[Zope] Can I trust the variables?
Dieter Maurer
dieter@handshake.de
Tue, 27 Mar 2001 23:04:44 +0200 (CEST)
Jan-Frode Myklebust writes:
> On Mon, Mar 26, 2001 at 08:02:12PM +0200, Dieter Maurer wrote:
> > Jan-Frode Myklebust writes:
> > > .... Can I trust that f.ex. URL/URLn/URLPATHn are from where the external
> > > method was called, and not set by the user via http-headers?
> > We recently discovered a bug in Zope (--> list archives):
> >
> > a REQUEST parameter named URL lets Zope create a really
> > strange URL.
> > In Zope 2.3, URL<i> and friends are not affected.
> >
> > HTTP headers should not be a problem, as they are prefixed with
> > "HTTP_".
> >
>
> I'm not sure if I understood that right.. Where is the URLn variable set? On
> the client side, or on the server side after the client has requested an
> external method?
The URLn (and friends) are set by ZPublisher during URL
traversal (details:
http://www.dieter.handshake.de/pyprojects/zope/book/chap3.html).
But, due to a bug in Zope (at least until 2.3.1),
a parameter (inside the HTTP request, i.e.
under client control) named "URL" influences
the generation of the URL variable in Zope.
To stress it again: this is a bug; it should
not be but it is.
Look in the list archive or Zope's Collector
for details.
Dieter
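
An added example, not part of the original message and not Zope's own code: a guard an external method could run before relying on URL, URLn or URLPATHn, rejecting any request whose client-supplied parameters use those names. Assumptions: the request exposes client parameters as dict-like `form` and `cookies` (modelled here by the constructed `FakeRequest` stand-in), cookies are checked as a conservative choice, and the helper names are hypothetical.

```python
import re

# Names the thread says ZPublisher computes itself: URL, URLn, URLPATHn.
RESERVED = re.compile(r"^URL(PATH)?\d*$")


class FakeRequest:
    """Constructed stand-in for a Zope REQUEST: only the parts the check needs."""

    def __init__(self, form=None, cookies=None):
        self.form = dict(form or {})        # client-supplied query/POST parameters
        self.cookies = dict(cookies or {})  # client-supplied cookies


def shadowing_names(request):
    """Return sorted client-supplied names that collide with server-set URL variables."""
    hits = set()
    for source in (request.form, request.cookies):
        for name in source:
            # A type-converter suffix such as "URL:int" still binds the name "URL".
            base = name.split(":", 1)[0]
            if RESERVED.match(base):
                hits.add(name)
    return sorted(hits)


def require_untainted_urls(request):
    """Raise before any code relies on URL/URLn/URLPATHn from this request."""
    hits = shadowing_names(request)
    if hits:
        raise ValueError("client parameters shadow server variables: " + ", ".join(hits))
    return True


if __name__ == "__main__":
    # Constructed sample requests.
    ok = FakeRequest(form={"id": "42"})
    bad = FakeRequest(form={"URL": "http://example.invalid/"})
    print(require_untainted_urls(ok))
    print(shadowing_names(bad))
```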