Hi.

In publish.py[1], unwrapMethod tries to find what can be used to publish an object. In a site, I had someone create a very-badly-named "func_code" external method in a place accessible by acquisition from every page on the site (this is bad by itself, and I corrected it already). This caused unwrapMethod to think it can use any object directly for publishing, because of:

    elif getattr(unwrapped, 'func_code', None) is not None:
        break

and "unwrapped" is still in an acquisition context.

Shouldn't the checks be done on unwrapped (from acquisition context) objects instead, to prevent such a stupid mistake from having such a wide impact?

I have the intuition that this could even be a security problem, allowing an unexpected object to be called instead of another, but I cannot come up with an example.

Do you think there is anything to fix in zope.publisher? If so, I'll open a bug.

[1] http://svn.zope.org/zope.publisher/trunk/src/zope/publisher/publish.py?view=markup

Regards,
--
Vincent Pelletier

_______________________________________________
For more information about ZODB, see the ZODB Wiki:
http://www.zope.org/Wikis/ZODB/

ZODB-Dev mailing list - ZODB-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zodb-dev
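The behaviour described in the message above, as an added example that is not part of the original message and is not zope.publisher or Acquisition code. `Wrapper`, `Folder`, `Page`, `Method` and both `looks_like_function*` helpers are hypothetical names in a toy model of acquisition; it compares the quoted `getattr` test on a wrapped object with the same test on the object stripped of its acquisition context.

```python
class Wrapper:
    """Toy acquisition wrapper (assumption): `obj` seen in the context of `parent`."""

    def __init__(self, obj, parent):
        self.aq_base = obj
        self.aq_parent = parent

    def __getattr__(self, name):
        # Reached only when normal lookup on the Wrapper itself fails.
        try:
            return getattr(self.aq_base, name)
        except AttributeError:
            # Acquisition: fall back to the containing object.
            return getattr(self.aq_parent, name)


class Folder:
    """Container; anything stored on it can be acquired by wrapped children."""


class Page:
    """Plain content object: has no func_code of its own."""


class Method:
    """Object that really does carry its own func_code."""
    func_code = object()  # constructed stand-in for a code object


def looks_like_function(obj):
    # Same test as the line quoted in the message.
    return getattr(obj, 'func_code', None) is not None


def looks_like_function_strict(obj):
    # Variant asked about in the message: test outside the acquisition context.
    base = getattr(obj, 'aq_base', obj)
    return getattr(base, 'func_code', None) is not None


def demo():
    site = Folder()
    page = Wrapper(Page(), site)
    before = looks_like_function(page)
    site.func_code = object()  # someone adds an object named "func_code"
    after = looks_like_function(page)
    strict_page = looks_like_function_strict(page)
    strict_method = looks_like_function_strict(Wrapper(Method(), site))
    return before, after, strict_page, strict_method
```

`demo()` shows the wrapped `Page` passing the quoted test only after the container gains a `func_code` attribute, while the strict variant still rejects it and still accepts an object that defines `func_code` itself.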