[Zope-dev] Security audit introduced problem in PageTemplates/Expression.py

Stuart Bishop stuart at stuartbishop.net
Tue Jan 13 00:19:56 EST 2004


The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:

***************
*** 312,318 ****
               # Skip directly to item access
               o = object[name]
               # Check access to the item.
!             if not validate(object, object, name, o):
                   raise Unauthorized, name
               object = o
               continue
- --- 307,313 ----
               # Skip directly to item access
               o = object[name]
               # Check access to the item.
!             if not validate(object, object, None, o):
                   raise Unauthorized, name
               object = o
               continue
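Review bot: replacing `name` with `None` in `validate(object, object, None, o)` withholds the item name from the security check even though the name is still in scope (the very next line still does `raise Unauthorized, name`), so this is a deliberate choice that needs a comment at the call site; the unchanged `# Check access to the item.` does not say why the name is no longer supplied. Anything the policy hands the name to, such as a `ClassSecurityInfo.setDefaultAccess` callback with the `_checkAccess(self, name, value)` shape shown later in this message, now receives `None`, and a callback that does `name.startswith('CG')` will fail with an `AttributeError` instead of returning a decision. If the intent is that item access is to be judged on the value's own roles rather than on the name, state that in the comment and mention it in the commit message.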
***************
*** 367,373 ****
                       raise
                   else:
                       # Check access to the item.
!                     if not validate(object, object, name, o):
                           raise Unauthorized, name
           object = o

- --- 362,368 ----
                       raise
                   else:
                       # Check access to the item.
!                     if not validate(object, object, None, o):
                           raise Unauthorized, name
           object = o

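Review bot: this is the same `name` to `None` substitution as in the first hunk, applied to the fallback path that runs after the attribute lookup has failed, and nothing in either hunk records that the two call sites are meant to stay in step. Suggest one shared comment (or a single helper that both sites call) explaining the `None` argument, and a regression test for a class that registers a callable via `setDefaultAccess` and is reached through `__getitem__`, since that is the case whose behaviour these two lines change.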

This has the side effect of not passing the name attribute to
my security assertion methods registered via
ClassSecurityInfo.setDefaultAccess:

from AccessControl import ClassSecurityInfo
from Globals import InitializeClass

class Foo(blah, blah, blah):
    security = ClassSecurityInfo()

    def _checkAccess(self, name, value):
        # Default-access hook: grant access only to names starting with 'CG'.
        # After the 8th Jan change, Expression.py hands this hook name=None.
        if name.startswith('CG'):
            return 1
        return 0
    security.setDefaultAccess(_checkAccess)

    def __getitem__(self, key):
        ''' Access via dictionary interface, with security
            provided via _checkAccess
        '''
        return 'example'

# Security declarations only take effect once the class is initialized.
InitializeClass(Foo)

Reversing the changes to Expression.py seems to break lots of
things (including SiteErrorLog), so I'm sure this is much more
involved.

Can anyone shed light onto what is going on?

-- 
Stuart Bishop <stuart at stuartbishop.net>
http://www.stuartbishop.net/
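The effect described in the post, as an added example that is neither the post's own code nor Zope's: a small Python 3 stand-in for the changed lines of Expression.py, a default-access callback with the `_checkAccess(self, name, value)` shape shown above, and a second callback that copes with receiving `name=None`. The `Foo`, `validate`, `item_access` and `outcome` functions, the `callback(name, value)` calling convention, and the sample items are all constructed for this example; they mirror what the post describes, not the real AccessControl machinery.

```python
class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized (constructed for this example)."""


class Foo:
    """Stand-in for the post's Foo: items reached via __getitem__.

    The 'public' flag on each constructed item is what the hardened callback
    falls back on when it is given no name.
    """

    def __init__(self):
        self._items = {
            'CGreport': {'public': True, 'body': 'quarterly figures'},
            'secret': {'public': False, 'body': 'internal only'},
        }

    def __getitem__(self, key):
        return self._items[key]


def validate(container, name, value, callback):
    """Stand-in for validate(object, object, name, o): consult the container's
    default-access callback, passing through whatever name the caller gave."""
    return bool(callback(name, value))


def check_access_original(name, value):
    """The _checkAccess from the post: grant only names starting with 'CG'."""
    if name.startswith('CG'):
        return 1
    return 0


def check_access_hardened(name, value):
    """Same policy, plus a rule for the name=None case the audited change
    introduces: with no name to judge, decide on the value's own marker."""
    if name is None:
        return 1 if value.get('public') else 0
    return 1 if name.startswith('CG') else 0


def item_access(container, name, callback, pass_name):
    """Mirror the changed lines of Expression.py.

    pass_name=True is the pre-audit call validate(object, object, name, o);
    pass_name=False is the post-audit call validate(object, object, None, o).
    """
    o = container[name]
    if not validate(container, name if pass_name else None, o, callback):
        raise Unauthorized(name)
    return o


def outcome(callback, name, pass_name):
    """Classify what a template traversal would see: 'granted', 'denied',
    or 'error' when the callback itself fails instead of deciding."""
    try:
        item_access(Foo(), name, callback, pass_name)
    except Unauthorized:
        return 'denied'
    except AttributeError:
        return 'error'
    return 'granted'


if __name__ == '__main__':
    for cb in (check_access_original, check_access_hardened):
        for pass_name in (True, False):
            print(cb.__name__,
                  'name passed' if pass_name else 'name=None',
                  'CGreport:', outcome(cb, 'CGreport', pass_name),
                  'secret:', outcome(cb, 'secret', pass_name))
```

With the name passed, the original callback grants `CGreport` and denies `secret`; with `None`, it raises `AttributeError` for both, so the template sees an error rather than an access decision. The hardened callback reaches a decision in both modes, at the cost of needing a marker on the values themselves, which is the trade the `None` argument forces on anyone relying on name-based default access.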