[Zope-Checkins] CVS: Zope3/lib/python/Zope/App/Traversing - __init__.py:1.4

Steve Alexander steve@cat-box.net
Tue, 18 Jun 2002 17:49:29 -0400


Update of /cvs-repository/Zope3/lib/python/Zope/App/Traversing
In directory cvs.zope.org:/tmp/cvs-serv28402

Modified Files:
	__init__.py 
Log Message:
added documentation warning against naively traversing using form
values.


=== Zope3/lib/python/Zope/App/Traversing/__init__.py 1.3 => 1.4 ===
     Raises NotFoundError if path cannot be found
     Raises TypeError if place is not context wrapped
+    
+    Note: calling traverse with a path argument taken from an untrusted
+          source, such as an HTTP request form variable, is a bad idea.
+          It could allow a maliciously constructed request to call 
+          code unexpectedly.
     """
     if not _isWrapper(place):
         raise TypeError, "Not enough context information to traverse"
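
Review bot: The Note added to the docstring warns that a path from an untrusted source "is a bad idea" but does not tell the caller what to do instead, and "call code unexpectedly" leaves the reader guessing at which property of the path is the problem. Suggest adding one sentence on the expected handling, for example that a path derived from a request form variable should be checked against the names the caller intends to expose before it is passed to traverse. Style point: the otherwise empty `+` line and the line ending in "to call " both carry trailing whitespace.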