In zope/app/publisher/http.zcml we have

  <class class="zope.publisher.http.URLGetter">
        attributes="get __getitem__ __str__" />

I think this should be zope.Public. Otherwise unauthorized users viewing an untrusted page template will get errors from a template that tries to do things like tal:attributes="action request/URL".

A non-public permission is particularly problematic because URLGetter doesn't have an __parent__ attribute; therefore, there's no context for someone to *get* zope.View in the current public zope 3 security policies (and even then, the context would be request, and where should *it* get a security context?)

Objections? I probably won't port this back to 3.3 unless folks request it, since I'm not sure if it is a bugfix (port) or a policy change (don't port).

I'm going to change this in the trunk now.
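For reference, this is what the proposed declaration looks like in ZCML. It is an added illustration, not the actual contents of zope/app/publisher/http.zcml; the `<require>` subdirective of `<class>` with an explicit `permission` attribute is assumed to be the form in use, and the surrounding `<configure>` wrapper is only there to make the fragment stand alone. Because every principal holds zope.Public, including the unauthenticated one, a template doing `tal:attributes="action request/URL"` (which traverses to the URLGetter and renders it via `__str__`) no longer depends on the request having a security context from which zope.View could be obtained.

```xml
<!-- Added illustration only; not the project's own http.zcml. -->
<configure xmlns="http://namespaces.zope.org/zope">

  <!-- Make the three attributes the post names reachable through the
       security proxy for every principal, including unauthenticated
       users viewing untrusted page templates. -->
  <class class="zope.publisher.http.URLGetter">
    <require
        permission="zope.Public"
        attributes="get __getitem__ __str__"
        />
  </class>

</configure>
```

The equivalent shorthand is `<allow attributes="get __getitem__ __str__" />` inside the same `<class>` element; `allow` is defined as `require` with the permission fixed to zope.Public, so either spelling yields the same checker.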

Zope3-dev mailing list