[Zope] Securing Zope and Special URLs

Jamie Heilman jamie at audible.transient.net
Thu Sep 11 02:35:54 EDT 2003


Dylan Reinhardt wrote:
> On Wed, 2003-09-10 at 16:46, Roy Rapoport wrote:
> > Jamie Heilman wrote:
> > [Zope Security is an oxymoron]
> > > 3) Never use DTML.
> > 
> > Why?
> 
> Because DTML offends some Zope users' sense of aesthetics, that's why.

It goes beyond that.  DTML is a stack of namespaces, and more often
than not the end results are unpredictable.  The ZMI, largely made up
of DTMLFile objects, is painfully susceptible to abuse, for example:
drop an object called URL or URL1 or BASEPATH1 into your zodb, then
try to manage objects at the same level, but notice how everything
breaks... that's DTML in a nutshell.  Now, it's not that DTML is
impossible to write such that the expected results are always
realized, it's that very few people, including ZC, bother to do so
because it means heavy use of fully qualified variables, which are
frequently inconvenient and appear overly verbose.  (you end up with a
lot of "<dtml-var REQUEST.BASEPATH1 html_quote>" instead of
"&dtml-BASEPATH1;").  By now folks have mostly learned that explicit
qualification is preferred to implicit qualification, and it's not
simply a matter of aesthetics at stake, but rather a matter of
predictability and sanity at even the most basic levels of authorship.
DTML was an interesting experiment in contextual namespace collusion,
it failed, and now we have ZPT.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying
 to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile?
 I liked you better when you weren't saying squat kid." -Buddy
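The shadowing Jamie describes, modelled as an added example that is not part of the original post or of Zope's own code: a toy namespace stack stands in for DTML's lookup, with a constructed request and folder, and the frame ordering (folder contents above the request) is an assumption made to mirror the ZMI case.

```python
from html import escape


class ZodbObject:
    """Stand-in for a content object stored in the ZODB (constructed)."""
    def __init__(self, id_):
        self.id = id_

    def __str__(self):
        return "<ZodbObject %s>" % self.id


class NamespaceStack:
    """Toy model of DTML's '_' namespace stack; frames are searched top-down."""
    def __init__(self, *frames):
        self.frames = list(frames)          # index 0 is the bottom frame

    def implicit(self, name):
        """&dtml-NAME; style lookup: the topmost frame defining NAME wins,
        whatever kind of binding that happens to be."""
        for frame in reversed(self.frames):
            if name in frame:
                return frame[name]
        raise KeyError(name)

    def qualified(self, path):
        """<dtml-var A.B> style lookup: resolve the first segment, then walk
        the remaining segments inside that one object only."""
        head, *rest = path.split(".")
        obj = self.implicit(head)
        for part in rest:
            obj = obj[part]
        return obj


def render_basepath(ns, explicit):
    """Render BASEPATH1 as a management screen would, html-quoted."""
    value = ns.qualified("REQUEST.BASEPATH1") if explicit else ns.implicit("BASEPATH1")
    return escape(str(value), quote=True)


def demo():
    # Constructed request and folder contents (hypothetical values).
    request = {"BASEPATH1": "/site", "URL1": "http://zope.example/site/manage"}
    clean_folder = {"index_html": ZodbObject("index_html")}
    shadowing_folder = dict(clean_folder, BASEPATH1=ZodbObject("BASEPATH1"))
    results = {}
    for label, folder in (("clean", clean_folder), ("shadowed", shadowing_folder)):
        ns = NamespaceStack({"REQUEST": request}, request, folder)
        results[label] = (render_basepath(ns, False), render_basepath(ns, True))
    return results
```

With the shadowing folder, the implicit form renders the object instead of the path while the qualified form still yields "/site".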