[Zope] assignment to form records

Edward Muller edwardam@interlix.com
10 Mar 2003 00:34:59 -0600


All that things like :record and :records do (after reading various
docs) is pass a variable named items with the following attributes:
.desc, .item, .qty. What you do with that variable is then up to you.

I don't see how using this functionality is in any way a security hole.


I would love an equivalent :object and :objects flag, something like
this:

<dtml-in "range(item_count)">
  <input type=text size=30 name="items.desc:objects:Item">
  <input type=text size=15 name="items.item:objects:Item">
  <input type=text size=10 name="items.qty:objects:Item">
</dtml-in>

Where an 'object' (or objects) is created (Python class is instantiated)
and getter and setter methods for .desc, .item and .qty get called with
the provided values. For instance the above snippet would create a new
object called items, which is an instance of class Item. Class Item
would have get_desc, get_item, get_qty, set_desc, set_item, set_qty
methods. These would then act as classic getter and setter methods.

On Sat, 2003-03-08 at 21:56, Dylan Reinhardt wrote:
> At 03:29 PM 3/8/2003, Eduardo Bastos wrote:
> 
> >for example (record)...
> ><input type=text name=person.name:record size=30>
> >you have a method person and an attribute name.
> >
> >for example (records)...
> ><dtml-in "range(item_count)">
> >   <input type=text size=30 name="items.desc:records">
> >   <input type=text size=15 name="items.item:records">
> >   <input type=text size=10 name="items.qty:records">
> ></dtml-in>
> 
> My unsolicited $.02:
> 
> You may want to think twice about relying on this for a public-facing 
> production system.
> 
> The first rule of security for a public web site is to validate *all* 
> client input.  That includes posted values, *and* field names.
> 
> Depending on the client to post a form without tweaking the field names is 
> a pretty trusting position to take, IMO.  If you're going to validate your 
> data anyway, what's the point of specifying data types at any point prior 
> to validation?
> 
> Including meaningful field names in your form just gives you one more 
> failure point... it's one more thing you should be validating but most 
> likely aren't, or you wouldn't be using it in the first place.
> 
> The field name hack is a really neat trick... but it's not something I'd 
> advise depending on for anything important that gets public exposure.
> 
> FWIW,
> 
> Dylan
> 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
-- 
Edward Muller

Interlix - President

Web Hosting - PC Service & Support
Custom Programming - Network Service & Support

Phone: 417-862-0573
 Cell: 417-844-2435
  Fax: 417-862-0572

http://www.interlix.com
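The thread above describes two things: how Zope's `:record` / `:records` field-name flags turn posted fields into objects with `.desc`, `.item` and `.qty` attributes, and Dylan's point that the client controls those field names, so the server still has to validate both the names and the values. The following Python is an added example, not Zope's code and not code from either poster: it is a simplified emulation of the marshaling rules (the splitting on `:` and `.`, the row-splitting rule and the small converter table are assumptions that approximate Zope's behaviour) followed by an allowlist validator of the kind a public-facing handler needs. `HONEST_POST` and `TAMPERED_POST` are constructed sample inputs, not captured traffic.

```python
"""Added example (not Zope's code): a simplified emulation of the :record /
:records / :int form-name marshaling that Zope's HTTPRequest performs, followed
by the server-side validation a public form still needs.  The splitting rules
here are an assumption that approximates Zope's behaviour, not a copy of it."""
import re
from types import SimpleNamespace

# Converter flags recognised by this emulation (Zope has more; this is a subset).
CONVERTERS = {"int": int, "float": float, "string": str}


def marshal_form(pairs):
    """Turn posted (field_name, value) pairs into a form dict.

    'person.name:record'  -> form['person'].name
    'items.qty:records'   -> form['items'][n].qty   (one record per row)
    'x:int'               -> int(value); bad input raises ValueError
    Everything the client posts is processed, including field names the
    server never emitted, which is exactly why validation must follow.
    """
    form = {}
    for key, value in pairs:
        name, *flags = key.split(":")
        for flag in flags:
            conv = CONVERTERS.get(flag)
            if conv is not None:
                value = conv(value)
        if "record" in flags or "records" in flags:
            if "." not in name:
                raise ValueError("record field %r needs a .attribute" % key)
            rec_name, attr = name.split(".", 1)
            if "records" in flags:
                rows = form.setdefault(rec_name, [])
                # Start a new row when the current one already has this attribute.
                if not rows or hasattr(rows[-1], attr):
                    rows.append(SimpleNamespace())
                setattr(rows[-1], attr, value)
            else:
                rec = form.setdefault(rec_name, SimpleNamespace())
                setattr(rec, attr, value)
        else:
            form[name] = value
    return form


# Server-side allowlist: the only attributes and shapes accepted per row.
ALLOWED_ATTRS = {"desc", "item", "qty"}
MAX_ROWS = 50


def validate_items(form):
    """Check the marshaled 'items' records and return clean dicts, or raise."""
    rows = form.get("items")
    if not isinstance(rows, list) or not 1 <= len(rows) <= MAX_ROWS:
        raise ValueError("items must be a :records list of 1..%d rows" % MAX_ROWS)
    clean = []
    for n, rec in enumerate(rows):
        fields = vars(rec)
        if set(fields) != ALLOWED_ATTRS:  # rejects added, renamed or missing attrs
            raise ValueError("row %d: unexpected attributes %s" % (n, sorted(fields)))
        desc = str(fields["desc"]).strip()
        item = str(fields["item"]).strip()
        if not 1 <= len(desc) <= 200 or not re.fullmatch(r"[A-Za-z0-9-]{1,32}", item):
            raise ValueError("row %d: bad desc or item" % n)
        # Accept only a plain decimal; a client-added ':float' or 'abc' is rejected here.
        if not re.fullmatch(r"[0-9]{1,6}", str(fields["qty"])):
            raise ValueError("row %d: qty must be a positive integer" % n)
        qty = int(fields["qty"])
        if qty < 1:
            raise ValueError("row %d: qty must be >= 1" % n)
        clean.append({"desc": desc, "item": item, "qty": qty})
    return clean


def process_post(pairs):
    """What a public-facing handler should do: marshal, then validate."""
    return validate_items(marshal_form(pairs))


# Constructed sample posts (not captured traffic).
HONEST_POST = [
    ("items.desc:records", "Widget"), ("items.item:records", "W-100"), ("items.qty:records", "3"),
    ("items.desc:records", "Gadget"), ("items.item:records", "G-200"), ("items.qty:records", "1"),
]
# Same rows, but the client tweaked the field names: an extra 'price' attribute
# and a ':float' converter that the server never put in its form.
TAMPERED_POST = HONEST_POST[:3] + [("items.price:records", "0")] + [
    ("items.desc:records", "Gadget"), ("items.item:records", "G-200"), ("items.qty:float:records", "1.5"),
]

if __name__ == "__main__":
    print(process_post(HONEST_POST))
    try:
        process_post(TAMPERED_POST)
    except ValueError as e:
        print("rejected:", e)
```

The marshaling step happily builds whatever the posted names describe, which is the point of Dylan's objection: the `:records` flag saves typing, but it is `validate_items`, with its fixed attribute set and per-field checks, that decides what reaches the application.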