Graham Dumpleton
grahamd at dscpl.com.au
Mon Mar 14 21:51:02 EST 2005
Jorey Bump wrote ..

> It might sound like a lot of work, but with good planning it can set a
> solid foundation for future projects, thus saving a *lot* of time in the
> long run. By using this approach, along with dotted notation imports,
> explicit restriction of *from imported objects with __all__, and
> enclosing almost everything in functions, I haven't been affected by any
> of the recent security issues, including this one.

I would be intrigued to know how you think you weren't affected at all by the object traversal bug which was fixed in 3.1.4 if you were using publisher. If you were exporting any function, or method of an object, you would have potentially been affected even if your code was stored outside of the document tree.

Are you still running 3.1.3 on your web site? If you are, care to tell me some URLs of exported methods in your web application so I can see what I can find. Your most private data may not have been exposed if you were indeed careful, but other internal data could still have been which should not have.
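The point Graham is making, that merely exporting a function or a bound method gives a dotted-path resolver a foothold into objects the author never meant to publish, is easy to see in a stand-alone toy. The following is an added illustration written for this archive page; it is not mod_python's publisher code and not code from either poster, and it does not reproduce the exact resolution logic that 3.1.4 changed. All names in it (`Account`, `SECRET_DB_PASSWORD`, `naive_resolve`, `safe_resolve`, the `__all__` list) are constructed for the example, and it uses the Python 3 attribute names `__self__` and `__globals__` (the Python 2 of 2005 called them `im_self` and `func_globals`). The "naive" resolver walks every path segment with no checks; the "safe" one applies the kind of restrictions the thread discusses: only names in `__all__` may start a path, no underscore-prefixed segment is followed, and functions, methods and modules are endpoints rather than stepping stones.

```python
import types
from collections.abc import Mapping

# --- constructed "published" module contents ------------------------------
SECRET_DB_PASSWORD = "hunter2"   # constructed: module-level data never meant for the web


class Account:
    def __init__(self):
        self._balance = 100      # constructed: internal state, not meant to be published

    def show(self, req=None):
        return "balance is private"


account = Account()


def index(req=None):
    return "hello"


show = account.show              # a bound method deliberately exported for the URL /show

__all__ = ["index", "show"]      # the only names the author intends to expose


class TraversalError(LookupError):
    """Raised when a path segment cannot, or must not, be resolved."""


def _step(obj, segment):
    """One hop of the walk: item lookup for mappings, attribute lookup otherwise."""
    try:
        if isinstance(obj, Mapping):
            return obj[segment]
        return getattr(obj, segment)
    except (KeyError, AttributeError):
        raise TraversalError(segment)


def naive_resolve(root, path):
    """Follow every '/' segment with no policy at all.

    This is the traversal-prone shape: a bound method exposes the object it is
    bound to via __self__, and a plain function exposes the whole module
    namespace via __globals__."""
    obj = root
    for segment in filter(None, path.split("/")):
        obj = _step(obj, segment)
    return obj


# Objects that may be reached as a final target but never traversed through.
_OPAQUE = (types.FunctionType, types.MethodType, types.BuiltinFunctionType,
           types.BuiltinMethodType, types.ModuleType)


def safe_resolve(root, path, exported):
    """Same walk with three rules: the first segment must be in `exported`,
    no segment may start with '_', and functions/methods/modules end the walk."""
    segments = [s for s in path.split("/") if s]
    if not segments or segments[0] not in exported:
        raise TraversalError("not exported: %r" % path)
    obj = root
    for segment in segments:
        if segment.startswith("_"):
            raise TraversalError("private name: %r" % segment)
        if isinstance(obj, _OPAQUE):
            raise TraversalError("cannot traverse through %r" % type(obj).__name__)
        obj = _step(obj, segment)
    return obj


def resolve_exported(path):
    """Resolve `path` against this module's namespace under the safe policy."""
    return safe_resolve(globals(), path, __all__)


def is_blocked(path):
    """True if the safe policy refuses `path`."""
    try:
        resolve_exported(path)
    except TraversalError:
        return True
    return False


def demo():
    """Return what the naive walk leaks for two classic traversal paths,
    and whether the safe walk blocks each of them."""
    ns = globals()
    paths = ["show/__self__/_balance", "index/__globals__/SECRET_DB_PASSWORD"]
    leaked = {p: naive_resolve(ns, p) for p in paths}
    blocked = {p: is_blocked(p) for p in paths}
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Both leaking paths start from a name that *is* in `__all__`, which is why keeping code outside the document tree and restricting `from` imports with `__all__` is not on its own a defence: the exported callable itself is the door. The safe resolver's third rule (stop at callables) is the one that matters most, since a private-name check alone can be sidestepped by any public attribute that happens to hold a reference to internal state.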