[Zope] Security issue FIXED by installing VerboseSecurity?
Milos Prudek
prudek at bvx.cz
Wed Mar 24 13:12:35 EST 2004

I am trying to move my application from Zope 2.5 to Zope 2.7. There was
the security audit, so problems are expected to crop up. But I stumbled
across something inexplicable...

Pretty innocent Python Script gives error "ValueError: unpack list of
wrong size". To investigate the error, I installed VerboseSecurity. The
error disappeared. I removed VerboseSecurity. Error appeared. I
installed VerboseSecurity again. Error disappeared.

How is this possible? I did not even set ZOPE_SECURITY_POLICY=PYTHON,
because I was not sure if Zope 2.7 reads environment variables. Yet
VerboseSecurity "fixed" the error. I don't like this kind of fix...
especially since I do not understand it.

Here's the script in question:

Dct={}
Dct['readers'] = context.readers+1
context.propertysheets.data.manage_changeProperties(Dct)

It's the third line that caused the error. This script runs "proxy
Manager" because it updates a property even if the user is not the owner
of the ZClass instance that this script belongs to.

Here's the traceback:

Traceback (innermost last):
* Module ZPublisher.Publish, line 100, in publish
* Module ZPublisher.mapply, line 88, in mapply
* Module ZPublisher.Publish, line 40, in call_object
* Module OFS.DTMLMethod, line 130, in __call__
  <DTMLMethod instance at 4187a320>
  URL: http://localhost:9080/choroby/ucho/skalni/obecne/1/index_html_top/manage_main
  Physical Path:/www.orl.cz/choroby/ucho/skalni/obecne/1/index_html_top
* Module DocumentTemplate.DT_String, line 474, in __call__
* Module Shared.DC.Scripts.Bindings, line 320, in __render_with_namespace__
* Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
* Module Products.PythonScripts.PythonScript, line 318, in _exec
* Module None, line 3, in inc_readers
  <PythonScript at /www.orl.cz/choroby/ucho/skalni/obecne/1/inc_readers>
  Line 3
* Module AccessControl.Owned, line 123, in getWrappedOwner
ValueError: unpack list of wrong size

--
Milos Prudek
_________________
Most websites are
confused chintzy gaudy conflicting tacky unpleasant... unusable.
Learn how usable YOUR website is! http://www.spoxdesign.com