[Zope] ZClass : strange behaviour of a lines item in a propertysheet

Gilles Lenfant gilles@pilotsystems.net
Fri, 13 Sep 2002 12:41:32 +0200


Many thanks Casey,

I fixed the problem thanks to your explanations.
I thought the list was an instance attr when it's a class attr.

--Gilles

----- Original Message -----
From: "Casey Duncan" <casey@zope.com>
To: "Gilles Lenfant" <gilles@pilotsystems.net>; <zope@zope.org>
Sent: Friday, September 13, 2002 5:26 AM
Subject: Re: [Zope] ZClass : strange behaviour of a lines item in a propertysheet


That is because you are changing a mutable attribute in place. When the
object is new, this attribute is a class attribute, and changing it will
change the class. If the attribute has been set to a value it becomes an
instance attribute.

Here is an illustration:

>>> class Test:
...    alist = []
...
>>> foo = Test()
>>> bar = Test()
>>> foo.alist.extend([1,2,3])  # This changes the class attribute in place
>>> bar.alist
[1, 2, 3]
>>> foo.alist = [1,2]  # This sets an instance attribute
>>> foo.alist.extend([3,4,5])  # This changes the inst attribute
>>> bar.alist
[1, 2, 3]
>>> foo.alist
[1, 2, 3, 4, 5]

Furthermore, modifying properties this way relies on the implementation
detail that properties are stored as direct attributes of objects. This is
brittle and will probably cause your code to break in later Zope versions
(Zope 3 in particular).

Instead use the (arguably poor) property manager API:

getProperty(name)
manage_changeProperties({name:value})

Or better yet don't use ZClasses and property sheets at all and invent your
own API.

As to whether this is a security hole, it's just data, not code. Given the
implementation I don't see a good way around it, other than somehow
forbidding Python scripts to change class attributes. How you would do that
I don't know.

hth,

-Casey

On Thursday 12 September 2002 04:04 pm, Gilles Lenfant wrote:
> Hi Zopistas,
>
> I'm making a ZClass with a "lines" property in a propertysheet.
> I add items in that list with a Python script in the methods of that ZClass:
>
> mylist = container.list_links
> ...
> mylist.extend(items)
>
> The strange thing is that sometimes, the items are appended to the list_links
> property of the object (that's OK), and other times - in an untimely
> manner - the items are appended TO THE PROPERTY DEFINITION IN THE ZCLASS
> ITSELF !!!!!
>
> Is it a Zope bug ? Does an object have the ability to modify its own class
> !!!! In that case, it's a big security issue!
>
> This has been noticed on a Win32/Zope 2.5.1 box. I didn't yet try on my
> FreeBSD box.
>
> Any idea ?
>
> --Gilles
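
The shared class-level default described in this thread, with a check for it and a copy-then-assign update, as an added example that is not part of the original messages. LinkHolder and the helper functions are hypothetical plain-Python stand-ins, not Zope's ZClass or property manager code, and the link values are constructed.

```python
# Added example: plain-Python stand-in for a ZClass with a "lines" property.
# All names below are hypothetical; nothing here is Zope code.

class LinkHolder:
    # Class-level default, shared by every instance that has not set its own value.
    list_links = []


def resolves_to_class(obj, name):
    """True if obj.<name> is found on the class, not in the instance dict."""
    return name not in vars(obj)


def add_links_in_place(obj, items):
    """The pattern from the question: mutates whatever list the lookup returns."""
    obj.list_links.extend(items)


def add_links_by_rebinding(obj, items):
    """Copy, modify the copy, then assign: always creates an instance attribute."""
    updated = list(obj.list_links)
    updated.extend(items)
    obj.list_links = updated


def demo():
    a, b = LinkHolder(), LinkHolder()
    shared_before = resolves_to_class(a, "list_links")   # still the class default
    add_links_in_place(a, ["http://example.invalid/1"])  # constructed sample value
    leaked = list(b.list_links)                          # b now sees a's item
    LinkHolder.list_links = []                           # reset the class default
    c, d = LinkHolder(), LinkHolder()
    add_links_by_rebinding(c, ["http://example.invalid/2"])
    return {
        "shared_before": shared_before,
        "leaked_to_b": leaked,
        "c_links": c.list_links,
        "d_links": d.list_links,
        "class_default": LinkHolder.list_links,
        "c_shared_after": resolves_to_class(c, "list_links"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The in-place update changes what every instance without its own value sees, while the rebinding update leaves the class default and other instances untouched.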