Launchpad itself

zope3 lacks security declaration for StringIO.StringIO

Bug #5133 reported by Guilherme Salgado
2
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Low
Colin Watson
Zope 3
Invalid
Undecided
Unassigned

Bug Description

We need this declaration, otherwise we can't make any use of security-proxied objects of this type

For now, this declaration will be in launchpad/webapp/bug-5133.zcml. Please remove it when this bug is fixed.

See original description

Related branches

~cjwatson/launchpad:py3-io-security
Thiago F. Pappacena (community): Approve
Diff: 31 lines (+0/-15)
2 files modified
dev/null (+0/-14)
lib/lp/services/webapp/configure.zcml (+0/-1)
Guilherme Salgado (salgado)
Changed in launchpad:
assignee: nobody → stub
Revision history for this message
Stuart Bishop (stub) wrote : Re: [Bug 5133] zope3 should have security declarations for cStringIO.OutputType and cStringIO.InputType

Guilherme Salgado wrote:
> Public bug report changed:
> https://launchpad.net/malone/bugs/5133
>
> Changed in: Launchpad (upstream)
> Assignee: (unassigned) => Stuart Bishop

Hmm... Zope3 doesn't use cStringIO because it isn't Unicode aware. Are you
using it in a safe way?

--
Stuart Bishop <email address hidden> http://www.canonical.com/
Canonical Ltd. http://www.ubuntu.com/

Revision history for this message
Guilherme Salgado (salgado) wrote : Re: [Bug 5133] zope3 should have security declarations for cStringIO.OutputType and cStringIO.InputType

> Hmm... Zope3 doesn't use cStringIO because it isn't Unicode aware. Are you
> using it in a safe way?
>

Oooops, forgot this detail. I'm not using it in a safe way. I guess I'll
have to use StringIO.StringIO in this case, then.

Guilherme Salgado (salgado)
description: updated
Revision history for this message
Dafydd Harries (daf) wrote : Re: zope3 should have security declaration for StringIO.StringIO

In that case, should this bug be rejected, or is there still something to be fixed?

Revision history for this message
Guilherme Salgado (salgado) wrote :

No, it shouldn't be rejected. After Stuart's comment I realized I should, in fact, be using StringIO.StringIO, but zope3 doesn't have security declarations for that either, so I changed the bug report to say that we need security declarations for StringIO.StringIO.

Revision history for this message
Dafydd Harries (daf) wrote :

Thanks for the clarification.

Changed in launchpad:
status: New → Accepted
Dafydd Harries (daf)
Changed in launchpad:
assignee: stub → launchpad-infrastructure
Robert Collins (lifeless)
Changed in launchpad:
importance: Medium → Low
summary: - zope3 should have security declaration for StringIO.StringIO
+ zope3 lacks security declaration for StringIO.StringIO
Revision history for this message
Colin Watson (cjwatson) wrote :

The zope3 project on Launchpad has been archived at the request of the Zope developers (see https://answers.launchpad.net/launchpad/+question/683589 and https://answers.launchpad.net/launchpad/+question/685285). If this bug is still relevant, please refile it on an appropriate project under https://github.com/zopefoundation.

Changed in zope3:
status: New → Invalid
Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Revision history for this message
Colin Watson (cjwatson) wrote :

This security declaration turned out to no longer be needed in Launchpad and was an obstacle to porting to Python 3, so I've removed it.

Changed in launchpad:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.