Le mercredi 26 janvier 2011 08:54:02, Vincent Pelletier a écrit :
For some reason, I didn't see your mail on zope-dev
As this mail reached the list, I think Tres' mail got caught by some filter.
Original mail was:
In publish.py[1], unwrapMethod tried to find what can be used to publish an
object. In a site, I had someone create a very-badly-named func_code
external method in a place accessible by acquisition from every page on the
site (this bad by itself, and I corrected it already). This caused
unwrapMethod to think it can use any object directly for publishing, because
of:
elif getattr(unwrapped, 'func_code', None) is not None:
break
and unwrapped is still in an acquisition context.
Shouldn't the checks be done on unwrapped (from acquisition context) objects
instead, to prevent such stupid mistake to have such a wide impact.
I have the intuition that this could even be a security problem, allowing an
unexpected object to be called instead of another, but I cannot come out with
an example.
Do you think there is anything to fix in zope.publisher[2] ? If so, I'll open
a bug.
[1]
http://svn.zope.org/zope.publisher/trunk/src/zope/publisher/publish.py?view=markup
[2] following Tres' answer, make this Zope2's mapply
Regards,
--
Vincent Pelletier
___
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
