Ticket #729 (enhancement)
Opened 10 months ago
Last modified 4 months ago
RoutesDispatcher doesn't check for exposed
Status: closed (fixed)
| Reported by: | andcycle@andcycle.idv.tw | Assigned to: | lawouach |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | CherryPy code | Keywords: | |
| Cc: |
The current RoutesDispatcher lacks an exposed attribute check (like the default dispatcher does).
Change History
09/16/07 04:56:48: Modified by guest
09/18/07 12:02:37: Modified by fumanchu
- description changed.
- summary changed from bugs in RoutesDispatcher? to RoutesDispatcher doesn't check for exposed.
Reduced and reformatted.
01/16/08 16:45:36: Modified by lawouach
- owner changed from rdelon to lawouach.
- status changed from new to assigned.
- milestone set to 3.1.
02/18/08 13:22:13: Modified by lawouach
I have some issue with this ticket actually because we never implied that the Routes dispatcher would actually check for the exposed attribute and if we start doing it now we will break a lot of applications. The exposed attribute was more specific to the built-in dispatcher and I'm not sure it would bring anything using it with Routes.
Unless there is a strong use case with this ticket I'd rather close it as invalid.
02/18/08 13:27:41: Modified by fumanchu
I tend to agree. The exposed attribute was introduced to eliminate security issues arising from unintended function exposure. The routes dispatcher has a well-defined mechanism for avoiding that: don't point to such functions. Perhaps a doc improvement si in order, though.
03/07/08 14:46:11: Modified by fumanchu
- status changed from assigned to closed.
- resolution set to fixed.
Fixed in PageHandlers.
2. REOP #719 #706