Re: [Zope] Security on email.Message.Message
--On Dienstag, 12. April 2005 16:18 Uhr +0100 Tim Hicks [EMAIL PROTECTED] wrote: Hi, I'm trying to import and use the email.Message.Message class in a zope 'Script (Python)'. I have the following security assertions in my product code:: from AccessControl import allow_module, allow_class from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('email.Message').declarePublic('Message') from email.Message import Message allow_class(Message) As a result, I can successfully import like:: from email.Message import Message I can even create an instance and call most methods on it:: m = Message() m.set_payload('read that') However, when I try to use the mapping interface, I get an error. For example, the following:: m['from'] = '[EMAIL PROTECTED]' produces a traceback like:: Traceback (innermost last): Module ZPublisher.Publish, line 101, in publish Module ZPublisher.mapply, line 88, in mapply Module ZPublisher.Publish, line 39, in call_object Module Shared.DC.Scripts.Bindings, line 306, in __call__ Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec Module Products.PythonScripts.PythonScript, line 323, in _exec Module None, line 6, in AAA - PythonScript at /test/AAA - Line 6 Module RestrictedPython.Guards, line 96, in handler TypeError: object does not support item or slice assignment Does anyone have any idea what the problem is? Move your code into an external method which is less painful than dealing with module security issues. As an alternative: look at TrustedExecutables. -aj pgpIV267dYumO.pgp Description: PGP signature ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security on email.Message.Message
Andreas Jung said: Module RestrictedPython.Guards, line 96, in handler TypeError: object does not support item or slice assignment Does anyone have any idea what the problem is? Move your code into an external method which is less painful than dealing with module security issues. As an alternative: look at TrustedExecutables. Thanks Andreas. I suppose I could move the code to a product (which I would prefer over an external method), but it seems a little heavy-weight for my requirements. In fact, generally, I think I would like to be able to use email.Message.Message instances in TTW code, so if anyone does know what's going wrong here, I'd be most pleased to hear. Tim ps Is it me or is the traceback I'm seeing not particularly helpful? I mean, I know that these objects *do* support the dictionary interface! ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security on email.Message.Message
Andreas Jung said: Module RestrictedPython.Guards, line 96, in handler TypeError: object does not support item or slice assignment Does anyone have any idea what the problem is? Digging further... I made the TypeError a little more revealing on line 96 of RestrictedPython/Guards.py so it now shows the 'secattr' (method) being accessed, and its args:: def handler(self, *args): try: f = getattr(self.ob, secattr) except AttributeError: raise TypeError, '%s | %s | %s' % (error_msg, secattr, str(args)) The value of 'secattr' is apparently '__guarded_setitem__' in my case. So, it seems that the email.Message.Message class does not have a __guarded_setitem__ on it. This is unsurprising. I assume that it is supposed to get added during zope initialisation somewhere, right? Can anybody point out where? Tim ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Security on email.Message.Message
Tim Hicks said: Andreas Jung said: Module RestrictedPython.Guards, line 96, in handler TypeError: object does not support item or slice assignment Does anyone have any idea what the problem is? Digging further... I made the TypeError a little more revealing on line 96 of RestrictedPython/Guards.py so it now shows the 'secattr' (method) being accessed, and its args:: def handler(self, *args): try: f = getattr(self.ob, secattr) except AttributeError: raise TypeError, '%s | %s | %s' % (error_msg, secattr, str(args)) The value of 'secattr' is apparently '__guarded_setitem__' in my case. So, it seems that the email.Message.Message class does not have a __guarded_setitem__ on it. This is unsurprising. I assume that it is supposed to get added during zope initialisation somewhere, right? Can anybody point out where? Well, I've fixed this with an awful hack. My security assertions now look like:: from AccessControl import allow_module, allow_class from AccessControl import ModuleSecurityInfo def _secure_mapping(klass): XXX Awful hack!! klass.__guarded_getitem__ = klass.__getitem__ klass.__guarded_setitem__ = klass.__setitem__ klass.__guarded_delitem__ = klass.__delitem__ ModuleSecurityInfo('email.Message').declarePublic('Message') from email.Message import Message _secure_mapping(Message) allow_class(Message) That gets me to where I want (for now). I'd still love the 'correct' answer though. Tim ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )