[Twisted-Python] Can't check elements without uri in twisted.words.xish.domish.Element
G'day,
in the method "elements" of twisted.words.xish.domish.Element, the function "generateElementsQNamed" is called even if the uri is None, so the uri is checked against None instead of not checked at all.
I think the function "generateElementsNamed" should be called instead; it looks like a bug to me. Can you confirm?
cheers
Goffi
On 2013-09-04 16:43, Goffi wrote:
> G'day,
> in the method "elements" of twisted.words.xish.domish.Element, the function "generateElementsQNamed" is called even if the uri is None, so the uri is checked against None instead of not checked at all.
> I think the function "generateElementsNamed" should be called instead; it looks like a bug to me. Can you confirm?

The docstring says you have to either pass in both or not. I would say your suggestion is a feature request at best.
If we would call generateElementsNamed when only the name parameter is set, you might get unrelated child elements in a different namespace than you are looking for. I can imagine cases where this becomes an attack vector. IMO, you should *always* pass in the fully qualified name here.
The other permutation that is not currently supported, where you do pass in the URI but not the local name, seems more useful to me.
--
ralphm
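
The namespace point made in the reply above, as an added example that is not part of the original thread and is not Twisted's code: it uses the standard library's ElementTree instead of domish to contrast a local-name-only match with a qualified (uri, name) match, including the uri=None case. The helper names, the stanza and the `urn:example:untrusted` namespace are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stanza: two <x/> children share a local name but live in
# different namespaces. "urn:example:untrusted" is a made-up namespace.
STANZA = """
<message xmlns='jabber:client' from='peer@example.org'>
  <x xmlns='urn:example:untrusted'><field var='role'>admin</field></x>
  <x xmlns='jabber:x:data'><field var='role'>member</field></x>
</message>
"""

def split_qname(tag):
    """Split ElementTree's '{uri}local' tag into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return None, tag

def elements_named(parent, name):
    """Local-name-only match: the namespace is not checked at all."""
    return [c for c in parent if split_qname(c.tag)[1] == name]

def elements_qnamed(parent, uri, name):
    """Qualified match: uri=None only matches children with no namespace."""
    return [c for c in parent if split_qname(c.tag) == (uri, name)]

def first_role(children):
    """Read the 'role' field from the first matched child, if any."""
    for child in children:
        for field in child:
            if field.get("var") == "role":
                return field.text
    return None

root = ET.fromstring(STANZA.strip())
by_name = elements_named(root, "x")                     # both <x/> children
by_qname = elements_qnamed(root, "jabber:x:data", "x")  # only the data form
by_none = elements_qnamed(root, None, "x")              # uri compared to None

if __name__ == "__main__":
    print("name only      :", len(by_name), "match(es), role =", first_role(by_name))
    print("uri + name     :", len(by_qname), "match(es), role =", first_role(by_qname))
    print("uri=None + name:", len(by_none), "match(es)")
```

A handler that takes the first name-only match reads the field from the unrelated namespace, while the qualified lookup returns only the element it asked for.
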
Ok, thanks for the precisions.

On 05/09/2013 13:24, Ralph Meijer wrote:
> On 2013-09-04 16:43, Goffi wrote:
> > G'day,
> > in the method "elements" of twisted.words.xish.domish.Element, the function "generateElementsQNamed" is called even if the uri is None, so the uri is checked against None instead of not checked at all.
> > I think the function "generateElementsNamed" should be called instead; it looks like a bug to me. Can you confirm?
>
> The docstring says you have to either pass in both or not. I would say your suggestion is a feature request at best.
> If we would call generateElementsNamed when only the name parameter is set, you might get unrelated child elements in a different namespace than you are looking for. I can imagine cases where this becomes an attack vector. IMO, you should *always* pass in the fully qualified name here.
> The other permutation that is not currently supported, where you do pass in the URI but not the local name, seems more useful to me.
participants (2)
- Goffi
- Ralph Meijer