On 07/02/2010 11:49 AM, Tres Seaver wrote:
> Jim has asserted (but not really explained) that the C extension closes
> some kind of security hole. I don't see any credible attack vector
> myself, but then I no longer believe it worthwhile to devote my own
> energy to defending against malicious TTW programmers.
FWIW, I imagine the problem is that zope.security treats zope.i18nmessageid as a rock, so if the implementation is in Python, it probably allows untrusted code to do this:

    >>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__']
    <built-in function __import__>

I suggest the bug is in zope.security, which should never allow a type written in Python to be a rock.

Shane

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )
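The check Shane is asking zope.security for, written out as an added example that is not part of the thread and not zope.security's own code. It uses Python 3 names (`__func__`, `__globals__`) in place of the Python 2 `im_func`/`func_globals` in the post, and a constructed `PyMessage` class stands in for a Python-implemented message id. `is_python_implemented` asks CPython whether the object's type is a heap type (one created by a `class` statement rather than in C), which is the property a "rock" policy would need to reject; `exposes_globals` is a secondary audit that reports which attribute, if any, leads from the object to a module `__globals__` dict holding `__builtins__`. The heap-type flag value and the policy of rejecting every Python-defined type are assumptions of this example.

```python
"""Decide whether an object may be treated as a zope.security-style "rock".

A rock is handed to untrusted code without a proxy, so its type must not
give access to module globals. Types defined in Python do: any bound
method on them carries ``__func__.__globals__``, which contains
``__builtins__``. This example detects that condition; it does not use it.
"""
import types

# CPython's Py_TPFLAGS_HEAPTYPE bit: set on types created at runtime from
# Python source, clear on types implemented in C (assumed constant, 1 << 9).
PY_TPFLAGS_HEAPTYPE = 1 << 9


class PyMessage:
    """Constructed stand-in for a Python-implemented, read-only message id."""

    def __init__(self, text):
        object.__setattr__(self, "text", text)

    def __setattr__(self, name, value):
        raise TypeError("PyMessage is immutable")


def is_python_implemented(obj):
    """True if type(obj) was defined in Python rather than in C."""
    return bool(type(obj).__flags__ & PY_TPFLAGS_HEAPTYPE)


def exposes_globals(obj):
    """Return the name of the first attribute through which a module
    globals dict (with ``__builtins__``) is reachable, or None.

    Only bound methods whose underlying object is a plain Python function
    have ``__globals__``; C-level methods and slot wrappers do not.
    """
    for name in dir(obj):
        try:
            attr = getattr(obj, name)
        except Exception:
            continue
        func = getattr(attr, "__func__", None)
        if isinstance(func, types.FunctionType) and "__builtins__" in func.__globals__:
            return name
    return None


def assert_rock_safe(obj):
    """Policy check: refuse to treat a Python-defined type as a rock.

    Returns obj unchanged when it passes; raises TypeError otherwise.
    """
    if is_python_implemented(obj):
        raise TypeError(
            "%s is implemented in Python and must not be a rock" % type(obj).__name__
        )
    return obj


if __name__ == "__main__":
    for candidate in ("plain str", 42, PyMessage("hello")):
        leak = exposes_globals(candidate)
        print(type(candidate).__name__, "python-implemented:",
              is_python_implemented(candidate), "leaks via:", leak)
```

A C-implemented type such as `str` passes both checks, which is consistent with the thread's observation that moving the message id type into a C extension closes the hole; the constructed `PyMessage` fails both. The heap-type test is the one to enforce in a rock policy, since `exposes_globals` only inspects attributes that `dir()` happens to list.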