[Zope-dev] getattr in a PythonMethod

Kevin Littlejohn <darius@connect.com.au>
Thu, 24 Feb 2000 10:29:00 +1100


getattr is an evil function, and as such isn't allowed in PythonMethods,
I'm fairly sure.  The reason it's bad is it opens up some neat tricks:

getattr(self, 'x_db'[1:])

This isn't caught easily by much of anything, and allows the PythonMethod
author to reach _ attributes on objects - which would subvert some of the
PythonMethods security.

(Noting you can already do the same thing with self['x_db'[1:]] anyway, but
it's assumed nothing valuable lives there ;)

KevinL

>>> "Kevin Dangoor" wrote
> I'm running Zope 2.1.4 and PythonMethod 0.1.7, and I'm running into an
> AttributeError for "validate" when I do:
> 
> dtml = getattr(self, 'popular.html')
> 
> I don't know of another way to get at "popular.html" from python. This line
> is definitely the issue though...
> 
> The method is called with self, REQUEST as parameters.
> 
> Any ideas?
> 
> Kevin

--------------- qnevhf@obsu.arg.nh ---------------
Kevin Littlejohn,
Technical Architect, Connect.com.au
Don't let the Govt censor our access to the 'net -
http://www.efa.org.au/Campaigns/stop.html
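
Added example, not part of the original message and not Zope or PythonMethods code: a minimal sketch of why a static check on attribute names misses the computed name in `getattr(self, 'x_db'[1:])`, next to a getattr wrapper that checks the name at call time. The names `static_violations`, `guarded_getattr`, `run_restricted` and `Folder` are hypothetical, and the sample object is constructed.

```python
import ast

class PrivateAttributeError(Exception):
    """Raised when restricted code reaches for an underscore attribute."""

def static_violations(source):
    """Static pass: attribute names written in the source that start with '_'."""
    return [node.attr for node in ast.walk(ast.parse(source))
            if isinstance(node, ast.Attribute) and node.attr.startswith("_")]

def guarded_getattr(obj, name, *default):
    """Runtime pass: check the name after the expression producing it has run."""
    if not isinstance(name, str) or name.startswith("_"):
        raise PrivateAttributeError(name)
    return getattr(obj, name, *default)

def run_restricted(source, self_obj, getattr_impl):
    """Evaluate one expression that sees only `self` and the supplied getattr.

    Illustration only: an empty __builtins__ dict is not a real sandbox.
    """
    if static_violations(source):
        raise PrivateAttributeError("rejected by static check")
    env = {"__builtins__": {}, "self": self_obj, "getattr": getattr_impl}
    return eval(compile(source, "<restricted>", "eval"), env)

class Folder:
    """Constructed sample object; _db stands in for a private attribute."""
    def __init__(self):
        self._db = "private connection"
        self.title = "Popular pages"

DIRECT = "self._db"
COMPUTED = "getattr(self, 'x_db'[1:])"  # the expression from the message

def demo():
    folder = Folder()
    results = {
        "static_direct": static_violations(DIRECT),      # name is visible in the source
        "static_computed": static_violations(COMPUTED),  # name only exists at run time
        "plain_getattr": run_restricted(COMPUTED, folder, getattr),
    }
    try:
        run_restricted(COMPUTED, folder, guarded_getattr)
        results["guarded"] = "allowed"
    except PrivateAttributeError:
        results["guarded"] = "blocked"
    results["public"] = run_restricted("getattr(self, 'title')", folder, guarded_getattr)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```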