author | Steve Alexander <steve@z3u.com> | 2002-06-18 21:49:28 +0000 |
---|---|---|
committer | Steve Alexander <steve@z3u.com> | 2002-06-18 21:49:28 +0000 |
commit | 3fba666f642b7335ae6f57eb1116ab92c7ffeab2 (patch) | |
tree | a699f6943bdeae2d4938e1d5c44499188cf84eca | |
parent | e27c5ec1065728cd6007e8c49ff0b681267773a1 (diff) | |
download | zope-traversing-3fba666f642b7335ae6f57eb1116ab92c7ffeab2.tar.gz |
added documentation warning against naively traversing using form
values.
-rw-r--r-- | __init__.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/__init__.py b/__init__.py
index ff17ff4..cab237d 100644
--- a/__init__.py
+++ b/__init__.py
@@ -30,6 +30,11 @@ def traverse(place, path, default=_marker, request=None):
 Raises NotFoundError if path cannot be found
 Raises TypeError if place is not context wrapped
+
+ Note: calling traverse with a path argument taken from an untrusted
+ source, such as an HTTP request form variable, is a bad idea.
+ It could allow a maliciously constructed request to call
+ code unexpectedly.
 """
 if not _isWrapper(place):
 raise TypeError, "Not enough context information to traverse" |
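Review bot: The added note tells the caller that an untrusted `path` "is a bad idea" but not what the safe pattern is, so a reader who needs to act on form input still has to guess; I would follow it with a sentence such as `Validate such a path against an explicit list of permitted names before passing it here, or use a traversal that performs a security check on each step.` Stating the reason concretely would also help: if, as the note implies, traverse resolves each segment by plain attribute or item access from `place`, then a request-controlled path can reach objects that were never meant to be published, not only "call code". The note's own `default` and `request` parameters are not described in the visible part of the docstring either, which starts above this hunk. The body of traverse continues past the end of the hunk.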