Steve Alexander writes:
 > I'm hacking around with some external methods called aq_containment and
 > aq_context.
 > I just found out that I can't call them from DTML. I can call them from
 > the URL line of a browser just fine.
 > If I rename them to a_containment and a_context, they work from DTML.
 > I guess there's something in Acquisistion.c that reserves all aq_.*
 > names.
The code is in "AccessControl.ZopeSecurityPolicy.validate".
It allows access to "aq_explicit" and "aq_parent" only.

I am a bit astonished that URL traversal is possible.
Probably, this was not intended.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to