[ZCM] [ZC] 685/ 5 Comment "Security problems importing from python package."
Collector: Zope Bugs, Features, and Patches ...
zope-coders-admin@zope.org
Tue, 17 Dec 2002 14:37:36 -0500
Issue #685 Update (Comment) "Security problems importing from python package."
Status Resolved, Zope/bug medium
To followup, visit:
http://collector.zope.org/Zope/685
==============================================================
= Comment - Entry #5 by chrisw on Dec 17, 2002 2:37 pm
Just to note that Shane has some concerns about the solution. I've left the current solution as is, pending a better solution being put forward.
________________________________________
= Resolve - Entry #4 by chrisw on Dec 17, 2002 1:11 pm
Status: Pending => Resolved
This is now fixed on 2.6 branch and HEAD.
________________________________________
= Comment - Entry #3 by chrisw on Nov 25, 2002 11:29 am
Clemens Robbenhaar wrote:
>
> I did just now run into a similar problem, and may offer the following
> explanation after some debugging:
>
> It seems the 'allow_module', etc., does not get executed by Zope in advance,
> except if this is the __init__.py of a 'Product', or this module is
> imported by some core module or product. This is quite standard python
> behaviour; the module is not initialized before import, and Zope does
> some extra work to initialize all products on startup.
>
> If one tries to import the code from a python script, the security
> machinery first checks if the module has some security info, and imports
> it afterwards, if the info is found. But as the module is not imported
> anyway, it is not initialized, and has no such info and thus will not
> be allowed for import.
This strikes me as a bug.
Zope should try and import the module before checking its security declarations, otherwise the module has no opportunity to perform its security declarations.
Where should this importing be done?
________________________________________
= Edit - Entry #2 by chrisw on Nov 21, 2002 7:20 am
Changes: submitter email, revised title
________________________________________
= Request - Entry #1 by chrisw on Nov 21, 2002 7:20 am
I'm trying to get stripogram working from Script(Pythons).
Now, all I should need to do is add the following to the stripogram/__init__.py:
ModuleSecurityInfo('stripogram').declarePublic('html2text', 'html2safehtml')
This doesn't work!
In order to get the following test to pass:
from Products.PythonScripts.PythonScript import PythonScript
theScript = PythonScript('test')
theScript.ZBindings_edit({})
theScript.write("from stripogram import html2text\nreturn html2text('<i>hello</i>')")
theScript._makeFunction()
self.assertEqual(theScript(),'hello')
I also have to add:
ModuleSecurityInfo('stripogram').declareObjectPublic()
Why?
Now, the following Script (Python) created through the ZMI:
from stripogram import html2text
...will always result in:
Error Type: ImportError
Error Value: import of "stripogram" is unauthorized
File \lib\python\Products\PythonScripts\PythonScript.py, line 302, in _exec
(Object: tester)
(Info: ({'script': <PythonScript instance at 012CB4D8>, 'context':
<Application instance at 012B92D8>, 'container': <Application instance at
012B92D8>, 'traverse_subpath': []}, (), {}, None))
File Script (Python), line 1, in tester
File \lib\python\AccessControl\ZopeGuards.py, line 153, in guarded_import
ImportError: (see above)
Even if I add the following to stripogram/__init__.py:
allow_module('stripogram')
Why doesn't this code behave as advertised in
Products/PythonScripts/module_access_examples.py?
==============================================================
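
The ordering problem discussed in entry #3, as an added example that is not part of the original thread and is not Zope's code: a toy registry (`toy_security`), a constructed package (`toy_stripogram`) and two hypothetical guard functions stand in for the real machinery. It also shows the cost of the import-first order: a module that ends up denied has still had its top-level code executed.

```python
import importlib, os, sys, tempfile, types

# Toy stand-in (assumption) for Zope's registry of module security declarations.
registry = types.ModuleType("toy_security")
registry.declared = set()
registry.allow_module = registry.declared.add
sys.modules["toy_security"] = registry

def make_package(name):
    """Write a constructed package whose __init__.py declares itself importable."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, name))
    with open(os.path.join(root, name, "__init__.py"), "w") as f:
        f.write("import re\nfrom toy_security import allow_module\n"
                "allow_module(__name__)\n"
                "def html2text(s): return re.sub('<[^>]+>', '', s)\n")
    sys.path.insert(0, root)
    importlib.invalidate_caches()

def check_then_import(name):
    """Order described in entry #3: look up declarations, import only if found."""
    if name not in registry.declared:
        raise ImportError('import of "%s" is unauthorized' % name)
    return importlib.import_module(name)

def import_then_check(name):
    """Order proposed in entry #3: import so declarations can run, then check."""
    module = importlib.import_module(name)  # executes the module's top-level code
    if name not in registry.declared:
        raise ImportError('import of "%s" is unauthorized' % name)
    return module

def demo():
    make_package("toy_stripogram")
    try:
        check_then_import("toy_stripogram")
        first = "allowed"
    except ImportError as exc:  # declaration never ran, so the lookup fails
        first = str(exc)
    second = import_then_check("toy_stripogram").html2text("<i>hello</i>")
    # Once anything has imported the package, the check-first order passes too.
    third = check_then_import("toy_stripogram").html2text("<i>hello</i>")
    try:
        import_then_check("colorsys")  # undeclared standard-library module
    except ImportError:
        pass
    return first, second, third, "colorsys" in sys.modules

if __name__ == "__main__":
    print(demo())
```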