On 13/12/09 10:52, Tres Seaver wrote:

> Doesn't smell like a regression to me:  the code there hasn't changed in
> a good long while.  Can you write a test case for it, so that we can
> test against earlier versions?

Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html

This is the same problem.

You said:

"This is because
'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
'python:' expressions;  path traversal is still governed by
'boboAwareZopeTraverse', which uses 'restrictedTraverse'."

and then:

"As it turns out, it is only "partially trusted."  The attached patch
should make them "really trusted", at least for path expressions;  does
it help?  I haven't added any tests, although my 2.10 branch checkout
does pass all tests with this change"

The attachment is here:


I'm going to poke around a Zope 2.12 checkout for a bit to see what 
sense I can make of this.


Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope )
