[Zope3-dev] Re: URLs & Paths
Shane Hathaway
shane@zope.com
Wed, 12 Dec 2001 11:15:55 -0500
Tim Hoffman wrote:
> I gotta say the .../contact/view;acquire business really makes me
> worried.
>
> I know I must be missing heaps here, but doesn't this mean
> that we are making the behaviour of acquisition visible and therefore
> invocable from outside the system (i.e. just by the inclusion or removal
> of an argument in a URL)? Could this not lend itself to exploits?

Not any worse than today. Today you simply don't have to specify
";acquire"--yet things are still acquired, which can indeed lead to
exploits. Fortunately the security machinery isn't fooled this way.

Shane