[Product-Developers] Plone(?) Zope(?) Python(?) HTTP(?) security question

Ken Winter ken at sunward.org
Sun Jun 14 16:56:19 UTC 2009

I'm not sure whether this question is about Plone, or Zope, or Python, or
maybe even HTTP.  I thought I would start here.  If this isn't the place to
ask this question, please point me down the technology stack to the right

I have written a Plone tool.  The tool has a public method called
submitRequest().  submitRequest() submits an HTTP request by calling the
httplib2 Http.request() method.  That method returns the HTTP response to
submitRequest() as a Python dict.  My tool's submitRequest() method simply
returns that dict.  

I have written a Python script, rdb_callback.py, that calls submitRequest(). 
The call works fine.  It returns the response dict.  The script can print
the response dict's contents to event.log just fine - the printout looks
like this:

2009-06-14T10:57:33 INFO rdb_callback.py: response = {'status': '200',
'content-length': '10', 'x-amz-id-2':
'x-cnection': 'close', 'server': 'AmazonS3', 'last-modified': 'Sun, 14 Jun
2009 15:57:33 GMT', 'x-amz-request-id': 'E28DD76138E8F97A', 'etag':
'"bab71c0770e5cafdfa00dfb26b4d94bb"', 'date': 'Sun, 14 Jun 2009 15:57:33
GMT', 'content-type': 'text/plain'}

But when the script tries to access any entry in the response dict - for
example doing an assignment like size = response["content-length"] - it
evokes a fatal "Insufficient Privileges" error.  (See end of this post for
the full traceback.)

So it seems like the response dict is carrying some kind of security lock
that has nothing to do with the security on the Plone tool, class, or method
that returned it.  (By the way, other methods in this same tool return dict
data structures to scripts with no such difficulties.)  

And indeed, after considerable hacking around, I found that the security
error goes away if I tweak submitRequest() to return a copy of the response
dict - in other words, if the last line of submitRequest() is return
response.copy() instead of just return response.

So I have a viable workaround.  But if anyone can explain the source of this
odd error, it seems worth understanding.

~ Ken

Here's the traceback:

2009-06-14T10:57:33 ERROR Zope.SiteErrorLog
Traceback (innermost last):
  Module ZPublisher.Publish, line 115, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 41, in call_object
  Module Products.CMFCore.FSPythonScript, line 108, in __call__
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.CMFCore.FSPythonScript, line 164, in _exec
  Module None, line 42, in rdb_callback
   - <FSPythonScript at /groups/rdb_callback used for
   - Line 42
  Module AccessControl.ZopeGuards, line 71, in guarded_getitem
  Module AccessControl.ImplPython, line 565, in validate
  Module AccessControl.ImplPython, line 335, in validate
  Module AccessControl.ImplPython, line 810, in raiseVerbose
Unauthorized: The container has no security assertions.  Access to None of
{'status': '200', 'content-length': '10', 'x-amz-id-2':
'x-cnection': 'close', 'server': 'AmazonS3', 'last-modified': 'Sun, 14 Jun
2009 15:57:33 GMT', 'x-amz-request-id': 'E28DD76138E8F97A', 'etag':
'"bab71c0770e5cafdfa00dfb26b4d94bb"', 'date': 'Sun, 14 Jun 2009 15:57:33
GMT', 'content-type': 'text/plain'} denied.

View this message in context: http://n2.nabble.com/Plone%28-%29-Zope%28-%29-Python%28-%29-HTTP%28-%29-security-question-tp3076223p3076223.html
Sent from the Product Developers mailing list archive at Nabble.com.
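Editor's note with an added example (not code from the post, from Zope, or from httplib2). The behaviour Ken describes comes from how Zope's AccessControl validates item access from a restricted Python Script: `guarded_getitem` looks the container's exact type up in the `ContainerAssertions` registry, where `dict` is registered as safe, and a type that is missing there and carries no `__allow_access_to_unprotected_subobjects__` declaration raises the "The container has no security assertions" Unauthorized seen in the traceback. `httplib2.Http.request()` does not return a plain dict but an `httplib2.Response`, a dict subclass, and the registry lookup is by exact type, so the subclass gets no entry. `dict.copy()` (like `dict(response)`) returns a plain `dict`, which is why the workaround removes the error. The block below models that check with a small stand-in registry and a stand-in `Response` class (both assumptions, named as such in comments, not the real Zope or httplib2 objects), using the header dict from the post as constructed sample data:

```python
# Added example: a simplified model of Zope's container check for item
# access from restricted code.  The registry, guard and Response class
# below are stand-ins written for this illustration, not Zope's or
# httplib2's own code.


class Unauthorized(Exception):
    """Stand-in for AccessControl.unauthorized.Unauthorized."""


# Stand-in for AccessControl.SimpleObjectPolicies.ContainerAssertions.
# The real registry is keyed by exact type, so a subclass of dict does
# NOT inherit the entry that makes dict item access allowed.
CONTAINER_ASSERTIONS = {dict: 1, list: 1, tuple: 1, str: 1}


def guarded_getitem(container, key):
    """Model of ZopeGuards.guarded_getitem followed by validate().

    1. fetch the value,
    2. look the container's exact type up in the assertions registry,
    3. otherwise look for __allow_access_to_unprotected_subobjects__,
    4. with neither present, deny with the message from the traceback.
    """
    value = container[key]
    assertions = CONTAINER_ASSERTIONS.get(type(container))
    if assertions is None:
        assertions = getattr(
            container, '__allow_access_to_unprotected_subobjects__', None)
    if not assertions:
        raise Unauthorized(
            "The container has no security assertions. "
            "Access to %r of %r denied." % (key, container))
    return value


class Response(dict):
    """Stand-in for httplib2.Response: a dict subclass holding headers."""

    def __init__(self, info):
        dict.__init__(self, info)
        self.status = int(info.get('status', 200))


class OpenResponse(Response):
    """The same subclass with Zope's opt-in declaration added (assumed
    alternative to copying, not something the post tried)."""
    __allow_access_to_unprotected_subobjects__ = 1


# Constructed sample, taken from the header dict printed in the post.
SAMPLE_HEADERS = {
    'status': '200',
    'content-length': '10',
    'x-cnection': 'close',
    'server': 'AmazonS3',
    'last-modified': 'Sun, 14 Jun 2009 15:57:33 GMT',
    'x-amz-request-id': 'E28DD76138E8F97A',
    'etag': '"bab71c0770e5cafdfa00dfb26b4d94bb"',
    'date': 'Sun, 14 Jun 2009 15:57:33 GMT',
    'content-type': 'text/plain',
}


def access_without_copy():
    """Item access on the subclass itself: returns the denial message."""
    resp = Response(SAMPLE_HEADERS)
    try:
        guarded_getitem(resp, 'content-length')
    except Unauthorized as exc:
        return str(exc)
    return None


def access_with_copy():
    """Ken's workaround: dict.copy() yields a plain dict, which passes."""
    resp = Response(SAMPLE_HEADERS)
    plain = resp.copy()
    assert type(plain) is dict  # copy() drops the subclass
    return guarded_getitem(plain, 'content-length')


def access_with_declared_assertion():
    """Alternative: declare the subclass safe instead of copying it."""
    return guarded_getitem(OpenResponse(SAMPLE_HEADERS), 'content-length')


if __name__ == '__main__':
    print(access_without_copy())
    print(access_with_copy())
    print(access_with_declared_assertion())
```

The check exists so that untrusted Python Scripts cannot reach into arbitrary objects a tool happens to return; returning a plain `dict` of header strings is a reasonable way to hand that data to restricted code, since it exposes nothing beyond the header values themselves. Declaring `__allow_access_to_unprotected_subobjects__` on a response class instead would open every attribute of that object to scripts, so copying is the narrower of the two fixes.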
