Leaking HTTP requests (was: RE: [Zope]
LeakingAcquisition.ImplicitAcquirerWrapper)
Chris McDonough
chrism at plope.com
Thu May 13 17:50:23 EDT 2004
Tres and me were playing around with this a little and the easiest way
to provoke a REQUEST leak is to do an anonymous request to a resource
inside a subfolder where the subfolder has all permission acquisition
turned off (and only "authenticated" granted view access). It will turn
around and try to run "standard_error_message", which will fail due to
security (and leak in the process). The code responsible for this is
SimpleItem.raise_standardErrorMessage, which does some funky passing
around/munging of traceback objects. However,
"raise_standardErrorMessage" never gets called if
"standard_error_message" doesn't exist in the acquisition path. If it
never gets called, the leak does not occur.
The simplest way to rid yourself of the leak temporarily is to remove
"standard_error_message".
On Thu, 2004-05-13 at 17:41, Brian Lloyd wrote:
> Zope.org doesn't use Localizer (or Archetypes - another thing
> that has come up in this thread).
>
> In our experience, this sort of thing has almost always turned
> out to be a wrapped object ending up in the REQUEST or a wrapped
> object holding onto a request for some reason.
>
> I've attached a quick product you can drop in to test that
> theory on your own instance (just make a directory
> Products/LeakBGone and drop this __init__.py into it and
> restart).
>
> If it fixes the leak, we can extend it to do some logging and
> try to figure out the root cause. I'll try it out on zope.org
> as soon as I'm able.
>
>
> Brian Lloyd brian at zope.com
> V.P. Engineering 540.361.1716
> Zope Corporation http://www.zope.com
>
>
> > -----Original Message-----
> > From: zope-bounces+brian=zope.com at zope.org
> > [mailto:zope-bounces+brian=zope.com at zope.org]On Behalf Of Stefan H.
> > Holek
> > Sent: Thursday, May 13, 2004 3:14 PM
> > To: Brian Lloyd
> > Cc: Jean-Francois.Doyon at CCRS.NRCan.gc.ca; zope at zope.org
> > Subject: Re: Leaking HTTP requests (was: RE: [Zope]
> > LeakingAcquisition.ImplicitAcquirerWrapper)
> >
> >
> > Does zope.org use Localizer or some type of "global request" patch?
> >
> > Stefan
> >
> >
> > On Donnerstag, Mai 13, 2004, at 21:42 Europe/Vienna, Brian Lloyd wrote:
> >
> > > FWIW - zope.org is suffering hugely from this as well, so
> > > I'm following this thread eagerly ;)
> > --
> > The time has come to start talking about whether the emperor is as well
> > dressed as we are supposed to think he is. /Pete McBreen/
> >
> >
> > _______________________________________________
> > Zope maillist - Zope at zope.org
> > http://mail.zope.org/mailman/listinfo/zope
> > ** No cross posts or HTML encoding! **
> > (Related lists -
> > http://mail.zope.org/mailman/listinfo/zope-announce
> > http://mail.zope.org/mailman/listinfo/zope-dev )
> >
>
> ______________________________________________________________________
> _______________________________________________
> Zope maillist - Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
More information about the Zope
mailing list