[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Jim Fulton jim at zope.com
Fri Jan 16 06:07:04 EST 2004


Dieter Maurer wrote:
> Jim Fulton wrote at 2004-1-15 17:23 -0500:
> 
>>...
>>None should never be passed for attribute accesses. If it is,
>>then there is a bug.  The case of dictionary mapping names to
>>whatever is for attribute access.  We are talking about item/key
>>access. I haven't seen a use case for needing to specify separate access
>>for separate key values.
> 
> 
> The original problem report (at least the one I read in
> this mailing list) was that a function
> registered with "setDefaultAccess" was called with
> "None" as "name" argument.
> 
> I expect that such a function is not called for dictionary or list access
> but only for access to (class) instances.
> When it is called, the name is relevant, as usually the name
> will be used to distinguish which attributes should be accessible
> and which not. 

Well, the original message in this thread refers to an item access.

***************
*** 312,318 ****
               # Skip directly to item access
               o = object[name]
               # Check access to the item.
!             if not validate(object, object, name, o):
                   raise Unauthorized, name
               object = o
               continue
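
Review bot: on the "!" line, validate(object, object, name, o) sits in the branch commented "Skip directly to item access", so the name passed here is an item key rather than an attribute name, and the comment "Check access to the item." does not say what value validate is meant to receive as its name argument in that case. Suggest documenting that in the comment, since an access function that tests the name needs to know what to expect for item access. Only the "*** 312,318 ****" side of the context diff is quoted, so the replacement line cannot be checked here; quoting the "---" side as well would help.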

The code above this:

         if not name or name[0] == '_':

Checks for empty names or names beginning with underscores, neither of
which are legal attribute names.

So, this does seem to be about item access.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
