Fix memory leak and DoS in ERP5Site.log() and Base.log()
ERP5Site.log and Base.log are wrappers to the 'log' function from Product.ERP5Type.Log, but parameters were forwarded in a wrong way when called with a single argument:

  self.log(message) # Base method

This was equivalent to:

  log(message, '') # function from Product.ERP5Type.Log

And the whole message was later part of subsystem in:

  logger = logging.getLogger(subsystem)

But because loggers are never freed, it is important that 'subsystem' does not vary too often, to avoid a memory leak.

The fix is to simply forward parameters with catchall arguments, instead of duplicating the signature from Product.ERP5Type.Log.

Of course, it remains important to call these methods correctly, otherwise memory leaks can happen again. For this reason, catchall arguments also prevent ERP5Site.log and Base.log from being called by ZPublisher.

Reported-by: Kirill Smelkov <kirr@nexedi.com>
Reviewed-by: Kirill Smelkov <kirr@nexedi.com>
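An added example, not code from the ERP5 project, that reproduces the leak the commit message describes with a simplified stand-in for Product.ERP5Type.Log.log: the stand-in's single-argument behaviour, the 'ERP5' default subsystem and the BuggyBase/FixedBase wrapper classes are assumptions, while the unbounded logging.Logger.manager.loggerDict cache is real CPython behaviour.

```python
import itertools
import logging

_MARKER = object()
_unique = itertools.count()


def log(description, content=_MARKER, level=logging.INFO):
    """Simplified stand-in (assumption) for Product.ERP5Type.Log.log.

    With one argument the text is the message and goes to a fixed
    subsystem; with two arguments the first one is the subsystem name.
    """
    if content is _MARKER:
        subsystem, message = 'ERP5', description
    else:
        subsystem, message = description, content
    # Loggers are cached in logging.Logger.manager.loggerDict and never
    # freed, so every new subsystem name is a permanent allocation.
    logging.getLogger(subsystem).log(level, '%s', message)


class BuggyBase:
    """Wrapper before the fix: duplicates the signature of log()."""
    def log(self, description, content='', level=logging.INFO):
        # self.log(message) becomes log(message, ''): the message is now
        # the subsystem, so each distinct message creates a new logger.
        log(description, content, level)


class FixedBase:
    """Wrapper after the fix: catch-all forwarding."""
    def log(self, *args, **kw):
        # Arguments reach log() untouched, so log(message) stays
        # log(message). *args/**kw also stop ZPublisher from mapping
        # request parameters onto this method.
        log(*args, **kw)


def logger_growth(wrapper, n):
    """Return how many loggers n single-argument calls leave behind."""
    before = len(logging.Logger.manager.loggerDict)
    for _ in range(n):
        wrapper.log('request %d took too long' % next(_unique))
    return len(logging.Logger.manager.loggerDict) - before


if __name__ == '__main__':
    print('buggy:', logger_growth(BuggyBase(), 100))  # 100 new loggers
    print('fixed:', logger_growth(FixedBase(), 100))  # at most 1 ('ERP5')
```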