[Zope-dev] Re: Security audit introduced problem in PageTemplates/Expression.py

Dieter Maurer dieter at handshake.de
Thu Jan 15 17:58:14 EST 2004


Jim Fulton wrote at 2004-1-15 17:23 -0500:
> ...
>None should never be passed for attribute accesses. If it is,
>then there is a bug.  The case of dictionary mapping names to
>whatever is for attribute access.  We are talking about item/key
>access. I haven't seen a use case for needing to specify separate access
>for separate key values.

The original problem report (at least the one I read in
this mailing list) was that a function
registered with "setDefaultAccess" was called with
"None" as "name" argument.

I expect that such a function is not called for dictionary or list access
but only for access to (class) instances.
When it is called, the name is relevant, as usually the name
will be used to distinquish which attributes should be accessible
and which not. 

-- 
Dieter



More information about the Zope-Dev mailing list