[Zope-dev] Possible security problem with DTML

Shane Hathaway shane@zope.com
Mon, 24 Mar 2003 22:38:31 -0500


On 03/24/2003 12:28 PM, kosh wrote:
> On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> 
>>On Fri, 2003-03-21 at 20:08, kosh wrote:
>>
>>>I am having a problem where DTML is allowing access to an attribute of an
>>>object that restrictedTraverse and regular . notation denies from a
>>>Python script.
>>
>>This is pretty serious. You should post this as a bug in the collector.
>>
>>	Cheers, Leo
> 
> 
> Yeah, I will report this to the collector. I just wanted to see if anyone else 
> had seen this or thought it was a bug or some really weird thing that is 
> supposed to happen but not documented. It would not be the first time that 
> Zope had some really strange stuff in it. ;)

Are you talking about a DTMLFile in a Python product?  DTMLFiles do not 
check security (nor do they normally need to, since they are trusted).

Shane