[ZCM] [ZC] 510/ 2 Comment "Python Script's traversal subpath bug"

Collector: Zope Bugs, Features, and Patches ... zope-coders@zope.org
Fri, 09 Aug 2002 09:33:42 -0400


Issue #510 Update (Comment) "Python Script's traversal subpath bug"
 Status Pending, Zope/bug+solution medium
To followup, visit:
  http://collector.zope.org/Zope/510

==============================================================
= Comment - Entry #2 by Caseman on Aug 9, 2002 9:33 am

How is it that aq_explicit is insecure and aq_base secure? I think it's the other way around. Unless of course you just mean that aq_explicit is available in "untrusted" code.

That said, I have always found aq_explicit to be unreliable at best and pathological at worst so I avoid using it.

Also, can you give a specific example that illustrates the incorrect behavior?
________________________________________
= Request - Entry #1 by d.maurer on Aug 9, 2002 7:38 am

When Python Scripts (more generally
"Shared.DC.Scripts.Bindings.Bindings" instances) have
"traversal_subpath" bound, then they should stop traversal when they
are hit and bind the remaining traversal steps to the
"traversal_subpath" variable. Of course, this should not happen when
the next traversal step is an attribute of the Python Script itself
(in order to ensure manageability of the script, among others).

The corresponding "Bindings.____before_publishing_traverse__" does not
work reliably when the Python Script is acquired. This is because it
uses the insecure "aq_explicit" rather than the secure "aq_base" in its
test whether the script has the next URL segment as attribute.

The fix is easy: replace "aq_explicit" by "aq_base"
in "Shared.DC.Scripts.Bindings.Bindings.____before_publishing_traverse__".

==============================================================