On 13/12/09 10:52, Tres Seaver wrote:
> Doesn't smell like a regression to me: the code there hasn't changed in a good long while. Can you write a test case for it, so that we can test against earlier versions?

Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html

This is the same problem. You said:

"This is because 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts 'python:' expressions; path traversal is still governed by 'boboAwareZopeTraverse', which uses 'restrictedTraverse'."

and then:

"As it turns out, it is only "partially trusted." The attached patch should make them "really trusted", at least for path expressions; does it help? I haven't added any tests, although my 2.10 branch checkout does pass all tests with this change"

The attachment is here: http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachm...

I'm going to poke around a Zope 2.12 checkout for a bit to see what sense I can make of this.

Martin

--
Author of `Professional Plone Development`, a book for developers who want to work with Plone.
See http://martinaspeli.net/plone-book