[ZPT] Re: Path Interpolation
Jim Fulton
jim@zope.com
Tue, 06 Aug 2002 08:18:54 -0400
> I just noticed that
> http://dev.zope.org/Wikis/DevSite/Projects/ZPT/VariablesInPaths appears
> to have the approval of both Guido and Jim, so I'm hoping to clean up
> one detail and then implement it.
No, it does not have my approval. I suppose I should go ahead
and officially reject it.
I can live with making the current undocumented path interpolation
syntax official and changing the special character to a '$'.
I am against making it equivalent to string interpolation, which is
why I'm still queezy about using the '$' symbol. The purpose
of interpolation is to let a name or *key* be provided as data.
In such a case, a slash should not be significant in the name or key.
> The detail is this: if "path:$x" uses simple string interpolation (which
> the syntax strongly implies), then given x="a/b", this expression is
> equivalent to "path:a/b". This isn't a problem if you defined 'x', but
> it's a potential security hole if 'x' came from an untrusted source.
>
> For example, if you put the following into a template:
>
> <img tal:attributes="src here/images/foo_${request/foonum}" />
>
> ...then a hostile request with query string "foonum=003/path/to/bar"
> could cause traversal to an arbitrary object.
>
> This is why the current (undocumented) syntax "path:var1/?var2" is
> designed so that "?var2" is always a single path step when 'var2'
> contains a string.
As I remember it, the reason for this is that the value of var2 might
contain characters that would be meaningful in a path expression if they
were interpreted, this breaking the interpolation in odd and unexpected
ways.
> It *does* traverse multiple steps if 'var2' contains
> a sequence, which combined with Zope's ':list' marshalling causes the
> same problem :-(
This sounds like a bad missfeature. This is one of the reasons that this
was an experimental feature.
> Normally I would expect the default case to the safe one, while allowing
> you to explicitly accept risk (as with HTML-escaping and the 'structure'
> keyword). In this case, though, I suspect that the vast majority of
> usage will not involve untrusted data, and the expected semantics of '$'
> are strong enough to choose the other course.
Do we have anyt use cases where people *really* want the value of an
interpolated variable to be treated as a path expression? I can't
think of any.
> I recommend that '$'-expansion be treated as simple string
> interpolation, and that an alternate syntax should be provided which
> renders slashes in the value inert. This could be '?', suitably
> altered, so that "here/images/foo_?{request/foonum}" would cause the
> example above to look for (and probably fail to find) an object in
> 'here/images' with the id "foo_003/path/to/bar".
I recommend that the current syntax be made official absent the sequence
handling missfeature, as you suggest.
This means that interpolation can only be performed for a path segment,
the '?' is only meaningful immediately after a slash, and characters in
the interpolated value have no meaning other than data.
I could have my arm twisted to use the '$' character, but I think
that this is a bad idea.
I would need to see some really convincing use cases to support
general string interpolation in paths.
Jim
--
Jim Fulton mailto:jim@zope.com Python Powered!
CTO (888) 344-4332 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org