Leaking HTTP requests (was: RE: [Zope] LeakingAcquisition.ImplicitAcquirerWrapper)

Chris McDonough chrism at plope.com
Thu May 13 17:50:23 EDT 2004


Tres and me were playing around with this a little and the easiest way
to provoke a REQUEST leak is to do an anonymous request to a resource
inside a subfolder where the subfolder has all permission acquisition
turned off (and only "authenticated" granted view access).  It will turn
around and try to run "standard_error_message", which will fail due to
security (and leak in the process).  The code responsible for this is
SimpleItem.raise_standardErrorMessage, which does some funky passing
around/munging of traceback objects.  However,
"raise_standardErrorMessage" never gets called if
"standard_error_message" doesn't exist in the acquisition path.  If it
never gets called, the leak does not occur.

The simplest way to rid yourself of the leak temporarily is to remove
"standard_error_message".

On Thu, 2004-05-13 at 17:41, Brian Lloyd wrote:
> Zope.org doesn't use Localizer (or Archetypes - another thing 
> that has come up in this thread).
> 
> In our experience, this sort of thing has almost always turned
> out to be a wrapped object ending up in the REQUEST or a wrapped 
> object holding onto a request for some reason.
> 
> I've attached a quick product you can drop in to test that 
> theory on your own instance (just make a directory 
> Products/LeakBGone and drop this __init__.py into it and 
> restart).
> 
> If it fixes the leak, we can extend it to do some logging and 
> try to figure out the root cause. I'll try it out on zope.org 
> as soon as I'm able. 
> 
> 
> Brian Lloyd        brian at zope.com
> V.P. Engineering   540.361.1716              
> Zope Corporation   http://www.zope.com
> 
> 
> > -----Original Message-----
> > From: zope-bounces+brian=zope.com at zope.org
> > [mailto:zope-bounces+brian=zope.com at zope.org]On Behalf Of Stefan H.
> > Holek
> > Sent: Thursday, May 13, 2004 3:14 PM
> > To: Brian Lloyd
> > Cc: Jean-Francois.Doyon at CCRS.NRCan.gc.ca; zope at zope.org
> > Subject: Re: Leaking HTTP requests (was: RE: [Zope]
> > LeakingAcquisition.ImplicitAcquirerWrapper)
> > 
> > 
> > Does zope.org use Localizer or some type of "global request" patch?
> > 
> > Stefan
> > 
> > 
> > On Donnerstag, Mai 13, 2004, at 21:42 Europe/Vienna, Brian Lloyd wrote:
> > 
> > > FWIW - zope.org is suffering hugely from this as well, so
> > > I'm following this thread eagerly ;)
> > --
> > The time has come to start talking about whether the emperor is as well
> > dressed as we are supposed to think he is.               /Pete McBreen/
> > 
> > 
> > _______________________________________________
> > Zope maillist  -  Zope at zope.org
> > http://mail.zope.org/mailman/listinfo/zope
> > **   No cross posts or HTML encoding!  **
> > (Related lists - 
> >  http://mail.zope.org/mailman/listinfo/zope-announce
> >  http://mail.zope.org/mailman/listinfo/zope-dev )
> > 
> 
> ______________________________________________________________________
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )




More information about the Zope mailing list