[on the subject of dtml picking the wrong context to look in first]

>>> I don't see a way to test this constraint, and it has proven impossible
>>> to avoid the problems using design rules. I recently checked some of
>>> our recent products using strategically placed debugging __getattr__
>>> hooks - with initially horrifying results.

Try applying this patch, which highlights every instance where it may
be possible to subvert the behaviour of a Zope application by adding a
carefully named property or subobject to the root folder.

A few minutes browsing through the management interface picked up over
200 incidents, listed at http://www.zope.org/Members/htrd/names

Many of these may be innocuous (and most are variations on a theme);
however, I am sure that many are undiscovered bugs.

*** Application.py      2000/07/21 09:45:37     1.1.1.3
--- Application.py      2000/09/26 14:36:04
***************
*** 194,201 ****
--- 194,207 ----

      def title_and_id(self): return self.title
      def title_or_id(self): return self.title

+     def __getattr__(self,id,reg={}):
+         if not reg.has_key(id):
+             print `id`
+             reg[id]=id
+         raise AttributeError(id)
+
      def __init__(self):
          # Initialize users
          uf=UserFolder()
          self.__allow_groups__=uf
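Review bot: The `__getattr__` hook fires for every attribute miss that reaches the root, not only for DTML lookups that fell through by acquisition, so the printed list also collects deliberate probes (hasattr()/getattr() with a default, and possibly special-name lookups such as `__len__` or `__call__`), which is why so many of the 200 names look innocuous. Two small changes would make the output easier to triage: skip names starting with `_` before the `print`, and on the first occurrence of each name also call `traceback.print_stack()` so the report shows which code performed the lookup. The `reg={}` default argument is being used on purpose as a process-wide seen-set (shared across threads and never cleared until restart; the unlocked check-then-set can at worst print a name twice), and a one-line comment saying so would stop a later reader from "fixing" it. Keep the final `raise AttributeError(id)` exactly as it is; it is what leaves normal behaviour unchanged.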



Toby Dickenson
[EMAIL PROTECTED]
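The class of bug the patch hunts for, as an added example that is not part of the original message or of Zope itself: a toy model of implicit acquisition in plain Python. The Node and Root classes, render(), build_site() and the optional 'disclaimer' property are all constructed for illustration. The root's `__getattr__` plays the role of the patch's hook, recording each name whose lookup fell all the way to the root (and the stack that got it there); the second half shows why such a name matters, since whoever can add a property of that name to the root silently satisfies every lookup below it.

```python
# Added example: a constructed model of Zope-style implicit acquisition and
# of the root-level __getattr__ audit hook from the patch. Not Zope code;
# Node, Root, render() and the 'disclaimer' property are illustrative names.
import traceback


class Node:
    """Container/sub-object whose attribute misses fall through to its parent."""

    def __init__(self, id, parent=None, **attrs):
        self.__dict__['id'] = id
        self.__dict__['_parent'] = parent
        self.__dict__.update(attrs)
        if parent is not None:
            parent.__dict__[id] = self  # register as a sub-object of parent

    def __getattr__(self, name):
        # Reached only when normal lookup fails: acquire from the container.
        parent = self.__dict__.get('_parent')
        if parent is None:
            raise AttributeError(name)
        return getattr(parent, name)


class Root(Node):
    """Root folder carrying the audit hook: every miss that reaches the root
    is recorded once (with the stack that caused it), then re-raised so
    behaviour is unchanged, as in the patch."""

    def __init__(self, **attrs):
        super().__init__('root', None, **attrs)
        self.__dict__['seen'] = {}  # stand-in for the patch's reg={} registry

    def __getattr__(self, name):
        # Internal/protocol probes (names starting with '_') are skipped so
        # the report lists application-level names only.
        if not name.startswith('_'):
            seen = self.__dict__['seen']
            if name not in seen:
                seen[name] = ''.join(traceback.format_stack(limit=4))
        raise AttributeError(name)


def render(doc):
    """Template-style rendering. The author treats 'disclaimer' as optional:
    a miss is taken to mean 'this document has no disclaimer'."""
    text = doc.body
    disclaimer = getattr(doc, 'disclaimer', None)
    if disclaimer is not None:
        text += '\n' + disclaimer
    return text


def build_site():
    """Constructed containment tree: root / docs / readme."""
    root = Root()
    folder = Node('docs', root, title='Docs')
    doc = Node('readme', folder, body='Hello')
    return root, doc


def unresolved_names(root):
    """Names that fell through to the root, i.e. the patch's printed list."""
    return sorted(root.seen)


def acquired_title(doc):
    # 'title' is not on the document; acquisition finds it on the folder,
    # so the lookup never reaches the root and is not reported.
    return doc.title


def shadow_attack(root, doc, payload):
    """Anyone allowed to add a property of a reported name to the root (or to
    any folder on the path) now controls that lookup for every object below
    it: the 'optional' disclaimer is supplied by the attacker."""
    setattr(root, 'disclaimer', payload)
    return render(doc)


if __name__ == '__main__':
    root, doc = build_site()
    print(acquired_title(doc))            # Docs
    print(render(doc))                    # Hello
    print(unresolved_names(root))         # ['disclaimer']
    print(shadow_attack(root, doc, 'INJECTED'))  # Hello\nINJECTED
```

Running the block first shows the clean lookup chain ('title' resolved one level up, 'disclaimer' reported at the root), then the shadowed result once a root property of the reported name exists; the recorded stack in `root.seen` is what lets each entry in a list like the one in the message be traced back to the code that performed the lookup.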

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
