Request objects should not be publishable
Bug #789863 reported by Alan Hoey
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Zope 2 | Fix Released | High | Tres Seaver | |
Bug Description
Request objects are currently publishable; there is a check to prevent objects with the id "REQUEST" from being published, but this doesn't catch situations like browser views, where the request commonly is lowercase (e.g. @@absolute_
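A constructed illustration of the two checks the description contrasts: the id-based check that refuses only the literal name "REQUEST", and a check on the traversed object's type, which refuses the request under any attribute name. This is an added example, not Zope's code; the Request, View and Root classes and the traversal function are simplified stand-ins.

```python
class Request:
    """Stand-in for the HTTP request object (constructed; not Zope's class)."""
    def __init__(self, headers):
        self.headers = headers

    def __str__(self):
        # Publishing the request renders it: this is how headers/cookies leak.
        return "Request(%r)" % (self.headers,)

class View:
    """Stand-in for a browser view; it stores the request under the lowercase
    name 'request', which an id-based check on 'REQUEST' does not cover."""
    def __init__(self, request):
        self.request = request
        self.REQUEST = request

class Root:
    def __init__(self, request):
        self.view = View(request)

class NotFound(Exception):
    pass

def _traverse(root, path, is_blocked):
    """Walk path attribute by attribute; is_blocked(name, obj) vetoes a step."""
    obj = root
    for name in path.split("/"):
        try:
            obj = getattr(obj, name)
        except AttributeError:
            raise NotFound(name)
        if is_blocked(name, obj):
            raise NotFound(name)
    return str(obj)

def publish_by_name(root, path):
    # Id-based check as described in the bug: only the literal id 'REQUEST'
    # is refused, so 'view/request' slips through.
    return _traverse(root, path, lambda name, obj: name == "REQUEST")

def publish_by_type(root, path):
    # Type-based check: a request instance is refused under any name.
    return _traverse(root, path, lambda name, obj: isinstance(obj, Request))

def is_published(publisher, root, path):
    """True if the publisher renders the path, False if it refuses it."""
    try:
        publisher(root, path)
        return True
    except NotFound:
        return False
```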
information type: Private Security → Public Security
Changed in zope2: milestone: none → 2.13.23; status: Confirmed → Fix Committed
Changed in zope2: status: Fix Committed → Fix Released; assignee: nobody → Tres Seaver (tseaver)
Hmm, I wonder if we should maybe override the request's __str__ (or whatever is called to publish it) with a version that reports very little information and doesn't leak anything.
The request might commonly be referred to as request or REQUEST, but it could be reachable under any other variable name as well.
I'm not aware of any code that relies on str(request) to work, but this needs investigation.