authorSteve Alexander <steve@z3u.com>2002-06-18 21:49:28 +0000
committerSteve Alexander <steve@z3u.com>2002-06-18 21:49:28 +0000
commit3fba666f642b7335ae6f57eb1116ab92c7ffeab2 (patch)
treea699f6943bdeae2d4938e1d5c44499188cf84eca
parente27c5ec1065728cd6007e8c49ff0b681267773a1 (diff)
added documentation warning against naively traversing using form
values.
-rw-r--r--__init__.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/__init__.py b/__init__.py
index ff17ff4..cab237d 100644
--- a/__init__.py
+++ b/__init__.py
@@ -30,6 +30,11 @@ def traverse(place, path, default=_marker, request=None):
Raises NotFoundError if path cannot be found
Raises TypeError if place is not context wrapped
+
+ Note: calling traverse with a path argument taken from an untrusted
+ source, such as an HTTP request form variable, is a bad idea.
+ It could allow a maliciously constructed request to call
+ code unexpectedly.
"""
if not _isWrapper(place):
raise TypeError, "Not enough context information to traverse"
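Review bot: The added note warns callers off untrusted `path` values but does not say what the concrete risk is or what a caller should do instead, so a reader is left with "bad idea" and no actionable guidance. Since `traverse` resolves an arbitrary path string relative to `place`, a request-controlled path can presumably name any object reachable by traversal rather than only the ones the application meant to expose, which is the "call code unexpectedly" case the note alludes to; stating that explicitly makes the warning useful. I would reword the paragraph along the lines of `Never pass a path derived from an untrusted source (e.g. an HTTP form or query value) to this function: the path names arbitrary objects reachable from \`place\`, so a crafted request could reach and invoke code the application never intended to expose. Validate the path against a fixed set of allowed names, or build it from application-controlled values only, before calling.` The exact protections the publisher applies when `request` is supplied are not visible in this hunk, so the note should not promise that passing `request` makes an untrusted path safe. The body of `traverse` continues beyond the end of the hunk.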