Dave Cole
djc at object-craft.com.au
Wed Jan 10 16:49:57 EST 2001
If I make the following module hello.py available via the publisher
handler:
    """ Publisher example """
    import os

    def say(req, what="NOTHING"):
        return "I am saying %s" % what
Then a browser request which looks like this:
/hello/os/renames?old=/tmp/blah&new=/tmp/blah1
will actually work (as the apache user). I am fairly sure that this
is not desirable...
If someone knows which modules you are importing in your code, they
will be able to call any non-builtin function anywhere in the
namespace.
Maybe the publisher handler should only allow objects to be published
if they have some sort of special attribute, __publish__ for example.
- Dave
--
http://www.object-craft.com.au
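The __publish__ idea from the message above, worked through as an added example (not code from the original post or from mod_python): a minimal publisher-style resolver that walks a request path such as "say" or "os/renames" and refuses to traverse into any object that is not explicitly marked with __publish__. The function names and the in-memory stand-in for hello.py are hypothetical, and the traversal is a simplified model of the real handler.

```python
import os
import types


class NotPublished(Exception):
    """Raised when a request path reaches an object not marked for publishing."""


def resolve_published(root, path):
    """Walk `path` from `root`, returning the target only if every object
    on the way, including the root, carries __publish__ = True.
    Modules reached by attribute traversal (like the imported `os`) have
    no such marker, so the walk stops there instead of exposing their
    functions (e.g. os.renames) to the request."""
    obj = root
    if not getattr(obj, "__publish__", False):
        raise NotPublished("root module is not published")
    for name in filter(None, path.split("/")):
        if name.startswith("_"):
            raise NotPublished("private name %r" % name)
        nxt = getattr(obj, name, None)
        if nxt is None or not getattr(nxt, "__publish__", False):
            raise NotPublished("%r is not published" % name)
        obj = nxt
    return obj


def make_hello_module():
    """Constructed stand-in for the hello.py module from the message."""
    hello = types.ModuleType("hello", "Publisher example")
    hello.os = os            # imported, but never marked __publish__

    def say(req, what="NOTHING"):
        return "I am saying %s" % what
    say.__publish__ = True   # explicitly opted in to publishing
    hello.say = say
    hello.__publish__ = True
    return hello


def demo():
    """Returns (result of the allowed call, whether os/renames was blocked)."""
    hello = make_hello_module()
    allowed = resolve_published(hello, "say")(None, "hi")
    try:
        resolve_published(hello, "os/renames")
        blocked = False
    except NotPublished:
        blocked = True
    return allowed, blocked
```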