Steve Alexander writes:
> I'm hacking around with some external methods called aq_containment and
> aq_context.
>
> I just found out that I can't call them from DTML. I can call them from
> the URL line of a browser just fine.
>
> If I rename them to a_containment and a_context, they work from DTML.
>
> I guess there's something in Acquisistion.c that reserves all aq_.*
> names.
The code is in "AccessControl.ZopeSecurityPolicy.validate".
It allows access to "aq_explicit" and "aq_parent" only.
I am a bit astonished that URL traversal is possible.
Probably, this was not intended.
Dieter
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
