[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py
Dieter Maurer
dieter at handshake.de
Thu Jan 15 18:20:44 EST 2004
Jim Fulton wrote at 2004-1-15 17:23 -0500:
>BTW, telling me that an algorithm has changed doesn't constitute
>a use case. :) I know that algorithm has changed. I assert that
>we don't need the feature that the change broke. I am open
>to evidence to the contrary.
Do you have a convincing reason to change the behaviour?
I argue here with consistency:
When the "setDefaultAccess" function is called, it should
always be called with sensible (and consistent) arguments.
In my view, it is not consistent that the function
is called with the attribute name when the attribute is accessed
via "attribute access syntax" but
called with "None" when the same attribute is accessed
via "item access syntax".
For security checks, the accessed object should be the driving factor
and not the particular way the access is made.
When we do not get this consistent, we open new hidden
security holes (as one must always think: can this
same object be accessed also in a different way
and how have I to secure this way).
--
Dieter
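
A toy model of the inconsistency argued in the message above, added here as an example; it is not code from Zope or from this thread. `Record`, `default_access`, `guarded_getattr`, `guarded_getitem` and the `PRIVATE` set are hypothetical names, and the policy's "allow when no name is given" fallback is an assumption made for illustration.

```python
# Toy model, not Zope code: every name here is hypothetical.
PRIVATE = {"password"}          # constructed sample policy data


class Record:
    """Object whose fields are reachable as attributes and as items."""

    def __init__(self, **fields):
        self.__dict__.update(fields)

    def __getitem__(self, key):
        return self.__dict__[key]


def default_access(name, value):
    """Per-name default policy for otherwise unprotected sub-objects."""
    if name is None:
        # No name available: a per-name rule cannot apply, so only a
        # blanket answer is possible. This toy policy answers "allow".
        return True
    return name not in PRIVATE


def guarded_getattr(obj, name):
    value = getattr(obj, name)
    if not default_access(name, value):
        raise PermissionError(name)
    return value


def guarded_getitem(obj, key, pass_name):
    value = obj[key]
    # pass_name=False models the call with None that the post objects to.
    if not default_access(key if pass_name else None, value):
        raise PermissionError(key)
    return value


def allowed(check, *args):
    """Return True when the guarded access succeeds, False when denied."""
    try:
        check(*args)
        return True
    except PermissionError:
        return False
```

With `pass_name=False` the item path hands out the same field that the attribute path denies; with `pass_name=True` both paths reach the same decision for the same object.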