Jan-Frode Myklebust writes:
On Mon, Mar 26, 2001 at 08:02:12PM +0200, Dieter Maurer wrote:
Jan-Frode Myklebust writes:
.... Can I trust that f.ex. URL/URLn/URLPATHn are from where the external method was called, and not set by the user via http-headers?

We recently discovered a bug in Zope (--> list archives): a REQUEST parameter named URL lets Zope create a really strange URL. In Zope 2.3, URL<i> and friends are not affected. HTTP headers should not be a problem, as they are prefixed with "HTTP_".
I'm not sure if I understood that right.. Where is the URLn variable set? On the client side, or on the server side after the client has requested an external method?

The URLn (and friends) are set by ZPublisher during URL traversal (details: URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html ). But, due to a bug in Zope (at least until 2.3.1), a parameter (inside the HTTP request, i.e. under client control) named "URL" influences the generation of the URL variable in Zope. To stress it again: this is a bug; it should not be but it is. Look in the list archive or Zope's Collector for details.

Dieter
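The following is an added illustration, not part of the thread and not Zope or ZPublisher code. It is a simplified model of the name collision discussed above: a client parameter named "URL" shadows a server-computed value, while a client header of the same name lands under an "HTTP_" key. The class names, the merge order and the sample values are assumptions made for the example.

```python
# Simplified model of a request namespace; hypothetical, not ZPublisher code.
TRAVERSED = "http://site.example/folder/method"      # constructed sample
HEADERS = {"URL": "http://other.example/h"}          # constructed client header
PARAMS = {"URL": "http://other.example/p", "q": "x"} # constructed client parameters

def header_key(name):
    """CGI-style mapping: a client header 'X-Foo' is stored as 'HTTP_X_FOO'."""
    return "HTTP_" + name.upper().replace("-", "_")

class MergedRequest:
    """One flat dict; client parameters are merged last (assumed flaw)."""
    def __init__(self, traversed_url, headers, params):
        self.vars = {"URL": traversed_url}           # server-computed
        self.vars.update((header_key(k), v) for k, v in headers.items())
        self.vars.update(params)                     # may overwrite 'URL'

    def __getitem__(self, key):
        return self.vars[key]

class SeparatedRequest:
    """Separate namespaces; server-computed values are consulted first."""
    def __init__(self, traversed_url, headers, params):
        self.server = {"URL": traversed_url}
        self.environ = {header_key(k): v for k, v in headers.items()}
        self.form = dict(params)

    def __getitem__(self, key):
        for source in (self.server, self.environ, self.form):
            if key in source:
                return source[key]
        raise KeyError(key)

    def shadowing_params(self):
        """Client parameter names that collide with server-computed names."""
        return sorted(set(self.form) & set(self.server))

def compare():
    merged = MergedRequest(TRAVERSED, HEADERS, PARAMS)
    separated = SeparatedRequest(TRAVERSED, HEADERS, PARAMS)
    return {
        "merged_URL": merged["URL"],
        "separated_URL": separated["URL"],
        "header_lands_at": header_key("URL"),
        "flagged": separated.shadowing_params(),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(name, "=", value)
```

The `shadowing_params()` check is the kind of test code can run before trusting a server-computed name: any client parameter that reuses such a name is reported rather than silently merged.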