[ http://issues.apache.org/jira/browse/MODPYTHON-43?page=all ]
Graham Dumpleton updated MODPYTHON-43:
--------------------------------------
Fix Version: 3.3
Description:
In the mod_python.publisher code, the code for performing basic authentication
has in a few spots code of the form:
if "__auth__" in func_code.co_names:
i = list(func_code.co_names).index("__auth__")
__auth__ = func_code.co_consts[i+1]
if hasattr(__auth__, "co_name"):
__auth__ = new.function(__auth__, globals())
found_auth = 1
What this does is that if the target of the request is a function and that
function
contains a nested function, which in this case is called "__auth__", then that
nested function is turned into a callable object and is subsequently called to
determine if the user is able to perform the request.
In making the nested function callable, it uses "globals()". By using this
though
it is using the globals from the mod_python.publisher module and not the
module which the nested function is contained within. This means that the
following code will actually fail.
import xxx
def function(req):
def __auth__(req,username,password):
return xxx.auth(req,username,password)
This is because the module "xxx" imported at global scope within the module
isn't
available to the nested function when it is called as it is seeing the globals
of
mod_python.publisher instead. To get around the problem, the import has to be
local to the nested function.
def function(req):
def __auth__(req,username,password):
import xxx
return xxx.auth(req,username,password)
Since in this case the auth function being called is a nested function, we know
that
we can actually grab the globals for the correct module by getting
"func_globals"
from the enclosing function.
if "__auth__" in func_code.co_names:
i = list(func_code.co_names).index("__auth__")
__auth__ = func_code.co_consts[i+1]
if hasattr(__auth__, "co_name"):
__auth__ = new.function(__auth__, object.func_globals)
found_auth = 1
Ie., instead of "globals()", use "object.func_globals" where "object is the
enclosing
function object.
was:
In the mod_python.publisher code, the code for performing basic authentication
has in a few spots code of the form:
if "__auth__" in func_code.co_names:
i = list(func_code.co_names).index("__auth__")
__auth__ = func_code.co_consts[i+1]
if hasattr(__auth__, "co_name"):
__auth__ = new.function(__auth__, globals())
found_auth = 1
What this does is that if the target of the request is a function and that
function
contains a nested function, which in this case is called "__auth__", then that
nested function is turned into a callable object and is subsequently called to
determine if the user is able to perform the request.
In making the nested function callable, it uses "globals()". By using this
though
it is using the globals from the mod_python.publisher module and not the
module which the nested function is contained within. This means that the
following code will actually fail.
import xxx
def function(req):
def __auth__(req,username,password):
return xxx.auth(req,username,password)
This is because the module "xxx" imported at global scope within the module
isn't
available to the nested function when it is called as it is seeing the globals
of
mod_python.publisher instead. To get around the problem, the import has to be
local to the nested function.
def function(req):
def __auth__(req,username,password):
import xxx
return xxx.auth(req,username,password)
Since in this case the auth function being called is a nested function, we know
that
we can actually grab the globals for the correct module by getting
"func_globals"
from the enclosing function.
if "__auth__" in func_code.co_names:
i = list(func_code.co_names).index("__auth__")
__auth__ = func_code.co_consts[i+1]
if hasattr(__auth__, "co_name"):
__auth__ = new.function(__auth__, object.func_globals)
found_auth = 1
Ie., instead of "globals()", use "object.func_globals" where "object is the
enclosing
function object.
Environment:
Assign To: Graham Dumpleton
> mod_python.publisher auth functions access to globals
> -----------------------------------------------------
>
> Key: MODPYTHON-43
> URL: http://issues.apache.org/jira/browse/MODPYTHON-43
> Project: mod_python
> Type: Improvement
> Components: publisher
> Versions: 3.1.4
> Reporter: Graham Dumpleton
> Assignee: Graham Dumpleton
> Priority: Minor
> Fix For: 3.3
> Attachments: grahamd_20060224_MP43_1.diff
>
> In the mod_python.publisher code, the code for performing basic authentication
> has in a few spots code of the form:
> if "__auth__" in func_code.co_names:
> i = list(func_code.co_names).index("__auth__")
> __auth__ = func_code.co_consts[i+1]
> if hasattr(__auth__, "co_name"):
> __auth__ = new.function(__auth__, globals())
> found_auth = 1
> What this does is that if the target of the request is a function and that
> function
> contains a nested function, which in this case is called "__auth__", then that
> nested function is turned into a callable object and is subsequently called to
> determine if the user is able to perform the request.
> In making the nested function callable, it uses "globals()". By using this
> though
> it is using the globals from the mod_python.publisher module and not the
> module which the nested function is contained within. This means that the
> following code will actually fail.
> import xxx
> def function(req):
> def __auth__(req,username,password):
> return xxx.auth(req,username,password)
> This is because the module "xxx" imported at global scope within the module
> isn't
> available to the nested function when it is called as it is seeing the
> globals of
> mod_python.publisher instead. To get around the problem, the import has to be
> local to the nested function.
> def function(req):
> def __auth__(req,username,password):
> import xxx
> return xxx.auth(req,username,password)
> Since in this case the auth function being called is a nested function, we
> know that
> we can actually grab the globals for the correct module by getting
> "func_globals"
> from the enclosing function.
> if "__auth__" in func_code.co_names:
> i = list(func_code.co_names).index("__auth__")
> __auth__ = func_code.co_consts[i+1]
> if hasattr(__auth__, "co_name"):
> __auth__ = new.function(__auth__, object.func_globals)
> found_auth = 1
> Ie., instead of "globals()", use "object.func_globals" where "object is the
> enclosing
> function object.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
