[Zope] ZClass : strange behaviour of a lines item in a propertysheet

Casey Duncan casey@zope.com
Thu, 12 Sep 2002 23:26:40 -0400


That is because you are changing a mutable attribute in place. When the object
is new, this attribute is a class attribute, and changing it will change the
class. If the attribute has been set to a value it becomes an instance
attribute.

Here is an illustration:

>>> class Test:
...     alist = []
...
>>> foo = Test()
>>> bar = Test()
>>> foo.alist.extend([1, 2, 3])   # This changes the class attribute in place
>>> bar.alist
[1, 2, 3]
>>> foo.alist = [1, 2]            # This sets an instance attribute
>>> foo.alist.extend([3, 4, 5])   # This changes the instance attribute
>>> bar.alist
[1, 2, 3]
>>> foo.alist
[1, 2, 3, 4, 5]

Furthermore, modifying properties this way relies on the implementation detail
that properties are stored as direct attributes of objects. This is brittle
and will probably cause your code to break in later Zope versions (Zope 3 in
particular).

Instead use the (arguably poor) property manager API:

getProperty(name)
manage_changeProperties({name:value})

Or better yet don't use ZClasses and property sheets at all and invent your
own API.

As to whether this is a security hole, it's just data, not code. Given the
implementation I don't see a good way around it, other than somehow
forbidding Python scripts to change class attributes. How you would do that I
don't know.

hth,

-Casey

On Thursday 12 September 2002 04:04 pm, Gilles Lenfant wrote:
> Hi Zopistas,
>
> I'm making a ZClass with a "lines" property in a propertysheet.
> I add items in that list with a python script in the methods of that ZClass:
>
> mylist = container.list_links
> ...
> mylist.extend(items)
>
> The strange thing is that sometimes, the items are appended to the list_links
> property of the object (that's OK), and other times - in an untimely
> manner - the items are appended TO THE PROPERTY DEFINITION IN THE ZCLASS
> ITSELF !!!!!
>
> Is it a Zope bug? Has an object the ability to modify its own class
> !!!! In that case, it's a big security issue!
>
> This has been noticed on a Win32/Zope 2.5.1 box. I didn't yet try on my
> freeBSD box.
>
> Any idea?
>
> --Gilles
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
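The class-attribute aliasing that the reply above describes, and the
copy-then-assign update path it recommends, as an added stand-alone example.
This is not code from the thread and not Zope code: PropertyHolder is a toy
stand-in for a ZClass with a property sheet, and its getProperty and
manage_changeProperties methods are hypothetical re-implementations that only
borrow the names Casey points to, not Zope's PropertyManager. The two
instances and the items appended to them are constructed sample input.

```python
import copy


def make_holder_class():
    """Build a fresh class each call so the demonstration is repeatable.

    PropertyHolder is a toy stand-in for a ZClass with a property sheet;
    it is not Zope's PropertyManager. The method names mirror the API the
    reply points to, but the bodies here are this example's own.
    """

    class PropertyHolder:
        # Class-level default, as a property sheet default behaves: every
        # instance reads this same list until it assigns its own value.
        list_links = []

        def getProperty(self, name):
            # Falls through to the class attribute when the instance has
            # not yet been given its own value for `name`.
            return getattr(self, name)

        def manage_changeProperties(self, mapping):
            # Assigning on the instance creates an instance attribute and
            # leaves the class default alone. Values are copied so the
            # caller cannot keep a handle on the stored list and mutate
            # it in place later.
            for name, value in mapping.items():
                setattr(self, name, copy.copy(value))

    return PropertyHolder


def has_own(obj, name):
    """True if `name` lives in the instance dict rather than on the class."""
    return name in vars(obj)


def unsafe_extend(obj, items):
    # The pattern from the original question: fetch the list and extend
    # it in place. When obj has no instance attribute yet, the list that
    # comes back is the class attribute, so every instance sees the change.
    mylist = obj.list_links
    mylist.extend(items)


def safe_extend(obj, items):
    # Read, build a new list, and write it back through the API. The
    # assignment inside manage_changeProperties creates an instance
    # attribute; the class default is never touched.
    current = obj.getProperty("list_links")
    obj.manage_changeProperties({"list_links": list(current) + list(items)})


def demonstrate():
    """Run both patterns on two instances and report what each one sees."""
    Holder = make_holder_class()
    foo, bar = Holder(), Holder()

    unsafe_extend(foo, ["a"])  # constructed sample input
    report = {
        # foo still has no instance attribute: the extend hit the class.
        "foo_owns_after_unsafe": has_own(foo, "list_links"),
        # The leak is visible on the class and on an untouched instance.
        "class_default_after_unsafe": list(Holder.list_links),
        "bar_sees_leak": list(bar.getProperty("list_links")),
    }

    safe_extend(foo, ["b"])
    safe_extend(bar, ["c"])
    report.update({
        "foo_owns_after_safe": has_own(foo, "list_links"),
        # The earlier leak persists, but the safe path adds nothing to it.
        "class_default_after_safe": list(Holder.list_links),
        "foo": list(foo.getProperty("list_links")),
        "bar": list(bar.getProperty("list_links")),
    })
    return report


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

Running it shows the sequence from the question: after the in-place extend,
foo still owns nothing and both the class default and the untouched bar
instance carry the appended item; after going through the assignment-based
API, each instance owns its own list and the class default stops changing.
The copy in manage_changeProperties is the part that matters: it is the
assignment, not the API name, that moves the value from the class to the
instance.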