[ZCM] [ZC] 1534/ 6 Comment "Serious bug in (un)restrictedTraverse"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Fri Nov 26 07:48:17 EST 2004 

Issue #1534 Update (Comment) "Serious bug in (un)restrictedTraverse"
 Status Pending, Zope/bug medium
To followup, visit:
  http://zope.org/Collectors/Zope/1534

==============================================================
= Comment - Entry #6 by camil7 on Nov 26, 2004 7:48 am

About the:

+ except (AttributeError,KeyError): 

please at least add "ValueError", "IndexError" 

(they may happen in cases when sequences stored 
as attributes of persistent objects are traversed)
________________________________________
= Edit - Entry #5 by chrisw on Nov 26, 2004 7:36 am

 Changes: revised title, new comment

On inspection of the code, it appears this is actually a bug in unrestrictedTraverse, and a nasty one at that. From Zope 2.7.3's Traversable.py:

Line 137 raises unauthorized if restricted and the user can't access the zodb root.

Line 141 - Line 197 then raises lots of Unauthorized's, which then get caught by the blanket except on line 198.

I put forward two patches:

--- Traversable.py      Sun Oct 24 11:39:28 2004
+++ Traversable.py.new  Fri Nov 26 12:31:51 2004
@@ -194,7 +194,7 @@

             return object

-        except ConflictError: raise
+        except (ConflictError,Unauthorized): raise
         except:
             if default==_marker: raise
             return default

...or maybe...

--- Traversable.py      Sun Oct 24 11:39:28 2004
+++ Traversable.py.new  Fri Nov 26 12:32:47 2004
@@ -194,8 +194,8 @@

             return object

-        except ConflictError: raise
-        except:
+        except (AttributeError,KeyError):
+            # should any other exceptions be caught?
             if default==_marker: raise
             return default

...which I'd prefer, unless anyone can see any problems?
________________________________________
= Edit - Entry #4 by efge on Nov 12, 2004 12:06 pm

 Changes: submitter email, edited transcript, new comment

Fixed typo in entry #3
________________________________________
= Assign - Entry #3 by efge on Nov 12, 2004 12:03 pm

 Status: Accepted => Pending

 Supporters removed: Caseman


IMO moving from unrestrictedTraverse to restrictedTraverse was a mistake, as all unrestricted code that expected that to work now fails silently. There may be security concerns, but all objects that have to be protected have adequate protections on themeselves anyway (I hope).

Of course the API was underspecified in the first place, and there should be a _getObject for restricted code to call...

________________________________________
= Comment - Entry #2 by ajung on Oct 13, 2004 4:42 am

AFAIK Casey is no longer working for ZC and I don't know if he is still working on Zope. Maybe this issue must be resolved by someone else.
________________________________________
= Request - Entry #1 by chrisw on Oct 13, 2004 4:33 am

 Status: Pending => Accepted

 Supporters added: Caseman

ZCatalog brains' getObject method is now very simply implemented, but in a way that can lead to end user confusion.

The intent is to return None for a brain that no longer maps to an object, but the impementation is such that it also returns None when the user doing the getObject isn't allowed to access the object being mapped to.

This in itself is confusing, an Unauthorized should be raised instead of None being returned.

However, more seriously, it means that unrestricted code that calls getObject no longer works since there may not be an active security manager.

FWIW, the (ugly) workaround I'm currently using is:

container.unrestrictedTraverse(brain.getPath(),None)

...in place of any brain.getObject()'s
==============================================================

More information about the Zope-Collector-Monitor mailing list