    Fix memory leak and DoS in ERP5Site.log() and Base.log() · 34cb27f2
    Julien Muchembled authored
    ERP5Site.log and Base.log are wrappers to the 'log' function from
    Product.ERP5Type.Log, but parameters were forwarded in a wrong way
    when called with a single argument:
    
      self.log(message) # Base method
    
    This was equivalent to:
    
      log(message, '')  # function from Product.ERP5Type.Log
    
    And the whole message was later part of subsystem in:
    
      logger = logging.getLogger(subsystem)
    
    But because loggers are never freed, it is important that 'subsystem' does not
    vary too often, to avoid a memory leak.
    
    The fix is to simply forward parameters with catchall arguments, instead of
    duplicating the signature from Product.ERP5Type.Log.
    
    Of course, it remains important to call these methods correctly, otherwise
    memory leaks can happen again. For this reason, catchall arguments also
    prevent ERP5Site.log and Base.log from being called by ZPublisher.
    Reported-by: Kirill Smelkov <kirr@nexedi.com>
    Reviewed-by: Kirill Smelkov <kirr@nexedi.com>
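
The leak described in the commit message, reproduced as an added example (this is not ERP5 code). The `log` function below is a simplified stand-in: its sentinel default and its subsystem format are assumptions, and `LeakyBase`, `FixedBase` and `loggers_created` are hypothetical names.

```python
import logging

_MARKER = object()  # sentinel meaning "content was not passed" (assumed)


def log(description, content=_MARKER, level=logging.INFO):
    """Simplified stand-in for the wrapped log function (assumed shape)."""
    if content is _MARKER:
        # Single-argument call: the argument is the message itself.
        description, content = "", description
    # The description becomes part of the logger name.
    subsystem = ("demo " + description).strip()
    logging.getLogger(subsystem).log(level, "%s", content)


class LeakyBase:
    # Duplicated signature: the '' default replaces the callee's sentinel,
    # so self.log(message) turns into log(message, '').
    def log(self, description, content="", level=logging.INFO):
        return log(description, content, level)


class FixedBase:
    # Catchall forwarding: the callee receives exactly what the caller passed.
    def log(self, *args, **kw):
        return log(*args, **kw)


def loggers_created(obj, messages):
    """Return how many logger objects the calls added to the registry."""
    registry = logging.Logger.manager.loggerDict  # loggers are never removed
    before = len(registry)
    for message in messages:
        obj.log(message)
    return len(registry) - before


if __name__ == "__main__":
    # Constructed sample input: 1000 distinct messages.
    sample = ["request %d failed" % i for i in range(1000)]
    print("fixed wrapper:", loggers_created(FixedBase(), sample))
    print("leaky wrapper:", loggers_created(LeakyBase(), sample))
```

Watching the size of `logging.Logger.manager.loggerDict` over time is a cheap way to detect this class of leak in a long-running process.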
ERP5Site.py 84.3 KB