Commit 713a4f22 authored by 's avatar

Made a change to the traverse() method to disallow traversal of the REQUEST.

parent 0816d3ba
...@@ -82,7 +82,7 @@ ...@@ -82,7 +82,7 @@
# attributions are listed in the accompanying credits file. # attributions are listed in the accompanying credits file.
# #
############################################################################## ##############################################################################
__version__='$Revision: 1.16 $'[11:-2] __version__='$Revision: 1.17 $'[11:-2]
from string import join, split, find, rfind, lower, upper from string import join, split, find, rfind, lower, upper
from urllib import quote from urllib import quote
...@@ -227,6 +227,10 @@ class BaseRequest: ...@@ -227,6 +227,10 @@ class BaseRequest:
if response is None: response=self.response if response is None: response=self.response
debug_mode=response.debug_mode debug_mode=response.debug_mode
# Make sure that REQUEST cannot be traversed.
if find(path, 'REQUEST') >= 0:
return response.notFoundError(path)
if path[:1] != '/': path='/'+path if path[:1] != '/': path='/'+path
if path[-1:] != '/': path=path+'/' if path[-1:] != '/': path=path+'/'
if find(path,'/.') >= 0: if find(path,'/.') >= 0:
...@@ -459,6 +463,8 @@ class BaseRequest: ...@@ -459,6 +463,8 @@ class BaseRequest:
""" """
self._held=self._held+(object,) self._held=self._held+(object,)
def old_validation(groups, request, auth, def old_validation(groups, request, auth,
roles=UNSPECIFIED_ROLES): roles=UNSPECIFIED_ROLES):
......
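Review bot: The new guard in traverse() tests `find(path, 'REQUEST') >= 0` against the whole raw path, so it is a substring match: any URL whose path merely contains that text (for instance an object id like `REQUEST_LOG`, a constructed example) is now answered with notFoundError. The comment states a narrower intent, which is to stop REQUEST itself being used as a traversal step. A segment-exact form would be `if 'REQUEST' in split(path, '/'): return response.notFoundError(path)`, using the `split` already imported from `string`. The rest of traverse() lies outside this hunk, so I cannot see whether path segments are altered again before lookup; if they are, the check belongs on the names actually used for lookup rather than on the raw string. The comment would also be more useful if it said why REQUEST must not be reachable by URL, e.g. `# REQUEST holds per-request state and must never be published as a URL step.`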