[Zope] Can I trust the variables?

Dieter Maurer dieter@handshake.de
Tue, 27 Mar 2001 23:04:44 +0200 (CEST)


Jan-Frode Myklebust writes:
 > On Mon, Mar 26, 2001 at 08:02:12PM +0200, Dieter Maurer wrote:
 > > Jan-Frode Myklebust writes:
 > >  > .... Can I trust that f.ex. URL/URLn/URLPATHn are from where the external
 > >  > method was called, and not set by the user via http-headers? 
 > > We recently discovered a bug in Zope (--> list archives):
 > > 
 > >   a REQUEST parameter named URL lets Zope create a really
 > >   strange URL.
 > >   In Zope 2.3, URL<i> and friends are not affected.
 > > 
 > > HTTP headers should not be a problem, as they are prefixed with
 > > "HTTP_".
 > > 
 > 
 > I'm not sure if I understood that right.. Where is the URLn variable set? On
 > the client side, or on the server side after the client has requested an 
 > external method? 
The URLn (and friends) are set by ZPublisher during URL
traversal (details:

  URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html

).

But, due to a bug in Zope (at least until 2.3.1),
a parameter (inside the HTTP request, i.e.
under client control) named "URL" influences
the generation of the URL variable in Zope.
To stress it again: this is a bug; it should
not be but it is.

Look in the list archive or Zope's Collector
for details.


Dieter