[Zope3-dev] Security question in page directive!

Roger Ineichen dev at projekt01.ch
Thu Oct 21 06:57:22 EDT 2004


Hi together,

I'm not sure, I think there is a sequrity
problem in zope\app\publisher\browser\viewmeta.py

I didn't find a usecase or test which is uesing
a configuration with allowed_attributes in
a page directive.  

Should the code at line "156" not make use of 
"allowed_attributes"? 

Otherwise "allowed_attributes" are nowhere used
in the page directive. Perhaps this affect also
the browser:view directive.

156> _handle_allowed_attributes(_context, allowed_interface, permission,
157>                               required)


Please can anybody take a look at this code?

Regards
Roger Ineichen
_____________________________
Projekt01 GmbH
www.projekt01.ch
Langackerstrasse 8
6330 Cham
phone     +41 (0)41 781 01 78
mobile    +41 (0)79 340 52 32
fax       +41 (0)41 781 00 78
email r.ineichen at projekt01.ch
_____________________________
END OF MESSAGE 



More information about the Zope3-dev mailing list