15 Sep 2000, 7:45 p.m.
Steve Alexander writes:
I'm hacking around with some external methods called aq_containment and aq_context.
I just found out that I can't call them from DTML. I can call them from the URL line of a browser just fine.
If I rename them to a_containment and a_context, they work from DTML.
I guess there's something in Acquisition.c that reserves all aq_.* names.

The code is in "AccessControl.ZopeSecurityPolicy.validate". It allows access to "aq_explicit" and "aq_parent" only.

I am a bit astonished that URL traversal is possible. Probably, this was not intended.

Dieter