Commit 10837a2e authored by 's avatar

Added denial for names that dont make sense

parent 2482f85a
...@@ -82,7 +82,7 @@ ...@@ -82,7 +82,7 @@
# attributions are listed in the accompanying credits file. # attributions are listed in the accompanying credits file.
# #
############################################################################## ##############################################################################
__version__='$Revision: 1.34 $'[11:-2] __version__='$Revision: 1.35 $'[11:-2]
from string import join, split, find, rfind, lower, upper from string import join, split, find, rfind, lower, upper
from urllib import quote from urllib import quote
...@@ -244,8 +244,9 @@ class BaseRequest: ...@@ -244,8 +244,9 @@ class BaseRequest:
if path[-1:]=='/': path=path[:-1] if path[-1:]=='/': path=path[:-1]
clean=[] clean=[]
for item in split(path, '/'): for item in split(path, '/'):
# Make sure that REQUEST cannot be traversed. # Make sure that certain things that dont make sense
if item == 'REQUEST': # cannot be traversed.
if item in ('REQUEST', 'aq_self', 'aq_base'):
return response.notFoundError(path) return response.notFoundError(path)
if not item or item=='.': if not item or item=='.':
continue continue
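Review bot: The new test `item in ('REQUEST', 'aq_self', 'aq_base')` is an exact-match deny-list, so other acquisition-wrapper attributes such as `aq_parent` or `aq_inner` still pass it unless a later traversal step rejects them; the loop body continues past the end of this hunk, so that cannot be confirmed here. If the intent is that no wrapper internals are ever publishable, a prefix test is harder to outgrow: `if item == 'REQUEST' or item[:3] == 'aq_':`. Confirm first that no legitimately published object uses an `aq_` name. The comment should also state the reason rather than "dont make sense", e.g. `# REQUEST and acquisition-wrapper attributes must never be reachable by URL traversal.`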