Re: [Zope] Can I trust the variables?
Jan-Frode Myklebust writes:
> I'm doing an external method that's supposed to zip-up files selected via LocalFS, and I'm wondering if I can trust the special variables set in a request. Can I trust that f.ex. URL/URLn/URLPATHn are from where the external method was called, and not set by the user via http-headers?

We recently discovered a bug in Zope (--> list archives): a REQUEST parameter named URL lets Zope create a really strange URL. In Zope 2.3, URL<i> and friends are not affected.

HTTP headers should not be a problem, as they are prefixed with "HTTP_".

Dieter

On Mon, Mar 26, 2001 at 08:02:12PM +0200, Dieter Maurer wrote:
> Jan-Frode Myklebust writes:
> > I'm doing an external method that's supposed to zip-up files selected via LocalFS, and I'm wondering if I can trust the special variables set in a request. Can I trust that f.ex. URL/URLn/URLPATHn are from where the external method was called, and not set by the user via http-headers?
>
> We recently discovered a bug in Zope (--> list archives): a REQUEST parameter named URL lets Zope create a really strange URL. In Zope 2.3, URL<i> and friends are not affected.
>
> HTTP headers should not be a problem, as they are prefixed with "HTTP_".

I'm not sure if I understood that right.. Where is the URLn variable set? On the client side, or on the server side after the client has requested an external method?

-jf

Jan-Frode Myklebust writes:
> On Mon, Mar 26, 2001 at 08:02:12PM +0200, Dieter Maurer wrote:
> > Jan-Frode Myklebust writes:
> > > .... Can I trust that f.ex. URL/URLn/URLPATHn are from where the external method was called, and not set by the user via http-headers?
> >
> > We recently discovered a bug in Zope (--> list archives): a REQUEST parameter named URL lets Zope create a really strange URL. In Zope 2.3, URL<i> and friends are not affected.
> >
> > HTTP headers should not be a problem, as they are prefixed with "HTTP_".
>
> I'm not sure if I understood that right.. Where is the URLn variable set? On the client side, or on the server side after the client has requested an external method?

The URLn (and friends) are set by ZPublisher during URL traversal (details: URL:http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html ).

But, due to a bug in Zope (at least until 2.3.1), a parameter (inside the HTTP request, i.e. under client control) named "URL" influences the generation of the URL variable in Zope. To stress it again: this is a bug; it should not be, but it is. Look in the list archive or Zope's Collector for details.

Dieter

participants (2)
- Dieter Maurer
- Jan-Frode Myklebust