[Zope-dev] Re: DTML and REQUEST data changes about to be checked in

Martijn Pieters mj@zope.com
Thu, 1 Aug 2002 12:34:30 -0400


On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote:
> Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a
> small worry that old code on small sites that we don't have much worry about
> will break if this is put into a 2.5.2 or later release.  Could there be a
> way to disable this "feature" in 2.5 via a z2/environment variable or some
> other configuration setting, but have it be automatic in 2.6?  "Potential
> code breakage" and "point point release" leave me a little worried about
> maintaining 2.5 sites.
>
> It may not be an issue - I have to digest the changes in more depth than
> I've had (or currently have) time for, but that's the thought that crossed
> my mind earlier.

From a technical standpoint I can indeed add a switch that would disable the
occurrence of tainted strings, yes. I'll discuss this with Brian, it
shouldn't be hard to add.

But note that breakage only occurs when REQUEST data actually contains
possibly dangerous markup, and your site was vulnerable in those areas that
now break. Disabling the tainting will leave you vulnerable.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
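The thread talks about REQUEST values that carry markup being handed to DTML as "tainted" strings, and about a switch that would turn that tainting off. The following is an added illustration of that idea, written for this page; it is not Zope's own code, and the names `TaintedString`, `taint_request_data`, `render` and the sample form data are constructed for the example. It models the two points Martijn makes: only values that actually contain markup-significant characters become tainted, and disabling the mechanism puts the unescaped markup straight back into the rendered page.

```python
"""Toy model of tainted REQUEST strings auto-escaped on DTML-style output.

Added example for this mailing-list thread; NOT Zope's implementation.
Class and function names here are hypothetical.
"""
import html
import re

# Minimal stand-in for DTML's <dtml-var name> substitution syntax.
DTML_VAR = re.compile(r"<dtml-var\s+(\w+)>")


class TaintedString(str):
    """A str marked as coming from untrusted REQUEST data that contains markup.

    Caveat: ordinary str methods (.upper(), slicing, concatenation) return a
    plain str, so a real taint system must propagate the mark through them.
    """
    __slots__ = ()


def taint_request_data(form):
    """Return a copy of the form dict; values holding markup become tainted.

    Values without any of < > & " are left as ordinary strings, which mirrors
    the point that only requests carrying dangerous markup change behaviour.
    """
    tainted = {}
    for key, value in form.items():
        if isinstance(value, str) and any(ch in value for ch in '<>&"'):
            tainted[key] = TaintedString(value)
        else:
            tainted[key] = value
    return tainted


def render(template, context, tainting_enabled=True):
    """Substitute context values into the template.

    With tainting enabled, a TaintedString is HTML-escaped on output; with
    the switch off, it is emitted verbatim (the vulnerable legacy behaviour).
    """
    def substitute(match):
        value = context.get(match.group(1), "")
        if tainting_enabled and isinstance(value, TaintedString):
            return html.escape(value, quote=True)
        return str(value)
    return DTML_VAR.sub(substitute, template)


# Constructed sample REQUEST form data (not taken from the thread).
SAMPLE_FORM = {"name": "Alice", "comment": "<script>alert(1)</script>"}
TEMPLATE = "<p><dtml-var name>: <dtml-var comment></p>"


def demo(tainting_enabled=True):
    """Render the constructed form through the template with the given switch."""
    return render(TEMPLATE, taint_request_data(SAMPLE_FORM), tainting_enabled)


if __name__ == "__main__":
    print("tainting on: ", demo(True))
    print("tainting off:", demo(False))
```

With the switch on, only the `comment` value is escaped; `name` never became tainted, so a page that only ever renders harmless values sees no change at all. With the switch off the output is exactly the pre-tainting behaviour, which is why the message warns that the switch trades breakage for exposure rather than removing the problem.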