[albatross-users] Easy to recreate the OpenID problem on object-craft site itself
Andrew McNamara
andrewm at object-craft.com.au
Fri Mar 16 11:47:24 EST 2007
>try http://www.object-craft.com.au/cgi-bin/alsamp/form4/form.py?funny.field=2
>and see the error you get.
>
>Maybe there's even a way to inject stuff into object this way. Have no
>time to check. Would rather write my app at the moment, but there are
>many kids out there ;)
This is how it's meant to work. I was hoping to point you at the section
of the manual that talks about this, but it doesn't seem to exist,
which is a bit unfortunate.
The code that implements this is in context.py, NamespaceMixin.set_value.
You will see there is a fairly complex state machine that emulates a
subset of Python expression parsing (. and []).
--
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
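
An illustrative sketch of the kind of field-name parser described in the reply above, added here as an example and not Albatross's own code. The names `parse_path`, `set_value` and `FieldNameError` are hypothetical, and rejecting names that start with an underscore is an assumption of this sketch, not documented Albatross behaviour.

```python
import re

# Illustrative only: not Albatross's NamespaceMixin.set_value.
_IDENT = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")  # assumption: no leading '_'

class FieldNameError(ValueError):
    """Raised for a field name this sketch refuses to resolve."""

def _ident(s):
    if not _IDENT.match(s):  # rejects '', '_x', '__class__'
        raise FieldNameError("bad name %r" % s)
    return s

def parse_path(name):
    """Split 'a.b[2].c' into ['a', 'b', 2, 'c'] with a small state machine."""
    tokens, buf, state = [], "", "ident"
    for ch in name:
        if state == "ident" and ch in ".[":
            tokens.append(_ident(buf))
            buf, state = "", ("ident" if ch == "." else "index")
        elif state == "index" and ch == "]":
            if not re.fullmatch(r"[0-9]+", buf):
                raise FieldNameError("bad index %r" % buf)
            tokens.append(int(buf))
            buf, state = "", "after_index"
        elif state != "after_index":
            buf += ch  # accumulate identifier or index characters
        elif ch in ".[":  # only '.' or '[' may follow ']'
            state = "ident" if ch == "." else "index"
        else:
            raise FieldNameError("unexpected %r after ']'" % ch)
    if state == "index":
        raise FieldNameError("unterminated '['")
    if state == "ident":
        tokens.append(_ident(buf))
    return tokens

def set_value(root, name, value):
    """Walk the parsed path from root and assign value at the leaf."""
    *parents, leaf = parse_path(name)
    try:
        for tok in parents:
            root = root[tok] if isinstance(tok, int) else getattr(root, tok)
        if isinstance(leaf, int):
            root[leaf] = value
        else:
            setattr(root, leaf, value)
    except (AttributeError, IndexError, TypeError) as exc:
        raise FieldNameError("cannot resolve %r: %s" % (name, exc)) from None
```

With this sketch, a field name such as `funny.field` sent to a namespace that has no `funny` attribute surfaces as a single `FieldNameError` that the application can handle in one place.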