On 07/02/2010 11:49 AM, Tres Seaver wrote:
> Jim has asserted (but not really explained) that the C extension closes
> some kind of security hole. I don't see any credible attack vector
> myself, but then I no longer believe it worthwhile to devote my own
> energy to defending against malicious TTW programmers.
FWIW, I imagine the problem is that zope.security treats
zope.i18nmessageid as a rock, so if the implementation is in Python, it
probably allows untrusted code to do this:
<built-in function __import__>
I suggest the bug is in zope.security, which should never allow a type
written in Python to be a rock.
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists -