[Checkins] SVN: z3c.form/trunk/src/z3c/form/widget.py security issue:
Roger Ineichen
roger at projekt01.ch
Wed Oct 1 01:06:11 EDT 2008
Log message for revision 91645:
security issue:
Avoid setting attributes for values which the object doesn't provide.
I hope it doesn't break existing projects, but that's a real
security problem. If so, just define the attribute in your widget
class and it will work again.
Changed:
U z3c.form/trunk/src/z3c/form/widget.py
-=-
Modified: z3c.form/trunk/src/z3c/form/widget.py
===================================================================
--- z3c.form/trunk/src/z3c/form/widget.py 2008-10-01 05:05:33 UTC (rev 91644)
+++ z3c.form/trunk/src/z3c/form/widget.py 2008-10-01 05:06:10 UTC (rev 91645)
@@ -119,11 +119,13 @@
self.value = converter.toWidgetValue(value)
# Step 2: Update selected attributes
for attrName in self._adapterValueAttributes:
- value = zope.component.queryMultiAdapter(
- (self.context, self.request, self.form, self.field, self),
- interfaces.IValue, name=attrName)
- if value is not None:
- setattr(self, attrName, value.get())
+ # only allow to set values for known attributes
+ if hasattr(self, attrName):
+ value = zope.component.queryMultiAdapter(
+ (self.context, self.request, self.form, self.field, self),
+ interfaces.IValue, name=attrName)
+ if value is not None:
+ setattr(self, attrName, value.get())
def render(self):
"""See z3c.form.interfaces.IWidget."""
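Review bot: the `hasattr(self, attrName)` gate added at the top of the loop is looser than the log message suggests: it is true for any name the widget resolves, including methods and class attributes such as `render`, so an `IValue` adapter registered under such a name can still replace a callable; and on the Python 2 series this code targets, `hasattr` swallows every exception raised by a property getter, so a property that fails is silently treated as absent and skipped rather than reported. A misspelled entry in `_adapterValueAttributes` is now also ignored without any signal. Consider gating on an explicit list of attributes that may be overridden (or checking `attrName in self._adapterValueAttributes` against class-level data only), logging or raising when a name is skipped, and adding a test that an `IValue` adapter named for an unknown attribute has no effect on the widget.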