[Twisted-Python] Can't check elements without uri in twisted.words.xish.domish.Element

Goffi goffi at goffi.org
Fri Sep 6 14:42:14 MDT 2013


Ok thanks for the precisions.

On 05/09/2013 13:24, Ralph Meijer wrote:
> On 2013-09-04 16:43, Goffi wrote:
>> G'day,
>>
>> in the method "elements" of twisted.words.xish.domish.Element, the
>> function "generateElementsQNamed" is called even if the uri is None, so
>> the uri is checked against None instead of not checked at all.
>>
>> I think the function "generateElementsNamed" should be called instead,
>> it looks like a bug to me.
>> Can you confirm?
>
> The docstring says you have to either pass in both or not. I would say
> your suggestion is a feature request at best.
>
> If we would call generateElementsNamed when only the name parameter is
> set, you might get unrelated child elements in a different namespace
> than you are looking for. I can imagine cases where this becomes an
> attack vector. IMO, you should *always* pass in the fully qualified name
> here.
>
> The other permutation that is not currently supported, where you do pass
> in the URI but not the local name, seems more useful to me.
>
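
The namespace concern raised in the quoted reply, as an added example that is not part of the original thread and not Twisted's code. It uses the standard library's ElementTree rather than domish; the helper names, the sample stanza and both `urn:example:` namespaces are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stanza: two <x/> children with the same local name, one in an
# unrelated namespace and one in the namespace the application expects.
STANZA = """
<message xmlns='jabber:client' from='room@chat.example/nick'>
  <x xmlns='urn:example:untrusted'><role>admin</role></x>
  <x xmlns='urn:example:trusted'><role>member</role></x>
</message>
""".strip()

TRUSTED_NS = "urn:example:trusted"  # assumption: the namespace we mean to read


def split_qname(tag):
    """Split ElementTree's '{uri}local' tag form into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return None, tag


def children_named(parent, name):
    """Name-only match: the namespace is ignored entirely."""
    return [c for c in parent if split_qname(c.tag)[1] == name]


def children_qnamed(parent, uri, name):
    """Qualified match: namespace URI and local name must both agree."""
    return [c for c in parent if split_qname(c.tag) == (uri, name)]


def first_role(children):
    """Text of the <role> child of the first matched element, if any."""
    for child in children:
        for sub in child:
            if split_qname(sub.tag)[1] == "role":
                return sub.text
    return None


def demo():
    msg = ET.fromstring(STANZA)
    loose = children_named(msg, "x")
    strict = children_qnamed(msg, TRUSTED_NS, "x")
    return first_role(loose), first_role(strict), len(loose), len(strict)


if __name__ == "__main__":
    print(demo())
```

Code that takes the first name-only match reads the value from the unrelated namespace, while the qualified lookup returns only the element the application actually defined.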
