Tres Seaver wrote:
Stuart Bishop wrote:

On 13/01/2004, at 4:19 PM, Stuart Bishop wrote:

The 'security audit work for the 2.7 branch' commit on 8th Jan made
the following change in PageTemplates/Expression.py:




As well as in other locations such as ZopeGuards.py.


I've opened http://collector.zope.org/Zope/1182 with some
example code.

I have trouble following this issue. I have no idea what the point of the attached code is.


Anyone know if None is being passed as the name in some locations?
I don't think it would be helpful for me to go around reversing
code changed by a security audit without some background.


I committed that change, but didn't do the original work. I did have a discussion with Jim which touched on it: the purpose of the change was to make access via '__getitem__' homogeneous across all keys / indexes, because (as we thought, anyway) there was not any reasonable use case for heterogeneous access.

Right. The name attribute was intended for attribute-based access.


IMO, it makes no sense to consider key values when doing security
checks.

I will let Jim comment on your use case.

What use case? I missed it. Where is it?


Jim

--
Jim Fulton           mailto:[EMAIL PROTECTED]       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org



_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
