[ZPT] Path interpolation
Shane Hathaway
shane@zope.com
Fri, 02 Aug 2002 14:52:17 -0400
Evan Simpson wrote:
> The detail is this: if "path:$x" uses simple string interpolation (which
> the syntax strongly implies), then given x="a/b", this expression is
> equivalent to "path:a/b". This isn't a problem if you defined 'x', but
> it's a potential security hole if 'x' came from an untrusted source.
>
> For example, if you put the following into a template:
>
> <img tal:attributes="src here/images/foo_${request/foonum}" />
>
> ...then a hostile request with query string "foonum=003/path/to/bar"
> could cause traversal to an arbitrary object.
Steve A. has talked about this before, and I still don't see why this
can be considered a security hole. HTTP URLs passed to Zope "cause
traversal to an arbitrary object". So traversal is already a highly
protected operation. Why do page templates have to be further limited?
Shane
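The interpolation behaviour Evan describes, as an added example that is not part of the original message and not Zope's code: a constructed object tree and a toy traverser stand in for the site's objects and Zope's traversal machinery, and the helpers (`traverse`, `expand_naive`, `expand_segment`, `render_naive`, `render_segment`) are hypothetical. It shows a request value containing '/' turning into extra path segments under plain string interpolation, beside one possible alternative (not Zope's) that treats the interpolated value as part of a single segment and refuses separators.

```python
import re

# Constructed sample object tree standing in for the site's objects.
ROOT = {
    "here": {
        "images": {
            "foo_001": "<image foo_001>",
            "foo_003": {"path": {"to": {"bar": "<arbitrary object bar>"}}},
        }
    }
}

# ${request/name}: the only interpolation form this toy model understands.
_INTERP = re.compile(r"\$\{request/([A-Za-z_][A-Za-z0-9_]*)\}")


def traverse(root, path):
    """Walk `root` one '/'-separated segment at a time, like a path expression."""
    node = root
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            raise KeyError("cannot traverse %r: no %r" % (path, segment))
        node = node[segment]
    return node


def expand_naive(template, request):
    """Simple string interpolation: the request value is pasted in verbatim,
    so any '/' inside it becomes additional path segments."""
    return _INTERP.sub(lambda m: request[m.group(1)], template)


def expand_segment(template, request):
    """Hypothetical defence (not what Zope does): the interpolated value may
    only contribute to the segment it appears in, so a separator is refused.
    What counts as a separator depends on the real traverser; '/' is the one
    relevant to this toy model."""
    def substitute(m):
        value = request[m.group(1)]
        if "/" in value:
            raise ValueError("refusing to interpolate %r into a path" % value)
        return value
    return _INTERP.sub(substitute, template)


def render_naive(template, request, root=ROOT):
    """Expand with plain string interpolation, then traverse."""
    return traverse(root, expand_naive(template, request))


def render_segment(template, request, root=ROOT):
    """Expand with the single-segment rule, then traverse."""
    return traverse(root, expand_segment(template, request))


if __name__ == "__main__":
    tmpl = "here/images/foo_${request/foonum}"
    # Expected input: foonum selects an image under here/images.
    print(render_naive(tmpl, {"foonum": "001"}))
    # Hostile query string: the value grows the path and traversal lands on bar.
    print(expand_naive(tmpl, {"foonum": "003/path/to/bar"}))
    print(render_naive(tmpl, {"foonum": "003/path/to/bar"}))
    # The segment rule refuses the same value before traversal happens.
    try:
        render_segment(tmpl, {"foonum": "003/path/to/bar"})
    except ValueError as e:
        print("blocked:", e)
```

Whether the refused case matters in practice is exactly the question Shane raises: in this model the request value steers traversal through the template's path expression rather than through the URL, so any checks applied to the expanded path are what decide whether reaching `bar` this way is a problem.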