Gregory Trubetskoy
grisha at modpython.org
Thu Jan 11 01:04:50 EST 2001
Looks like a rather big problem to me...
I did some testing with ZPublisher, and it returns "Not Found" when trying
to access os, but does find string...
I haven't studied the code yet to find out why. I'd rather there was a way
to solve this problem without anything like __publish__...
--
Gregory (Grisha) Trubetskoy
grisha at modpython.org
On 10 Jan 2001, Dave Cole wrote:
> If I make the following module hello.py available via the publisher
> handler:
>
> """ Publisher example """
> import os
>
> def say(req, what="NOTHING"):
>     return "I am saying %s" % what
>
> Then a browser request which looks like this:
>
> /hello/os/renames?old=/tmp/blah&new=/tmp/blah1
>
> will actually work (as the apache user). I am fairly sure that this
> is not desirable...
>
> If someone knows which modules you are importing in your code, they
> will be able to call any non-builtin function anywhere in the
> namespace.
>
> Maybe the publisher handler should only allow objects to be published
> if they have some sort of special attribute, __publish__ for example.
>
> - Dave
>
> --
> http://www.object-craft.com.au
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://www.modpython.org/mailman/listinfo/mod_python
>
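
Added example (not part of the original thread, and not mod_python's or ZPublisher's code): a simplified attribute-walking resolver showing why the os/renames path under /hello resolves, next to one possible restriction that needs no __publish__ marker. The names HELLO_SRC, resolve_naive and resolve_restricted are hypothetical, and the check goes slightly beyond the post by also covering names brought in with "from os import ...".

```python
import os
import types

# Constructed copy of the hello.py module quoted in the post.
HELLO_SRC = '''
import os

def say(req, what="NOTHING"):
    return "I am saying %s" % what
'''
hello = types.ModuleType("hello")
exec(HELLO_SRC, hello.__dict__)


def resolve_naive(root, path):
    """Walk each URL segment with getattr, with no checks at all."""
    obj = root
    for name in path.strip("/").split("/"):
        obj = getattr(obj, name)
    return obj


def resolve_restricted(root, path):
    """Same walk, refusing private names, modules and foreign callables."""
    obj = root
    for name in path.strip("/").split("/"):
        if name.startswith("_"):
            raise LookupError("private name: %s" % name)
        obj = getattr(obj, name, None)
        if obj is None or isinstance(obj, types.ModuleType):
            raise LookupError("not publishable: %s" % name)
    # Expose only callables defined in the published module itself, which
    # also blocks names pulled in with "from os import rename".
    if callable(obj) and getattr(obj, "__module__", None) != root.__name__:
        raise LookupError("defined outside %s" % root.__name__)
    return obj


if __name__ == "__main__":
    print(resolve_naive(hello, "os/renames"))  # the os function is reachable
    print(resolve_restricted(hello, "say")(None, "hi"))
    try:
        resolve_restricted(hello, "os/renames")
    except LookupError as exc:
        print("refused:", exc)
```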