-----BEGIN PGP SIGNED MESSAGE-----
On 01/25/2011 12:19 PM, Vincent Pelletier wrote:
> In publish.py, unwrapMethod tried to find what can be used to publish an
> object. In a site, I had someone create a very-badly-named "func_code"
> external method in a place accessible by acquisition from every page on the
> site (this bad by itself, and I corrected it already). This caused
> unwrapMethod to think it can use any object directly for publishing, because
> elif getattr(unwrapped, 'func_code', None) is not None:
> and "unwrapped" is still in an acquisition context.
> Shouldn't the checks be done on unwrapped (from acquisition context) objects
> instead, to prevent such stupid mistake to have such a wide impact.
> I have the intuition that this could even be a security problem, allowing an
> unexpected object to be called instead of another, but I cannot come out with
> an example.
> Do you think there is anything to fix in zope.publisher ? If so, I'll open a
The 'zope.publisher' package doesn't know anything about
acquisition-wrapped objects: fixing this issue there would require
adding either a dependency on 'Acquisition' (a bad idea, I think) or
else adding logic like the 'im_func' bit which peeled away 'aq_self'
until all wrappers were gone (using knowleged of Acquisition's API /
semantics without importing it).
The Zope2-specific version of 'mapply()' (in 'ZPublisher.mapply') is the
right place to fix this issue, if it is to be fixed: it could ensure
that the acquisition wrapper was stripped away before calling
P.S. This issue is off-topic for the ZODB list: I have cross-posted
to 'zope-dev': please follow up there.
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
For more information about ZODB, see the ZODB Wiki:
ZODB-Dev mailing list - ZODB-Dev@zope.org