At 10:34 PM 3/9/2003, Edward Muller wrote:
> All that things like :record and :records do (after reading various docs) is pass a variable named items with the following attributes .desc, .item, .qty. What you do with that variable is then up to you.
Indeed.
> I don't see how using this functionality is in any way a security hole.
By itself, it's probably not. But it facilitates insecure coding habits. I already suspect that poor validation is rampant in Zope. One of the classic questions that pops up here from time to time is how you're supposed to capture the "off" value of checkboxes when you only get information on the ones that are checked. This question betrays a deep, dark secret lurking in many web apps: many developers have no idea what fields to expect nor what rules their data can be validated against.

Relying on the client to pass along special type & structure codes suggests a similarly high level of uncertainty as to what data is expected and what rules it should be validated against. It's not the feature itself, but the avoidance of validation that gives me concern.

But every application has its own requirements and its own environment. Each of us needs to determine what level of paranoia is justified by the specific requirements of each system.

Dylan
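The point Dylan makes above, as an added example that is not from the thread or from Zope itself: the server declares which fields a record may carry and what each must look like, and checks the marshalled values against that declaration instead of trusting the type and structure suffixes the browser chose. It assumes the request has already been turned into plain Python records (the .desc/.item/.qty shape the thread mentions), and the SKU pattern and a `gift` checkbox are invented for the illustration.

```python
import re

ITEM_RE = re.compile(r"^[A-Z]{2}-\d{4}$")  # assumed SKU format, not from the thread

# The server's own statement of what one record may contain; nothing else is
# accepted, and an absent checkbox simply means "off".
RECORD_SCHEMA = {
    "desc": {"type": str, "required": True, "max_len": 80},
    "item": {"type": str, "required": True, "pattern": ITEM_RE},
    "qty":  {"type": int, "required": True, "min": 1, "max": 999},
    "gift": {"type": bool, "required": False, "default": False},  # checkbox
}


def validate_record(record: dict) -> dict:
    """Return a cleaned copy of one marshalled record, or raise ValueError."""
    unexpected = set(record) - set(RECORD_SCHEMA)
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    clean = {}
    for name, rule in RECORD_SCHEMA.items():
        if name not in record:
            if rule["required"]:
                raise ValueError(f"missing field: {name}")
            clean[name] = rule["default"]          # unchecked box -> False
            continue
        value = record[name]
        if rule["type"] is int:
            # Convert on the server; a ":int" suffix chosen by the browser is
            # not taken as proof that the value really is an integer.
            if not (type(value) is int or (isinstance(value, str) and value.isdigit())):
                raise ValueError(f"{name}: not an integer")
            value = int(value)
            if not rule["min"] <= value <= rule["max"]:
                raise ValueError(f"{name}: out of range")
        elif rule["type"] is bool:
            value = True          # a present checkbox is "on", whatever it sent
        else:
            if not isinstance(value, str) or not value.strip():
                raise ValueError(f"{name}: must be a non-empty string")
            if "max_len" in rule and len(value) > rule["max_len"]:
                raise ValueError(f"{name}: too long")
            if "pattern" in rule and not rule["pattern"].match(value):
                raise ValueError(f"{name}: bad format")
        clean[name] = value
    return clean


def validate_records(records: list) -> list:
    """Validate a whole :records list; any bad record rejects the submission."""
    return [validate_record(r) for r in records]
```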