Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Andreas Jung

--On Dienstag, 12. April 2005 16:18 Uhr +0100 Tim Hicks 
[EMAIL PROTECTED] wrote:

Hi,
I'm trying to import and use the email.Message.Message class in a zope
'Script (Python)'.
I have the following security assertions in my product code::
  from AccessControl import allow_module, allow_class
  from AccessControl import ModuleSecurityInfo
  ModuleSecurityInfo('email.Message').declarePublic('Message')
  from email.Message import Message
  allow_class(Message)
As a result, I can successfully import like::
  from email.Message import Message
I can even create an instance and call most methods on it::
  m = Message()
  m.set_payload('read that')
However, when I try to use the mapping interface, I get an error.  For
example, the following::
  m['from'] = '[EMAIL PROTECTED]'
produces a traceback like::
  Traceback (innermost last):
Module ZPublisher.Publish, line 101, in publish
Module ZPublisher.mapply, line 88, in mapply
Module ZPublisher.Publish, line 39, in call_object
Module Shared.DC.Scripts.Bindings, line 306, in __call__
Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
Module Products.PythonScripts.PythonScript, line 323, in _exec
Module None, line 6, in AAA
 - PythonScript at /test/AAA
 - Line 6
Module RestrictedPython.Guards, line 96, in handler
  TypeError: object does not support item or slice assignment
Does anyone have any idea what the problem is?
Move your code into an external method which is less painful than dealing
with module security issues. As an alternative: look at TrustedExecutables.
-aj

pgpIV267dYumO.pgp
Description: PGP signature
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Andreas Jung said:

 Module RestrictedPython.Guards, line 96, in handler
   TypeError: object does not support item or slice assignment

 Does anyone have any idea what the problem is?

 Move your code into an external method which is less painful than dealing
 with module security issues. As an alternative: look at
 TrustedExecutables.

Thanks Andreas.

I suppose I could move the code to a product (which I would prefer over an
external method), but it seems a little heavy-weight for my requirements.

In fact, generally, I think I would like to be able to use
email.Message.Message instances in TTW code, so if anyone does know what's
going wrong here, I'd be most pleased to hear.

Tim

ps Is it me or is the traceback I'm seeing not particularly helpful?  I
mean, I know that these objects *do* support the dictionary interface!
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Andreas Jung said:

 Module RestrictedPython.Guards, line 96, in handler
   TypeError: object does not support item or slice assignment

 Does anyone have any idea what the problem is?

Digging further...

I made the TypeError a little more revealing on line 96 of
RestrictedPython/Guards.py so it now shows the 'secattr' (method) being
accessed, and its args::

def handler(self, *args):
try:
f = getattr(self.ob, secattr)
except AttributeError:
raise TypeError, '%s | %s | %s' % (error_msg, secattr,
str(args))

The value of 'secattr' is apparently '__guarded_setitem__' in my case. 
So, it seems that the email.Message.Message class does not have a
__guarded_setitem__ on it.  This is unsurprising.  I assume that it is
supposed to get added during zope initialisation somewhere, right?  Can
anybody point out where?

Tim
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Security on email.Message.Message

2005-04-12 Thread Tim Hicks
Tim Hicks said:
 Andreas Jung said:

 Module RestrictedPython.Guards, line 96, in handler
   TypeError: object does not support item or slice assignment

 Does anyone have any idea what the problem is?

 Digging further...

 I made the TypeError a little more revealing on line 96 of
 RestrictedPython/Guards.py so it now shows the 'secattr' (method) being
 accessed, and its args::

 def handler(self, *args):
 try:
 f = getattr(self.ob, secattr)
 except AttributeError:
 raise TypeError, '%s | %s | %s' % (error_msg, secattr,
 str(args))

 The value of 'secattr' is apparently '__guarded_setitem__' in my case.
 So, it seems that the email.Message.Message class does not have a
 __guarded_setitem__ on it.  This is unsurprising.  I assume that it is
 supposed to get added during zope initialisation somewhere, right?  Can
 anybody point out where?

Well, I've fixed this with an awful hack.  My security assertions now look
like::

  from AccessControl import allow_module, allow_class
  from AccessControl import ModuleSecurityInfo

  def _secure_mapping(klass):
  XXX Awful hack!!
  
  klass.__guarded_getitem__ = klass.__getitem__
  klass.__guarded_setitem__ = klass.__setitem__
  klass.__guarded_delitem__ = klass.__delitem__

  ModuleSecurityInfo('email.Message').declarePublic('Message')
  from email.Message import Message
  _secure_mapping(Message)
  allow_class(Message)

That gets me to where I want (for now).  I'd still love the 'correct'
answer though.


Tim

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )