[Zope] assignment to form records

Dylan Reinhardt zope@dylanreinhardt.com
Mon, 10 Mar 2003 00:31:34 -0800


At 10:34 PM 3/9/2003, Edward Muller wrote:
>All that things like :record and :records do (after reading various
>docs) is pass a variable named items with the following attributes
>.desc, .item, .qty. What you do with that variable is then up to you.

Indeed.

>I don't see how using this functionality is in any way a security hole.

By itself, it's probably not. But it facilitates insecure coding habits.

I already suspect that poor validation is rampant in Zope.  One of the 
classic questions that pops up here from time to time is how you're 
supposed to capture the "off" value of checkboxes when you only get 
information on the ones that are checked.  This question betrays a deep, 
dark secret lurking in many web apps: many developers have no idea what 
fields to expect nor what rules their data can be validated against.

Relying on the client to pass along special type & structure codes suggests 
a similarly high level of uncertainty as to what data is expected and what 
rules it should be validated against.  It's not the feature itself, but the 
avoidance of validation that gives me concern.

But every application has its own requirements and its own 
environment.  Each of us needs to determine what level of paranoia is 
justified by the specific requirements of each system.

Dylan
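The validation Dylan argues for, as an added example that is neither from this thread nor Zope's own code: a server-side schema decides which fields to expect, treats an absent checkbox as "off", and ignores the type suffixes the client appends to field names. `Field`, `ORDER_SCHEMA`, `strip_type_code` and the sample submissions are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    kind: str            # "str", "int" or "checkbox"
    required: bool = True
    max_len: int = 200

# Server-side schema (assumed for illustration): the application, not the
# browser, decides which fields exist and how each one is typed.
ORDER_SCHEMA = (
    Field("desc", "str"),
    Field("qty", "int"),
    Field("gift_wrap", "checkbox", required=False),  # absent when unchecked
)

def strip_type_code(name):
    """'qty:int' or 'desc:record' -> bare name; the client's suffix is not trusted."""
    return name.split(":", 1)[0]

def validate_form(raw_form, schema=ORDER_SCHEMA):
    """Check submitted fields against the schema; return (clean_values, errors)."""
    submitted = {strip_type_code(k): v for k, v in raw_form.items()}
    clean, errors = {}, []
    for f in schema:
        if f.kind == "checkbox":
            # Browsers omit unchecked boxes: absence means "off", not "missing".
            clean[f.name] = f.name in submitted
        elif f.name not in submitted:
            if f.required:
                errors.append("missing field: %s" % f.name)
        elif f.kind == "int":
            value = submitted[f.name]
            if value.isdigit():
                clean[f.name] = int(value)
            else:
                errors.append("bad integer for %s: %r" % (f.name, value))
        elif len(submitted[f.name]) <= f.max_len:
            clean[f.name] = submitted[f.name]
        else:
            errors.append("%s too long" % f.name)
    # Fields the schema never declared are rejected, not silently accepted.
    for extra in sorted(set(submitted) - {f.name for f in schema}):
        errors.append("unexpected field: %s" % extra)
    return clean, errors

# Constructed sample submissions, not captured traffic.
GOOD_FORM = {"desc:string": "widget", "qty:int": "3"}
BAD_FORM = {"desc": "widget", "qty:int": "-3", "gift_wrap": "on", "is_admin": "1"}
```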