Re: [Zope-dev] zope.i18messageid
On Mon, Jul 5, 2010 at 12:57 PM, Shane Hathaway wrote: > On 07/02/2010 11:49 AM, Tres Seaver wrote: >> Jim has asserted (but not really explained) that the C extension closes >> some kind of security hole. I don't see any credible attack vector >> myself, but then I no longer believe it worthwhile to devote my own >> energy to defending against malicious TTW programmers. > > FWIW, I imagine the problem is that zope.security treats > zope.i18nmessageid as a rock, so if the implementation is in Python, it > probably allows untrusted code to do this: > > >>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__'] > > > I suggest the bug is in zope.security, which should never allow a type > written in Python to be a rock. Although I wouldn't go so far as calling this a "bug", I like the idea of deciding whether to treat message ids as rocks depending on whether we're using the C implementation or not. Jim -- Jim Fulton ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] zope.i18messageid
On 07/02/2010 11:49 AM, Tres Seaver wrote: > Jim has asserted (but not really explained) that the C extension closes > some kind of security hole. I don't see any credible attack vector > myself, but then I no longer believe it worthwhile to devote my own > energy to defending against malicious TTW programmers. FWIW, I imagine the problem is that zope.security treats zope.i18nmessageid as a rock, so if the implementation is in Python, it probably allows untrusted code to do this: >>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__'] I suggest the bug is in zope.security, which should never allow a type written in Python to be a rock. Shane ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] zope.i18messageid
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Tres Seaver wrote:
> Chris McDonough wrote:
>> Fabio,
>
>> Within the last few months you committed the following change to
>> zope.i18nmessageid:
>
>> http://svn.zope.org/zope.i18nmessageid/trunk/setup.py?rev=102497&r1=101297&r2=102497
>
>> The commit message is "Fixed the compilation of the C extension with
>> python 2.6: refactored it as a setuptools Feature." Can I ask what
>> problem was being fixed with this commit?
>
>> It undid work I did in this revision:
>
>> http://svn.zope.org/zope.i18nmessageid/trunk/setup.py?rev=99669&r1=97948&r2=99669
>
>> I should have left a comment in there: the work was effectively there to
>> support building zope.i18nmessageid on Jython and other platforms like
>> GAE that do not support C extensions at all, even optionally. The
>> package no longer builds on Jython ("error: Setup script exited with
>> error: Compiling extensions is not supported on Jython"), although to be
>> honest I don't really understand why not. I'm hoping we can find a way
>> to retain whatever fix you were trying to make but still allow the
>> package to build on Jython, but I think I need to understand what
>> problem you were fixing first.
>
> I think there is a good case for making the C extension an "optional"
> setuptools feature: nobody acutally *needs* that extension built to
> have their application work.
>
> Jim has asserted (but not really explained) that the C extension closes
> some kind of security hole. I don't see any credible attack vector
> myself, but then I no longer believe it worthwhile to devote my own
> energy to defending against malicious TTW programmers.
>
> The change here is to remove 'standard=True' from the feature
> constructor. Developers who want the feature enabled can then build the
> egg via:
>
> $ python setup.py --with-codeoptimization bdist_egg
>
> We could then update the zc.recipe.egg:custom recipe to allow specifying
> features to be installed for a given egg.
I asked on the distutils SIG about the status of setuptools' Feature:
PJE basically said that they are deprecated / obsolete, which is why
they aren't documented.
I went ahead and packaged up the 'optional_build_ext' class which Chris
had previously inlined (into the setup.py of zope.i18nmessageid):
http://svn.zope.org/zope.optionalextension/
http://pypi.python.org/pypi/zope.optionalextension/1.1
The 1.1 release was to allow for using the package via 'setup_requires',
without having to install it manually first. Unfortunately, setuptools
stomps on the 'command_packages' lookup, which means it only (currently)
works under plain distutils, and then only if you have already installed it.
I plan to investigate further to fix that problem.
Tres.
- --
===
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design"http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkwvi5wACgkQ+gerLs4ltQ4bVQCdH2zuP2slSgnQ16GiWOnPT2xb
5IEAoLzW/Jq9BL2gL5VgSxt+HyRj6i9j
=8ayy
-END PGP SIGNATURE-
___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] zope.i18messageid
On 2010-7-2 19:49, Tres Seaver wrote: > The change here is to remove 'standard=True' from the feature > constructor. Developers who want the feature enabled can then build the > egg via: > >$ python setup.py --with-codeoptimization bdist_egg > > We could then update the zc.recipe.egg:custom recipe to allow specifying > features to be installed for a given egg. That would be a very welcome change for SQLAlchemy as well: it has an optional C extension to speed of marshalling data from SQL responses. Wichert. -- Wichert AkkermanIt is simple to make things. http://www.wiggy.net/ It is hard to make things simple. ___ Zope-Dev maillist - Zope-Dev@zope.org https://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] zope.i18messageid
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Chris McDonough wrote:
> Fabio,
>
> Within the last few months you committed the following change to
> zope.i18nmessageid:
>
> http://svn.zope.org/zope.i18nmessageid/trunk/setup.py?rev=102497&r1=101297&r2=102497
>
> The commit message is "Fixed the compilation of the C extension with
> python 2.6: refactored it as a setuptools Feature." Can I ask what
> problem was being fixed with this commit?
>
> It undid work I did in this revision:
>
> http://svn.zope.org/zope.i18nmessageid/trunk/setup.py?rev=99669&r1=97948&r2=99669
>
> I should have left a comment in there: the work was effectively there to
> support building zope.i18nmessageid on Jython and other platforms like
> GAE that do not support C extensions at all, even optionally. The
> package no longer builds on Jython ("error: Setup script exited with
> error: Compiling extensions is not supported on Jython"), although to be
> honest I don't really understand why not. I'm hoping we can find a way
> to retain whatever fix you were trying to make but still allow the
> package to build on Jython, but I think I need to understand what
> problem you were fixing first.
I think there is a good case for making the C extension an "optional"
setuptools feature: nobody acutally *needs* that extension built to
have their application work.
Jim has asserted (but not really explained) that the C extension closes
some kind of security hole. I don't see any credible attack vector
myself, but then I no longer believe it worthwhile to devote my own
energy to defending against malicious TTW programmers.
The change here is to remove 'standard=True' from the feature
constructor. Developers who want the feature enabled can then build the
egg via:
$ python setup.py --with-codeoptimization bdist_egg
We could then update the zc.recipe.egg:custom recipe to allow specifying
features to be installed for a given egg.
Tres.
- --
===
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design"http://palladion.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkwuJrEACgkQ+gerLs4ltQ6RbQCg1CMt5QlZV1DF45i0Elulu4+j
7QUAoL6DsbZOVElG15kLZBh9EbqJipc0
=D9/Y
-END PGP SIGNATURE-
___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] zope.i18messageid
Fabio,
Within the last few months you committed the following change to
zope.i18nmessageid:
http://svn.zope.org/zope.i18nmessageid/trunk/setup.py?rev=102497&r1=101297&r2=102497
The commit message is "Fixed the compilation of the C extension with
python 2.6: refactored it as a setuptools Feature." Can I ask what
problem was being fixed with this commit?
It undid work I did in this revision:
http://svn.zope.org/zope.i18nmessageid/trunk/setup.py?rev=99669&r1=97948&r2=99669
I should have left a comment in there: the work was effectively there to
support building zope.i18nmessageid on Jython and other platforms like
GAE that do not support C extensions at all, even optionally. The
package no longer builds on Jython ("error: Setup script exited with
error: Compiling extensions is not supported on Jython"), although to be
honest I don't really understand why not. I'm hoping we can find a way
to retain whatever fix you were trying to make but still allow the
package to build on Jython, but I think I need to understand what
problem you were fixing first.
- C
___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
