Re: getSlice error in wiki folder with many objects?
By jove, you've got it! For the moment, I don't want to touch ZMI code. So I deleted the URL object. (I had previously made a hack for deleting stuff.)

thx! (for others' reference, the offending code is within /App/dtml/manage_tabs.dtml )

--- In zope@yahoogroups.com, Jamie Heilman <jamie@a...> wrote:
Chances are somebody named an object in that folder "URL" and DTML's stupid name space games are causing you pain. A great example of why DTML is a dead end. To fix, try replacing the expr with:
REQUEST['URL'][-(_.len(action)):]==action or REQUEST['URL'][-17:]=='/manage_workspace' and _['sequence-start']
Bill Seitz wrote:
By jove, you've got it!
I wish I could say I'm surprised. As long as the ZMI uses DTML it will be vulnerable to a host of stupid attacks like this one, wherever a user is allowed to create objects in the zodb with an id of their choosing. The ZMI really needs to be completely redone using page templates but it's a) a lot of work, and b) very tricky in parts thanks to import dependencies.

--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality. Before we know the words for it, before we know there are words, out we come bloodied and squalling with the knowledge that for all the compasses in the world, there's only one direction, and time is its only measure." -Rosencrantz
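
The name shadowing discussed in this thread, as an added example that is not part of the original messages and is not Zope's code: a simplified Python model of layered name lookup, comparing the bare `URL` lookup with the `REQUEST['URL']` form suggested above, plus a check for colliding ids. The `NamespaceStack` class, the function names, and the sample URL are assumptions made for illustration.

```python
# Simplified model of layered name lookup; NOT Zope's DTML implementation.
# All names and the sample request below are constructed for illustration.

class NamespaceStack:
    """Resolve a bare name from the most recently pushed layer downward."""
    def __init__(self):
        self._layers = []

    def push(self, mapping):
        self._layers.append(mapping)

    def __getitem__(self, name):
        for layer in reversed(self._layers):
            if name in layer:
                return layer[name]
        raise KeyError(name)


class FolderItem:
    """Stand-in for a stored object: not a string, so it cannot be sliced."""
    def __init__(self, oid):
        self.id = oid


def build(folder_ids):
    """Build a stack where folder contents sit above the request variables."""
    request = {"URL": "http://localhost:8080/wiki/manage_main"}  # constructed
    folder = {oid: FolderItem(oid) for oid in folder_ids}
    ns = NamespaceStack()
    ns.push({"REQUEST": request})  # the request object itself
    ns.push(request)               # request variables exposed as bare names
    ns.push(folder)                # folder ids are searched first
    return ns, request, folder


def tab_is_active_bare(ns, action):
    # Unqualified form: 'URL' is resolved through every layer of the stack.
    return ns["URL"][-len(action):] == action


def tab_is_active_qualified(ns, action):
    # Qualified form from the thread: read URL from REQUEST explicitly.
    return ns["REQUEST"]["URL"][-len(action):] == action


def shadowing_ids(request, folder):
    """Return folder ids that hide a request variable of the same name."""
    return sorted(set(request) & set(folder))
```

With a folder item whose id is `URL`, the bare lookup returns that item and the slice raises, while the qualified lookup still returns the request string.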