names starting with '@' are not reserved
- From: Dieter Maurer <dieter (at) handshake.de>
- Date: Wed, 15 Mar 2006 21:51:50 +0100
yuppie wrote at 2006-3-15 11:23 +0100:
> ...
>Zope 2's checkValidId makes sure this doesn't happen with Zope 2 folder
>methods, Zope 3's NameChooser makes sure this doesn't happen with Zope 3
>folder views. Even the bad_id-patch described above doesn't allow
>overriding folder methods.
Maybe the "checkValidId" should refuse to add an object with
an id that hides a view declared for this folder and not
reject any id that might (potentially) hide a view because
it starts with "@" or "+"...
This would prevent the security concerns you seem to have
and allow for most ids to be accepted...
--
Dieter
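
The two id-validation policies contrasted in this message, as an added sketch that is not part of the original post and not Zope code. `Folder`, `BlogFolder`, `VIEW_REGISTRY` and both check functions are hypothetical stand-ins for `checkValidId` and the view declarations, and the sample ids are constructed.

```python
class BadId(ValueError):
    """Raised when a container refuses an id."""

class Folder:
    pass

class BlogFolder(Folder):
    pass

# Constructed registry: view names declared per folder class (hypothetical).
VIEW_REGISTRY = {
    Folder: {"@@manage", "+"},
    BlogFolder: {"@@archive", "feed.xml"},
}

def declared_views(folder):
    # A view declared for a base class also applies to its subclasses.
    names = set()
    for cls in type(folder).__mro__:
        names |= VIEW_REGISTRY.get(cls, set())
    return names

def check_by_prefix(folder, new_id):
    # Blanket rule: refuse every id that might potentially name a view.
    if new_id[:1] in ("@", "+"):
        raise BadId(f"{new_id!r}: ids may not start with '@' or '+'")

def check_by_declared_views(folder, new_id):
    # Targeted rule: refuse only an id that hides a view declared for
    # the folder that would receive the object.
    if new_id in declared_views(folder):
        raise BadId(f"{new_id!r} would hide a view declared for this folder")

def accepted(check, folder, ids):
    """Return the ids that `check` lets through for `folder`, in input order."""
    ok = []
    for candidate in ids:
        try:
            check(folder, candidate)
        except BadId:
            continue
        ok.append(candidate)
    return ok

CANDIDATE_IDS = ["report", "@home", "+1", "@@manage", "@@archive", "feed.xml"]

if __name__ == "__main__":
    for folder in (Folder(), BlogFolder()):
        print(type(folder).__name__)
        print("  prefix rule  :", accepted(check_by_prefix, folder, CANDIDATE_IDS))
        print("  declared rule:", accepted(check_by_declared_views, folder, CANDIDATE_IDS))
```

In this sketch the targeted check knows only the views present in the registry at the moment the id is checked.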