[Zope-dev] HTML() security questions

Martijn Faassen m.faassen@vet.uu.nl
Thu, 13 Jan 2000 18:21:14 +0100


Hi there,

I'm working with Chuck Burdick on some changes to ZFormulator that allow
arbitrary DTML in some field definitions. Chuck got it working by doing
this:

HTML(foo).__call__(self)

where 'foo' is a string that may contain DTML statements.

This appears to work, but does not do any security checks; if the DTML
for instance contains this:

<dtml-var locked>

where 'locked' is a DTML Method that should be inaccessible by anonymous
('view' and 'access contents information' both turned off), the code
happily continues and lets anonymous view 'locked' just fine.

How to pass along authentication information to the HTML() object? (am I
asking the right question?) Is there any documentation on how this works
altogether? I dug some through the source but I'm not getting very
enlightened. It appears that some validate() method is called, but I'm
basically quite in the dark.

This kind of issue would likely be important to many product developers
that want to use DTML in this way; we don't want products to leave such
security holes.

Regards,

Martijn
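As an added illustration that is not part of this post or of Zope's own code: a constructed toy renderer contrasting an unchecked `<dtml-var>` lookup (the behaviour observed with `HTML(foo).__call__(self)`) with one gated by a validate hook that checks the caller's role against the 'View' and 'Access contents information' permissions. The `Doc` class, `render`, `validator_for` and the sample objects are hypothetical stand-ins, not Zope's API.

```python
import re
# Toy model of DTML-style rendering (constructed; not Zope's HTML class).
class Unauthorized(Exception):
    pass

class Doc:
    # Stand-in for a DTML Method: body text plus a {role: permissions} map.
    def __init__(self, body, permissions):
        self.body = body
        self.permissions = permissions

    def allows(self, role, permission):
        return permission in self.permissions.get(role, set())

VAR = re.compile(r"<dtml-var\s+(\w+)>")

def render(template, namespace, validate=None):
    """Expand <dtml-var name>; validate(name, obj) runs before each lookup.
    validate=None is unchecked resolution, the behaviour seen in the post."""
    def resolve(match):
        name = match.group(1)
        obj = namespace[name]
        if validate is not None:
            validate(name, obj)       # raises Unauthorized to stop the expansion
        return obj.body
    return VAR.sub(resolve, template)

def validator_for(role):
    """Require both permissions named in the post for the caller's role."""
    def validate(name, obj):
        for perm in ("View", "Access contents information"):
            if not obj.allows(role, perm):
                raise Unauthorized("%s: %s lacks %r" % (name, role, perm))
    return validate

# Constructed sample objects: 'locked' is closed to Anonymous, 'public' is open.
FULL = {"View", "Access contents information"}
NAMESPACE = {"locked": Doc("secret", {"Manager": FULL}),
             "public": Doc("hello", {"Anonymous": FULL, "Manager": FULL})}

def render_as(role, template):
    """The fix: gate every lookup by the caller's role instead of rendering raw."""
    return render(template, NAMESPACE, validator_for(role))

def can_render(role, template):
    try:
        render_as(role, template)
        return True
    except Unauthorized:
        return False
```

Calling `render(template, NAMESPACE)` with no validator reproduces the hole: 'locked' expands to its body for any caller, while `render_as("Anonymous", ...)` refuses it.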