[Zope-dev] strange priv leak

Shane Hathaway shane@zope.com
Mon, 19 May 2003 12:34:44 -0400


Jamie Heilman wrote:
> Lately I've been noticing that http://host/zopeobject/manage_options
> is accessible TTW with no privileges.  Unless I'm on crack, it wasn't
> always like this.  I've been trying to figure out what changed and the
> only thing I can discern is that it may be related to using python
> 2.2.  I've seen it happen with 2.6.1 & python 2.2, and I've seen it
> happen with HEAD & python 2.2, but never 2.6.1 & python 2.1.3.  Can
> anyone else corroborate this?  Even better does anyone else know how
> to fix it?  I'm wondering if there's more hanging out in the open than
> just some attributes here and there.

You've uncovered an important difference between Python 2.1 and Python 
2.2.  Built-in objects now have docstrings.  That means Zope running on 
Python 2.2 currently reveals a lot more TTW than Python 2.1 did.  It's a 
good thing we haven't made Python 2.2 support official yet.


(Python 2.1.3)
 >>> ().__doc__
Traceback (most recent call last):
   File "<stdin>", line 1, in ?
AttributeError: 'tuple' object has no attribute '__doc__'

(Python 2.2.2)
 >>> ().__doc__
"tuple() -> an empty tuple\ntuple(sequence) -> tuple initialized from 
sequence's items\n\nIf the argument is a tuple, the return value is the 
same object."


The same thing changed for integers and strings (and probably all other 
built-in types).  The __doc__ check has always been hackish anyway.  Ideas?

Shane
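
Added example, not part of the original message and not Zope's own code: a simplified model of a publisher that treats a non-empty `__doc__` as permission to publish, next to one possible stricter check that refuses instances of built-in types first. `Folder`, `docstring_only_check`, `stricter_check` and `publish` are hypothetical names, and the sample data is constructed.

```python
# Simplified model of a docstring-gated object publisher (hypothetical names).

# Plain data types whose instances should never be published directly.
# On Python >= 2.2 every one of these carries a docstring via its type.
SIMPLE_TYPES = frozenset(
    [tuple, list, dict, str, bytes, int, float, complex, bool, set, frozenset]
)


def docstring_only_check(obj):
    """The rule discussed in the thread: a non-empty __doc__ means publishable."""
    return bool(getattr(obj, "__doc__", None))


def stricter_check(obj):
    """Refuse exact instances of built-in data types, then require a docstring."""
    if type(obj) in SIMPLE_TYPES:
        return False
    return bool(getattr(obj, "__doc__", None))


class Folder:
    """Constructed stand-in for a published object."""

    # Constructed sample data: a tuple attribute, like manage_options.
    manage_options = ({"label": "Contents", "action": "manage_main"},)

    def index_html(self):
        """Public view."""
        return "hello"

    def helper(self):  # deliberately undocumented, so never publishable
        return "internal"


def publish(root, name, check):
    """Resolve one URL path segment and apply the given publishability check."""
    obj = getattr(root, name)
    if not check(obj):
        raise PermissionError("%s is not publishable" % name)
    return obj


if __name__ == "__main__":
    for check in (docstring_only_check, stricter_check):
        for name in ("index_html", "helper", "manage_options"):
            try:
                publish(Folder(), name, check)
                print(check.__name__, name, "-> published")
            except PermissionError as exc:
                print(check.__name__, name, "-> refused:", exc)
```
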