somehow
forbidding Python scripts to change class attributes. How you would do that I
don't know.
hth,
-Casey
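An added Python example, not from Casey's mail or from Zope itself, that models the ZClass default from the question as a class attribute, contrasts the in-place extend with a copy-and-rebind fix, and adds a check for whether an instance is still reading the shared class default. LinkHolder, the helper names and the URLs are made up for illustration.

```python
# Added example, not from the original mail or from Zope: a stand-in for a
# ZClass whose "lines" property default lives on the class, as Casey
# describes. LinkHolder, the helper names and the URLs are made up.

class LinkHolder:
    """Stand-in for the ZClass: list_links is the propertysheet default."""
    list_links = []          # one mutable list, shared by the class and all
                             # instances that have not yet rebound it

def unsafe_add_links(obj, items):
    """The pattern from the question: extend whatever list the attribute
    resolves to. On a fresh instance that is the class-level list, so the
    change shows up on every instance and on the class itself."""
    mylist = obj.list_links
    mylist.extend(items)
    return obj.list_links

def safe_add_links(obj, items):
    """Copy first, extend the copy, then rebind the attribute on the
    instance. Rebinding creates an instance attribute; the class default
    is never mutated."""
    mylist = list(obj.list_links)
    mylist.extend(items)
    obj.list_links = mylist
    return obj.list_links

def is_reading_class_default(obj):
    """Check: True if obj has no list_links of its own and is still reading
    (and could mutate) the shared class default."""
    return "list_links" not in vars(obj)

def demo():
    """Run both patterns on two fresh instances and report what leaked."""
    a, b = LinkHolder(), LinkHolder()
    safe_add_links(a, ["http://example.invalid/a"])
    seen_by_b = list(b.list_links)               # safe path: b unaffected
    unsafe_add_links(b, ["http://example.invalid/b"])
    class_default = list(LinkHolder.list_links)  # unsafe path: class polluted
    return (seen_by_b, class_default,
            is_reading_class_default(a), is_reading_class_default(b))

if __name__ == "__main__":
    print(demo())
```

The check in is_reading_class_default is the kind of assertion a script can run before mutating a property to make sure it is not about to write into the shared class default.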
On Thursday 12 September 2002 04:04 pm, Gilles Lenfant wrote:
> Hi Zopistas,
>
> I'm making a ZClass with a "lines" property in a propertysheet.
> I add items in that list with a python script in the methods of that ZClass:
>
> mylist = container.list_links
> ...
> mylist.extend(items)
>
> The strange thing is that sometimes, the items are appended to the list_links
> property of the object (that's OK), and other times - in an untimely
> manner - the items are appended TO THE PROPERTY DEFINITION IN THE ZCLASS
> ITSELF!!!!!
>
> Is it a Zope bug? Does an object have the ability to modify its own class
> !!!! In that case, it's a big security issue!
>
> This has been noticed on a Win32/Zope 2.5.1 box. I didn't yet try on my
> FreeBSD box.
>
> Any idea?
>
> --Gilles
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>