[Zope] Security issue FIXED by installing VerboseSecurity?

Dennis Allison allison at sumeru.stanford.EDU
Wed Mar 24 13:41:21 EST 2004 

I don't think ther verbose security product has yet been ported to 2.7.

On Wed, 24 Mar 2004, Milos Prudek wrote:

> 
> I am trying to move my application from Zope 2.5 to Zope 2.7. There was 
> the security audit, so problems are expected to crop up. But I stumpled 
> across something unexplicable...
> 
> Pretty innocent Python Script gives error "ValueError: unpack list of 
> wrong size". To investigate the error, I installed VerboseSecurity. The 
> error dissappeared. I removed VerboseSecurity. Error appeared. I 
> installed VerboseSecurity again. Error disappeared.
> 
> How is this possible? I did not even set ZOPE_SECURITY_POLICY=PYTHON, 
> because I was not sure if Zope 2.7 reads environment variables. Yet 
> VerboseSecurity "fixed" the error. I don't like this kind of fix... 
> especially since I do not understant it.
> 
> Here's the script in question:
> 
> Dct={}
> Dct['readers'] = context.readers+1
> context.propertysheets.data.manage_changeProperties(Dct)
> 
> It's the third line that caused the error. This script runs "proxy 
> Manager" because it updates a property even if the user is not the owner 
> of the ZClass instance that this script belongs to.
> 
> Here's the traceback:
> 
> Traceback (innermost last):
> 
>      * Module ZPublisher.Publish, line 100, in publish
>      * Module ZPublisher.mapply, line 88, in mapply
>      * Module ZPublisher.Publish, line 40, in call_object
>      * Module OFS.DTMLMethod, line 130, in __call__
>        <DTMLMethod instance at 4187a320>
>        URL: 
> http://localhost:9080/choroby/ucho/skalni/obecne/1/index_html_top/manage_main
>        Physical Path:/www.orl.cz/choroby/ucho/skalni/obecne/1/index_html_top
>      * Module DocumentTemplate.DT_String, line 474, in __call__
>      * Module Shared.DC.Scripts.Bindings, line 320, in 
> __render_with_namespace__
>      * Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
>      * Module Products.PythonScripts.PythonScript, line 318, in _exec
>      * Module None, line 3, in inc_readers
>        <PythonScript at 
> /www.orl.cz/choroby/ucho/skalni/obecne/1/inc_readers>
>        Line 3
>      * Module AccessControl.Owned, line 123, in getWrappedOwner
> 
> ValueError: unpack list of wrong size
> 
> -- 
> Milos Prudek
> _________________
> Most websites are
> confused chintzy gaudy conflicting tacky unpleasant... unusable.
> Learn how usable YOUR website is! http://www.spoxdesign.com
> 
> 
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
>

More information about the Zope mailing list