[ZCM] [ZC] 685/ 5 Comment "Security problems importing from python package."

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin@zope.org
Tue, 17 Dec 2002 14:37:36 -0500


Issue #685 Update (Comment) "Security problems importing from python package."
 Status Resolved, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/685

==============================================================
= Comment - Entry #5 by chrisw on Dec 17, 2002 2:37 pm

Just to note that Shane has some concerns about the solution. I've left the current solution as is, pending a better solution being put forward.
________________________________________
= Resolve - Entry #4 by chrisw on Dec 17, 2002 1:11 pm

 Status: Pending => Resolved

This is now fixed on 2.6 branch and HEAD.
________________________________________
= Comment - Entry #3 by chrisw on Nov 25, 2002 11:29 am

Clemens Robbenhaar wrote:
> 
>   I did just now run into a similar problem, and may offer the following
> explanation after some debugging:
> 
>  It seems the 'allow_module', etc, does not get executed by Zope in advance,
> except if this is the __init__.py of a 'Product', or this module is
> imported by some core module or product. This is quite standard python
> behaviour; the module is not initialized before import, and Zope does
> some extra work to initialize all products on startup.
> 
>  If one tries to import the code from a python script, the security
> machinery first checks if the module has some security info, and imports
> it afterwards, if the info is found. But as the module is not imported
> anyway, it is not initialized, and has no such info and thus will not
> be allowed for import. 

This strikes me as a bug.

Zope should try and import the module before checking its security declarations, otherwise the module has no opportunity to perform its security declarations.

Where should this importing be done?

________________________________________
= Edit - Entry #2 by chrisw on Nov 21, 2002 7:20 am

 Changes: submitter email, revised title
________________________________________
= Request - Entry #1 by chrisw on Nov 21, 2002 7:20 am

I'm trying to get stripogram working from Script(Pythons).

Now, all I should need to do is add the following to the stripogram/__init__.py:

  from AccessControl import ModuleSecurityInfo
  ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')

This doesn't work!

In order to get the following test to pass:

  import unittest
  from Products.PythonScripts.PythonScript import PythonScript

  class StripogramImportTest(unittest.TestCase):
      def test_import_from_script(self):
          theScript = PythonScript('test')
          theScript.ZBindings_edit({})
          theScript.write("from stripogram import html2text\nreturn html2text('<i>hello</i>')")
          theScript._makeFunction()
          self.assertEqual(theScript(), 'hello')

I also have to add:

  from AccessControl import ModuleSecurityInfo
  ModuleSecurityInfo('stripogram').declareObjectPublic()

Why?

Now, the following Script (Python) created through the ZMI:

  from stripogram import html2text

...will always result in:

  Error Type: ImportError
  Error Value: import of "stripogram" is unauthorized

   File \lib\python\Products\PythonScripts\PythonScript.py, line 302, in _exec
     (Object: tester)
     (Info: ({'script': <PythonScript instance at 012CB4D8>, 'context': 
<Application instance at 012B92D8>, 'container': <Application instance at 
012B92D8>, 'traverse_subpath': []}, (), {}, None))
   File Script (Python), line 1, in tester
   File \lib\python\AccessControl\ZopeGuards.py, line 153, in guarded_import
ImportError: (see above)

Even if I add the following to stripogram/__init__.py:

     from AccessControl import allow_module
     allow_module('stripogram')

Why doesn't this code behave as advertised in
Products/PythonScripts/module_access_examples.py?
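
The ordering problem described in Entry #3 and hit in Entry #1 can be shown without a Zope install. The following is an added example, not code from this thread or from Zope's AccessControl package: it is a constructed stand-in with a hypothetical `_declarations` registry, a minimal `ModuleSecurityInfo` that only supports `declarePublic()`, a fake `stripogram` package whose `__init__` body registers its declaration, and two guarded-import variants. `guarded_import_check_first` consults the declarations before importing (the behaviour Clemens describes, which fails on a fresh process) and `guarded_import_import_first` imports first so the package gets to declare itself (the order chrisw asks for), while still refusing names that were never declared.

```python
import re
import types

# Constructed stand-in for the part of Zope's AccessControl machinery the
# thread talks about. All names here are hypothetical; the real
# ZopeGuards.guarded_import / AccessControl.ModuleSecurityInfo code differs.

_declarations = {}   # module name -> set of names declared public
_loaded = {}         # our own module cache (stands in for sys.modules)


class ModuleSecurityInfo:
    """Mimics only the declarePublic() half of AccessControl.ModuleSecurityInfo."""

    def __init__(self, module_name):
        self.module_name = module_name

    def declarePublic(self, *names):
        _declarations.setdefault(self.module_name, set()).update(names)


def _init_stripogram():
    # Stands in for stripogram/__init__.py: the declaration only runs when the
    # package body is actually executed, i.e. on first import.
    ModuleSecurityInfo("stripogram").declarePublic("html2text")
    mod = types.ModuleType("stripogram")
    mod.html2text = lambda markup: re.sub(r"<[^>]+>", "", markup)  # toy tag stripper
    return mod


_importable = {"stripogram": _init_stripogram}   # constructed "filesystem"


def _import(name):
    """Plain Python import semantics: run the package body once, then cache."""
    if name not in _importable:
        raise ImportError("No module named %s" % name)
    if name not in _loaded:
        _loaded[name] = _importable[name]()
    return _loaded[name]


def _check(name, fromlist):
    """Refuse the import unless the module declared every requested name public."""
    allowed = _declarations.get(name)
    if allowed is None:
        raise ImportError('import of "%s" is unauthorized' % name)
    for attr in fromlist:
        if attr not in allowed:
            raise ImportError('import of "%s.%s" is unauthorized' % (name, attr))


def guarded_import_check_first(name, fromlist=()):
    """Order described in the thread: consult declarations, import afterwards."""
    _check(name, fromlist)
    mod = _import(name)
    return {attr: getattr(mod, attr) for attr in fromlist}


def guarded_import_import_first(name, fromlist=()):
    """Order chrisw asks for: import first so __init__ can declare, then check."""
    mod = _import(name)
    _check(name, fromlist)
    return {attr: getattr(mod, attr) for attr in fromlist}


def reset():
    """Forget declarations and cached modules, i.e. simulate a fresh process."""
    _declarations.clear()
    _loaded.clear()


if __name__ == "__main__":
    reset()
    try:
        guarded_import_check_first("stripogram", ("html2text",))
    except ImportError as exc:
        print("check-first on a fresh process:", exc)
    names = guarded_import_import_first("stripogram", ("html2text",))
    print("import-first:", names["html2text"]("<i>hello</i>"))
```

Running it on a fresh state reproduces the thread's `import of "stripogram" is unauthorized` for the check-first order; once anything has imported the package (a Product's `__init__`, or the import-first variant), the check-first order succeeds too, which is why the declarations appear to work only for Products or for modules something else already imported. Importing first does not weaken the check: a name the package never declared is still refused.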

==============================================================