[ZPT] Path interpolation

Shane Hathaway shane@zope.com
Fri, 02 Aug 2002 14:52:17 -0400


Evan Simpson wrote:
> The detail is this: if "path:$x" uses simple string interpolation (which 
> the syntax strongly implies), then given x="a/b", this expression is 
> equivalent to "path:a/b".  This isn't a problem if you defined 'x', but 
> it's a potential security hole if 'x' came from an untrusted source.
> 
> For example, if you put the following into a template:
> 
>   <img tal:attributes="src here/images/foo_${request/foonum}" />
> 
> ..then a hostile request with query string "foonum=003/path/to/bar" 
> could cause traversal to an arbitrary object.

Steve A. has talked about this before, and I still don't see why this 
can be considered a security hole.  HTTP URLs passed to Zope "cause 
traversal to an arbitrary object".  So traversal is already a highly 
protected operation.  Why do page templates have to be further limited?

Shane
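The interpolation problem Evan describes above, simulated as an added example (not code from this thread or from Zope itself): a toy object tree stands in for `here`, a `path:`-style template is expanded by naive string substitution and then traversed, and a checked variant refuses any interpolated value that is not a single path segment. The tree contents, the `${...}` syntax handling, and the `SEGMENT` rule are all constructed for illustration.

```python
import re

# Constructed toy object tree standing in for the Zope folder `here`
# (example data only, not real Zope objects).
ROOT = {
    "here": {
        "images": {
            "foo_001": "<image foo_001>",
            "foo_003": {
                "path": {"to": {"bar": "<object the template author never meant to expose>"}},
            },
        },
    },
}

# The template from the quoted mail.
TEMPLATE = "here/images/foo_${request/foonum}"

_VAR = re.compile(r"\$\{([^}]*)\}")  # matches ${request/foonum}

# A value that may select one child of a container but never extend the path:
# no slashes, no leading dot (constructed rule for this example).
SEGMENT = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]*$")


def traverse(root, path):
    """Walk a slash-separated path through nested dicts; None if a step is missing."""
    node = root
    for segment in path.split("/"):
        if not segment:
            continue
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def expand_unsafe(template, variables):
    """Naive string interpolation, as the quoted mail warns: each ${name} is
    replaced verbatim, so a value containing '/' lengthens the traversal."""
    expanded = _VAR.sub(lambda m: str(traverse(variables, m.group(1))), template)
    return traverse(ROOT, expanded)


def expand_checked(template, variables):
    """Hardened variant: every interpolated value must be one path segment,
    so untrusted input can pick a sibling but cannot traverse any deeper."""
    def substitute(m):
        value = str(traverse(variables, m.group(1)))
        if not SEGMENT.match(value):
            raise ValueError("interpolated value is not a single path segment: %r" % value)
        return value
    expanded = _VAR.sub(substitute, template)
    return traverse(ROOT, expanded)


if __name__ == "__main__":
    benign = {"request": {"foonum": "001"}}
    hostile = {"request": {"foonum": "003/path/to/bar"}}  # the query string from the mail
    print("unsafe, benign :", expand_unsafe(TEMPLATE, benign))
    print("unsafe, hostile:", expand_unsafe(TEMPLATE, hostile))
    print("checked, benign:", expand_checked(TEMPLATE, benign))
    try:
        expand_checked(TEMPLATE, hostile)
    except ValueError as exc:
        print("checked, hostile: rejected ->", exc)
```

Run as a script it prints the benign lookup succeeding under both variants, the hostile value reaching `here/images/foo_003/path/to/bar` under naive interpolation, and the same value being rejected by the checked variant before any traversal happens. The segment check is one possible mitigation; it is not a description of what ZPT actually did in response to this thread.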