yuppie wrote at 2006-3-15 11:23 +0100:
> ...
>Zope 2's checkValidId makes sure this doesn't happen with Zope 2 folder 
>methods, Zope 3's NameChooser makes sure this doesn't happen with Zope 3 
>folder views. Even the bad_id-patch described above doesn't allow
>overriding folder methods.

Maybe, the "checkValidId" should refuse to add an object with
an id that hides a view declared for this folder and not
reject any id that might (potentially) hide a view because
it starts with "@" or "+"...

This would prevent the security concerns you seem to have
and allow most ids to be accepted...

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )
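
The two policies contrasted in the message above, as an added sketch that is not code from Zope or from this thread. The function names, the declared view set and the candidate ids are constructed, and treating `@@name` and `++view++name` as the spellings that address a view is an assumption of this toy model.

```python
# Added illustration: a toy model, not Zope's checkValidId or NameChooser.
VIEW_PREFIXES = ("@@", "++view++")  # assumed spellings that address a view explicitly


class BadId(ValueError):
    """Raised when a proposed object id is refused."""


def view_name_of(candidate):
    """Return the view name a path segment would address, dropping a view prefix."""
    for prefix in VIEW_PREFIXES:
        if candidate.startswith(prefix):
            return candidate[len(prefix):]
    return candidate


def check_by_prefix(new_id):
    """Blanket policy: refuse every id that starts with '@' or '+'."""
    if new_id.startswith(("@", "+")):
        raise BadId("id %r starts with a reserved character" % new_id)


def check_by_declared_views(new_id, declared_views):
    """Proposed policy: refuse only ids that collide with a view declared for the folder."""
    if new_id in declared_views or view_name_of(new_id) in declared_views:
        raise BadId("id %r would hide a declared view" % new_id)


def accepted(check, ids, *args):
    """Return the ids that the given check lets through, in input order."""
    passed = []
    for candidate in ids:
        try:
            check(candidate, *args)
        except BadId:
            continue
        passed.append(candidate)
    return passed


# Constructed sample data: views declared for one folder, and ids a user might try.
DECLARED = {"+", "index.html", "manage_main"}
CANDIDATES = ["report", "+1-notes", "@home", "+", "@@index.html"]

if __name__ == "__main__":
    print("prefix policy accepts:  ", accepted(check_by_prefix, CANDIDATES))
    print("declared policy accepts:", accepted(check_by_declared_views, CANDIDATES, DECLARED))
```
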