> I recently asked how to read in and render the contents of 
> an external file, which doesn't work anymore using 
> Zope 2.2.2 an LocalFS' xxx.read(), and You responded that
> > The quickest solution for you would be an external method
> > that gets the file, performs the "read" and returns the result.
> Now I use in an external method fsreadin a .py-module with
> import sys
> def readinfile (self, html):
>     """Ralf Herolds way to read in local file objects."""
>     file = open(html, "r")
>     filecontent = file.read()
>     file.close()
>     return filecontent
> which is referenced in a DTML method by 
> <dtml-var "fsreadin('/tmp/var/thewantedtext.html')">.
> It works, but I almost cannot believe that this is that 
> simple - am I missing something, is security a concern?

It *is* that simple. The only problem is security. That way, you can read
*any* file that has read permission for the user, the zope process is
running on, e.g. everybody could use something like
http://your.host/fsreadin?html='/etc/passwd' to view your password file.
If you want to read files only from one directory, you could use:

import sys, os, string
def readinfile (self, file):
    """Ralf Herolds way to read in local file objects."""
    file = open(path, "r")
    filecontent = file.read()
    return filecontent

This would ensure, that only files from /tmp/var can be read.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to