durusmail: quixote-users: Call for help
Call for help
David Binger
2007-02-01
quixote.__init__.py imports from publish.py, which imports from util.py,
which imports from quixote.html.  This puts the ptl htmltext in the
quixote.util module.  When the methods of StaticDirectory call htmltext,
they get the ptl versions, whether or not the quixote.html namespace has
been subsequently modified to have the qpy versions.

You could work around this particular problem by changing util.py's
import to be just from quixote import html, and then adding "html." to
the uses of TemplateIO and htmltext in that module.  There may be other
html imports, however, that happen before you hack the quixote.html
namespace, and you might not detect that until some unfortunate time
later.

Unless quixote.html commits one way or the other at the time it is
loaded, this vulnerability seems likely to persist.




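The binding behaviour described in the message above, as an added example that is not part of the original post or of Quixote's code. The modules demo_html, demo_util_early and demo_util_late and the two htmltext stand-ins are constructed for illustration; find_stale_bindings is a hypothetical helper that lists module-level names still bound to a replaced object.

```python
import sys
import types

def make_module(name, source):
    """Create and register a throwaway module from source text."""
    mod = types.ModuleType(name)
    sys.modules[name] = mod
    exec(source, mod.__dict__)
    return mod

def ptl_htmltext(s):   # stand-in for the implementation present at load time
    return "ptl:" + s

def qpy_htmltext(s):   # stand-in for the replacement patched in later
    return "qpy:" + s

def build_demo():
    html = make_module("demo_html", "")
    html.htmltext = ptl_htmltext
    # Early binding: the from-import copies the current object into the
    # importing module's own namespace.
    early = make_module("demo_util_early",
        "from demo_html import htmltext\n"
        "def render(s):\n"
        "    return htmltext(s)\n")
    # Workaround from the message: import the module and resolve the
    # attribute on every call.
    late = make_module("demo_util_late",
        "import demo_html as html\n"
        "def render(s):\n"
        "    return html.htmltext(s)\n")
    html.htmltext = qpy_htmltext   # the later namespace swap
    return early, late

def find_stale_bindings(old_objects, prefix=""):
    """Return sorted (module, name) pairs still bound to a replaced object."""
    old_ids = {id(o) for o in old_objects}
    stale = []
    for mod_name, mod in list(sys.modules.items()):
        if mod is None or not mod_name.startswith(prefix):
            continue
        for attr, value in list(getattr(mod, "__dict__", {}).items()):
            if id(value) in old_ids:
                stale.append((mod_name, attr))
    return sorted(stale)

if __name__ == "__main__":
    early, late = build_demo()
    print(early.render("x"), late.render("x"))
    print(find_stale_bindings([ptl_htmltext], prefix="demo_"))
```

Running the check right after the swap, with references to the original objects saved beforehand, surfaces the early imports at startup instead of at render time.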