[Zope-Coders] Re: [ZC] 510/ 2 Comment "Python Script's traversal subpath bug"

Dieter Maurer dieter@handshake.de
Fri, 9 Aug 2002 19:52:08 +0200


Collector: Zope Bugs, Features, and Patches ... writes:
 > How is it that aq_explicit is insecure and aq_base secure? I think it's the other way around. Unless of course you just mean that aq_explicit is available in "untrusted" code.
"aq_explicit" is insecure in the sense that "hasattr(o.aq_explicit,key)"
can return 1 even when "o" does not have an attribute "key".

Contrary to widespread assumptions, "aq_explicit" does not prevent
acquisition (more precisely, it does it only partially).

That's why you should always use "aq_base" when you want to check
whether or not an object has a given attribute, and why
Zope should provide a standard function "hasUnaquiredAttribute(obj,key)"
defined as "hasattr(aq_base(obj),key)".
 > 
 > That said, I have always found aq_explicit to be unreliable at best and pathological at worst so I avoid using it.

 > Also can you give a specific example that illustrates the incorrect behavior?
Consider the following structure:

	 PythonScript
	 Something
	 Folder/

Access URL: ".../Folder/PythonScript/Something"

It will not call "PythonScript" (with "traversal_subpath == ['Something']")
but "Something".


Dieter
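The point of the message above is that hasattr() on an acquisition wrapper answers "can this name be resolved through the containment chain?", not "does this object itself have this attribute?", so an existence check done on the wrapper is misleading and the check has to be done on aq_base(obj). The following is an added example, not code from the message or from Zope: it uses a deliberately small toy model of an implicit acquisition wrapper (the classes Base and Wrapper, and the functions aq_base, has_unacquired_attribute, build_tree and demo are all assumptions made for this example) rather than Zope's Acquisition package, and it models only implicit acquisition, not the partial acquisition that aq_explicit wrappers still perform.

```python
# Toy model of implicit acquisition, written for this example only.
# It is NOT Zope's Acquisition package and models only implicit
# acquisition; it does not model the partial acquisition that
# aq_explicit wrappers still perform.


class Base:
    """A plain object with its own attributes (an unwrapped object)."""

    def __init__(self, name, **attrs):
        self.name = name
        for key, value in attrs.items():
            setattr(self, key, value)


class Wrapper:
    """An acquisition wrapper: failed lookups fall back to the container chain."""

    def __init__(self, obj, parent):
        # object.__setattr__ keeps these out of __getattr__'s reach.
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_parent", parent)

    def __getattr__(self, key):
        # Only reached when normal lookup on the wrapper itself fails.
        obj = object.__getattribute__(self, "_obj")
        if hasattr(obj, key):
            return getattr(obj, key)
        parent = object.__getattribute__(self, "_parent")
        if parent is not None:
            # Acquire from the container; the parent is itself a Wrapper,
            # so this walks the whole chain up to the root.
            return getattr(parent, key)
        raise AttributeError(key)


def aq_base(obj):
    """Strip every wrapper and return the bare object (like Acquisition.aq_base)."""
    while isinstance(obj, Wrapper):
        obj = object.__getattribute__(obj, "_obj")
    return obj


def has_unacquired_attribute(obj, key):
    """The check proposed in the message: hasattr on the unwrapped object."""
    return hasattr(aq_base(obj), key)


def build_tree():
    """Constructed sample tree: root -> Folder -> PythonScript.

    Only the root actually owns an attribute named "Something"."""
    root = Wrapper(Base("root", Something="from root"), None)
    folder = Wrapper(Base("Folder"), root)
    script = Wrapper(Base("PythonScript"), folder)
    return root, folder, script


def demo():
    """Compare the naive wrapper check with the aq_base-based check."""
    root, folder, script = build_tree()
    return {
        # Attribute access on the wrapper silently acquires from the root.
        "acquired_value": script.Something,
        # The naive check says the script "has" Something; it does not.
        "hasattr_on_wrapper": hasattr(script, "Something"),
        # The check done on aq_base(script) gives the honest answer.
        "has_unacquired": has_unacquired_attribute(script, "Something"),
        # The root really owns it, so the strict check is True there.
        "root_has_own": has_unacquired_attribute(root, "Something"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Whenever the decision that follows the check is about the object itself (does this script define a hook, does this folder override a method), use the aq_base form; the wrapper form answers a question about the whole containment chain, which is rarely what an authorization or dispatch decision wants.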