[Zope] Object's lines properties break code in Zope264rc2

Ausum Studio ausum_studio at hotmail.com
Tue Feb 10 13:34:37 EST 2004


---- Original Message ----- 
From: "Brian Lloyd" <brian at zope.com>

> > An object with lines properties in Zope264rc2 returns a tuple, while in
> > Zope261 it returns a list.
> > I haven't found information about this, neither in the 264rc2's
> > changes log
> > nor within this list. Is it a bug or a new feature?
>
> It is a bug fix / security fix. Storing properties in lists
> is bad because lists are mutable and cannot be protected
> directly using security assertions. ...

I used to use that as a feature, though I agree that it can also be a
potential security breach. Maybe it's worth the pain to put that as a
configurable feature in z2.py, and the new standard as default.

Otherwise I'm afraid I'll have a rewriting weekend. Does this break code to
anyone else?


Ausum


> ... Theoretically, an evil-
> intentioned scripter could change a property if it is stored
> as a list (though they'd have to find some way to force the
> persistent state of the parent object to be saved for the
> change to be saved).
>
>
> Brian Lloyd        brian at zope.com
> V.P. Engineering   540.361.1716
> Zope Corporation   http://www.zope.com
>
>
>



More information about the Zope mailing list