[Zope-dev] zope.i18nmessageid

Jim Fulton jim at zope.com
Mon Jul 5 13:46:45 EDT 2010


On Mon, Jul 5, 2010 at 12:57 PM, Shane Hathaway <shane at hathawaymix.org> wrote:
> On 07/02/2010 11:49 AM, Tres Seaver wrote:
>> Jim has asserted (but not really explained) that the C extension closes
>> some kind of security hole.  I don't see any credible attack vector
>> myself, but then I no longer believe it worthwhile to devote my own
>> energy to defending against malicious TTW programmers.
>
> FWIW, I imagine the problem is that zope.security treats
> zope.i18nmessageid as a rock, so if the implementation is in Python, it
> probably allows untrusted code to do this:
>
>  >>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__']
> <built-in function __import__>
>
> I suggest the bug is in zope.security, which should never allow a type
> written in Python to be a rock.

Although I wouldn't go so far as calling this a "bug", I like the idea
of deciding whether to treat message ids as rocks depending on whether
we're using the C implementation or not.

Jim

--
Jim Fulton
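The check the thread converges on (a "rock" is an object zope.security hands to untrusted code without a proxy, so a rock class must be one whose methods expose no `__globals__`) can be written down directly. The following is an added illustration, not zope.security's or zope.i18nmessageid's own code: `PyMessage` is a constructed stand-in for a Python-implemented message id, `may_be_rock` and `reachable_builtins` are hypothetical helpers, and the attribute names are the Python 3 spellings (`__func__`, `__globals__`) of the Python 2 `im_func` / `func_globals` used in the message above.

```python
# Added illustration (not zope.security's own code): decide whether a class may be
# treated as a "rock" based on whether it is implemented in C, and show which
# members of a Python-defined class reach module globals (and so __builtins__).

import inspect

# CPython type flag meaning "created by a class statement or type()", i.e. the
# type lives in Python rather than in a C extension (value from CPython's object.h).
Py_TPFLAGS_HEAPTYPE = 1 << 9


def is_c_implemented(cls):
    """True when cls is a static, C-defined type rather than a Python class."""
    return not (cls.__flags__ & Py_TPFLAGS_HEAPTYPE)


def may_be_rock(cls):
    """Hypothetical policy: only C-implemented types may be declared rocks.
    A Python class would expose __globals__ through its functions."""
    return is_c_implemented(cls)


def reachable_builtins(obj):
    """Names of members on type(obj) whose function __globals__ contain
    __builtins__. Empty for C types; non-empty for Python-defined classes."""
    leaks = []
    for name, member in inspect.getmembers(type(obj)):
        # Unwrap bound/class methods; plain functions are used as-is.
        func = getattr(member, "__func__", member)
        globs = getattr(func, "__globals__", None)
        if isinstance(globs, dict) and "__builtins__" in globs:
            leaks.append(name)
    return leaks


class PyMessage(str):
    """Constructed stand-in for a Python-implemented message id (not the real class)."""

    def __new__(cls, ustr, domain=None):
        self = str.__new__(cls, ustr)
        self.domain = domain
        return self


if __name__ == "__main__":
    for cls in (str, PyMessage):
        print(cls.__name__, "C-implemented:", is_c_implemented(cls),
              "may be rock:", may_be_rock(cls))
    print("members of PyMessage reaching __builtins__:",
          reachable_builtins(PyMessage("hello", "demo")))
    print("members of str reaching __builtins__:", reachable_builtins("hello"))
```

Run as a script it reports that `str` is C-implemented and may be a rock while `PyMessage` is not, and that `PyMessage.__new__` is the member through which module globals, and thus `__builtins__`, become reachable. The policy helper is the point: the rock declaration should be conditional on the C implementation actually being the one loaded, not on the name of the class.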

