[Zope] From ColdFusion to Zope: help with <dtml-if>?

Farrell, Troy troy.farrell@wcg.com
Thu, 19 Jul 2001 14:44:35 -0500


It sounds to me like you need something like this in an external method:

import os.path

def ExternalFile(REQUEST):
  # Do security checks on REQUEST.filename
  # and REQUEST.oldfile
  # here
  if os.path.exists(REQUEST.filename) and os.path.isfile(REQUEST.filename):
    file = open(REQUEST.filename,'rb')
  elif os.path.exists(REQUEST.oldfile) and os.path.isfile(REQUEST.oldfile):
    file = open(REQUEST.oldfile,'rb')
  else:
    # neither the current nor the previous file is on disk
    raise IOError('neither %s nor %s exists' % (REQUEST.filename, REQUEST.oldfile))
  buffer = file.read()
  file.close()
  REQUEST.RESPONSE.setHeader('Content-Type','application/pdf')
  return buffer

where REQUEST.filename is the current filename and REQUEST.oldfile is the
previous file.  Adjust the REQUEST.RESPONSE.setHeader to match your
filetype.
There are some _serious_ security concerns.  I don't know regexps well
enough, but you should definitely use them to parse REQUEST.filename and
ensure that when you take the path to the file from the REQUEST variable,
you aren't giving away good files.  If you don't take care, I can use this
to get
http://yourserver/ExternalFile?filename=C:\My%20Documents\Confidential.doc ,
or on a unix box, if Zope is running as root to run on port 80, I'll do a
http://yourserver/ExternalFile?filename=/etc/passwd and
http://yourserver/ExternalFile?filename=/etc/shadow .  The method above is
not secure.  YOU COULD GET BITTEN REALLY BAD IF YOU DON'T MODIFY THE METHOD
ABOVE.  That said, this is more along the lines of what you want.  The
filenames are stored in REQUEST because that's where ZSQL methods work.

Troy
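
The path check that Troy's message says the external method still needs, written out as an added example (this is not Troy's code and not part of Zope or the original thread). It assumes the report files all live under one base directory (a hypothetical REPORTS_DIR); the caller passes the base directory plus the "current" and "previous" names from the database, and the Zope REQUEST/RESPONSE glue is left out so the function runs as plain Python. The idea is to confine the requested name to the base directory instead of trying to enumerate bad patterns with a regexp: absolute paths are refused, the joined path is resolved with realpath, and anything that resolves outside the base is rejected before the filesystem is touched for a read. The fallback to the previous file and the Content-Type selection from the other replies are folded in as well.

```python
import mimetypes
import os
import tempfile


def safe_join(base_dir, requested):
    """Return the absolute path of `requested` inside `base_dir`, or None.

    None means the name is empty, absolute, or resolves (via '..' or a
    symlink) to somewhere outside base_dir, so it must not be served.
    """
    if not requested:
        return None
    # Absolute names would ignore base_dir entirely (/etc/passwd, C:\...).
    if os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # commonpath raises when the two paths are on different drives
        return None
    return candidate


def pick_report(base_dir, filename, oldfile):
    """Return (path, label) for the first of filename/oldfile that exists
    inside base_dir, label being 'current' or 'previous'; (None, None) if
    neither is present or both are rejected by safe_join."""
    for label, name in (("current", filename), ("previous", oldfile)):
        path = safe_join(base_dir, name)
        if path is not None and os.path.isfile(path):
            return path, label
    return None, None


def content_type_for(path):
    """Pick the Content-Type from the extension instead of hard-coding PDF."""
    return mimetypes.guess_type(path)[0] or "application/octet-stream"


def read_report(base_dir, filename, oldfile):
    """Return (content_type, bytes) for the report to serve, or raise IOError.

    In a Zope external method the caller would do
    REQUEST.RESPONSE.setHeader('Content-Type', content_type) and return bytes.
    """
    path, _ = pick_report(base_dir, filename, oldfile)
    if path is None:
        raise IOError("no report available for %r / %r" % (filename, oldfile))
    with open(path, "rb") as fh:
        return content_type_for(path), fh.read()


def build_sample_dir():
    """Create a throwaway base directory with two constructed report files
    (sample data for the example, not real reports) and return its path."""
    base = os.path.join(tempfile.mkdtemp(), "reports")
    os.mkdir(base)
    for name in ("2001-07.pdf", "2001-06.pdf"):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample " + name.encode())
    return base


if __name__ == "__main__":
    base = build_sample_dir()
    print(pick_report(base, "2001-07.pdf", "2001-06.pdf"))   # current file
    print(pick_report(base, "missing.pdf", "2001-06.pdf"))   # falls back
    print(safe_join(base, "/etc/passwd"))                    # None: absolute
    print(safe_join(base, "../../../../etc/passwd"))         # None: escapes
```

Because the check compares resolved paths rather than matching characters, it also stops escapes through symlinks inside the base directory, which a regexp on the raw name cannot see. If the database stores full paths rather than bare names, pass the base directory they all share and strip it before calling safe_join, so the stored value is never trusted as a path on its own.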

-----Original Message-----
From: Thomas B. Passin [mailto:tpassin@mitretek.org]
Sent: Thursday, July 19, 2001 8:22 AM
To: Zope@zope.org
Subject: Re: [Zope] From ColdFusion to Zope: help with <dtml-if>?


[Bob Campbell]

> I'm probably not explaining right, (certainly wouldn't be the first time).
> She is connecting through an ODBC connection and she can run a select *
and
> pull up all the links for the reports. The links are hardcoded in the db.
> When, for example, the Zope page is requested it runs the select all query
> and presents a list with dates and report name.(for 8 banks). That works
> fine....
> The problem comes in when she has to ask if a link to a file is
> available (it may or may not be) if it is then put it up, if it isn't, put
> up the old file.
>

If the variable is known to exist but might be an empty string, you can test
with a <dtml-if>:

<dtml-if filevar>...</dtml-if>

If the variable might or might not exist,  you can look up how to check for
the existence of a variable that might be known to a dtml page.

If you need to check the file system to see if a named file is actually
there, you need to use Python (as others have said) or install the LocalFS
product (easy to do).  LocalFS knows how to access the file system for you.

Cheers,

Tom P


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )