Commit aa498e12 authored by Tres Seaver's avatar Tres Seaver

Prevent sandbox escape via 'BaseRequest.traverseName'.

Fixes LP #1095343.
parent 35cd7149
......@@ -8,6 +8,8 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased)
--------------------
- LP #1095343: prevent sandbox escape via ``BaseRequest.traverseName``.
- LP #1094144: prevent arbitrary redirections via faked "CANCEL" buttons.
- LP #1094221: add permissions to some unprotected methods of
......
......@@ -346,6 +346,7 @@ class BaseRequest:
ob2 = adapter.publishTraverse(self, name)
return ob2
traverseName__roles__ = ()
def traverse(self, path, response=None, validated_hook=None):
"""Traverse the object space
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment