[mod_python] Publisher handler has a small problem...

Gregory Trubetskoy grisha at modpython.org
Thu Jan 11 01:04:50 EST 2001


Looks like a rather big problem to me...

I did some testing with ZPublisher, and it returns "Not Found" when trying
to access os, but does find string... 

I haven't studied the code yet to find out why. I'd rather there was a way
to solve this problem without anything like __publish__...

--
  Gregory (Grisha) Trubetskoy
       grisha at modpython.org

On 10 Jan 2001, Dave Cole wrote:

> If I make the following module hello.py available via the publisher
> handler:
> 
>         """ Publisher example """
>         import os
>         
>         def say(req, what="NOTHING"):
>             return "I am saying %s" % what        
> 
> Then a browser request which looks like this:
> 
>         /hello/os/renames?old=/tmp/blah&new=/tmp/blah1
> 
> will actually work (as the apache user).  I am fairly sure that this
> is not desirable...
> 
> If someone knows which modules you are importing in your code, they
> will be able to call any non-builtin function anywhere in the
> namespace.
> 
> Maybe the publisher handler should only allow objects to be published
> if they have some sort of special attribute, __publish__ for example.
> 
> - Dave
> 
> -- 
> http://www.object-craft.com.au
> 
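
Added example, not part of the original thread and not mod_python's own code: a minimal model of the attribute walk described in the report, next to one stricter resolver that needs no __publish__ marker. The resolver names and the in-memory copy of hello.py are assumptions made for illustration; nothing is ever called on the os module, the paths are only resolved.

```python
import types

# Constructed stand-in for the hello.py quoted above, built in memory.
HELLO_SRC = '''
import os

def say(req, what="NOTHING"):
    return "I am saying %s" % what
'''
hello = types.ModuleType("hello")
exec(HELLO_SRC, hello.__dict__)


def resolve_naive(module, path):
    """Model of the reported behaviour: getattr on every path segment."""
    obj = module
    for name in path.split("/"):
        obj = getattr(obj, name)
    return obj


def resolve_restricted(module, path):
    """Hypothetical stricter walk: no private names, no stepping into
    imported modules, and only callables defined in the published module."""
    obj = module
    for name in path.split("/"):
        if not name or name.startswith("_"):
            raise LookupError("not found: %r" % name)
        obj = getattr(obj, name, None)
        if obj is None or isinstance(obj, types.ModuleType):
            raise LookupError("not found: %r" % name)
    # Also rejects functions pulled in with "from x import y".
    if not callable(obj) or getattr(obj, "__module__", None) != module.__name__:
        raise LookupError("not published: %r" % path)
    return obj


def is_reachable(resolver, module, path):
    """True if the resolver maps the URL path to an object."""
    try:
        resolver(module, path)
        return True
    except (LookupError, AttributeError):
        return False
```
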



