[Zope-dev] Re: 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml
Richard Waid wrote: Basically, if you're using a ZPT with a content-type text/xml, using a TAL path expression to access an attribute or method causes a security violation (Unauthorized). It does not happen if the ZPT is using content-type text/html. Ah, guarded_getattr is doing something wrong with Unicode attribute names, though I'm not sure exactly what. http://collector.zope.org/Zope/1034/ Thanks for the pointer -- I've updated the bug. Cheers, Evan @ 4-am ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml
Until cAccessControl.c is fixed, you can work around the problem with a simple patch to Products/PageTemplates/Expressions.py, in restrictedTraverse(): if isinstance(name, TupleType): object = object(*name) continue + + name = str(name) if not name or name[0] == '_': # Skip directly to item access Cheers, Evan @ 4-am ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml
Evan Simpson wrote: Until cAccessControl.c is fixed, you can work around the problem with a simple patch to Products/PageTemplates/Expressions.py, in restrictedTraverse(): if isinstance(name, TupleType): object = object(*name) continue + + name = str(name) if not name or name[0] == '_': # Skip directly to item access Thanks Evan (definitely a better idea that turning off guarded_getattr anyway :)). Any hunches why it doesn't happen in 2.6.x? (maybe the xml didn't get converted to unicode?) I'd imagine that it's probably quite a pervasive bug -- comparing two strings is obviously quite a common situation ... just turned up by this particular situation. Just a quick grep turns up 50 instances of PyString_Check in the 2.7.0-b2 source, and 4 instances of PyUnicode_Check. cDocumentTemplate.c and UnicodeSplitter.c (no suprises there) seem to do the right thing. Pretty much every other c file needs to be checked. In particular cPersistence.c, cPickleCache.c, Acquisition.c, ComputedAttribute.c, ExtensionClass.c and cAccessControl.c all use PyString_Check, and they'd obviously be bad places for things to go wrong :) Best regards, Richard Waid Network/Software Engineer http://iopen.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )