On 07/02/2010 11:49 AM, Tres Seaver wrote:
> Jim has asserted (but not really explained) that the C extension closes
> some kind of security hole.  I don't see any credible attack vector
> myself, but then I no longer believe it worthwhile to devote my own
> energy to defending against malicious TTW programmers.

FWIW, I imagine the problem is that zope.security treats 
zope.i18nmessageid as a rock, so if the implementation is in Python, it 
probably allows untrusted code to do this:

 >>> msg.__setattr__.im_func.func_globals['__builtins__']['__import__']
<built-in function __import__>

I suggest the bug is in zope.security, which should never allow a type 
written in Python to be a rock.

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )

Reply via email to