Prevent sandbox escape via 'BaseRequest.traverseName'.

Fixes LP #1095343.

Prevent sandbox escape via 'BaseRequest.traverseName'.
Fixes LP #1095343.
398c5bc8 · Tres Seaver · 162b2dbb · 398c5bc8
Commit 398c5bc8 authored Jul 05, 2013 by Tres Seaver
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

src/ZPublisher/BaseRequest.py src/ZPublisher/BaseRequest.py +1 -0

No files found.
--- a/src/ZPublisher/BaseRequest.py
+++ b/src/ZPublisher/BaseRequest.py
@@ -346,6 +346,7 @@ class BaseRequest:
            ob2 = adapter.publishTraverse(self, name)

        return ob2
+    traverseName__roles__ = ()

    def traverse(self, path, response=None, validated_hook=None):
        """Traverse the object space