[Zope-dev] Possible Zope 2.12 regression - Five page templates use restrictedTraverse for TAL
Martin Aspeli
optilude+lists at gmail.com
Sun Dec 13 03:49:35 EST 2009
On 13/12/09 10:52, Tres Seaver wrote:
> Doesn't smell like a regression to me: the code there hasn't changed in
> a good long while. Can you write a test case for it, so that we can
> test against earlier versions?

Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html

This is the same problem.

You said:

"This is because
'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
'python:' expressions; path traversal is still governed by
'boboAwareZopeTraverse', which uses 'restrictedTraverse'."

and then:

"As it turns out, it is only "partially trusted." The attached patch
should make them "really trusted", at least for path expressions; does
it help? I haven't added any tests, although my 2.10 branch checkout
does pass all tests with this change"

The attachment is here:

http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachment.bin

I'm going to poke around a Zope 2.12 checkout for a bit to see what
sense I can make of this.

Martin
--
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book