[Zope] Security on email.Message.Message
Tim Hicks
tim at sitefusion.co.uk
Tue Apr 12 14:20:57 EDT 2005
Tim Hicks said:
> Andreas Jung said:
>
>>> Module RestrictedPython.Guards, line 96, in handler
>>> TypeError: object does not support item or slice assignment
>>>
>>> Does anyone have any idea what the problem is?
>
> Digging further...
>
> I made the TypeError a little more revealing on line 96 of
> RestrictedPython/Guards.py so it now shows the 'secattr' (method) being
> accessed, and its args::
>
> def handler(self, *args):
> try:
> f = getattr(self.ob, secattr)
> except AttributeError:
> raise TypeError, '%s | %s | %s' % (error_msg, secattr,
> str(args))
>
> The value of 'secattr' is apparently '__guarded_setitem__' in my case.
> So, it seems that the email.Message.Message class does not have a
> __guarded_setitem__ on it. This is unsurprising. I assume that it is
> supposed to get added during zope initialisation somewhere, right? Can
> anybody point out where?
Well, I've fixed this with an awful hack. My security assertions now look
like::
from AccessControl import allow_module, allow_class
from AccessControl import ModuleSecurityInfo
def _secure_mapping(klass):
"""XXX Awful hack!!
"""
klass.__guarded_getitem__ = klass.__getitem__
klass.__guarded_setitem__ = klass.__setitem__
klass.__guarded_delitem__ = klass.__delitem__
ModuleSecurityInfo('email.Message').declarePublic('Message')
from email.Message import Message
_secure_mapping(Message)
allow_class(Message)
That gets me to where I want (for now). I'd still love the 'correct'
answer though.
Tim
More information about the Zope
mailing list