- prevent the creation of object IDs that look like views (#598)

zopefoundation · May 9, 2019 · fe0bc43 · fe0bc43
1 parent fdf9708
commit fe0bc43
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -14,6 +14,9 @@ https://github.com/zopefoundation/Zope/blob/4.0a6/CHANGES.rst
 Fixes
 +++++
 
+- Make sure new object IDs don't clash with the views lookup mechanism
+  (`#591 <https://github.com/zopefoundation/Zope/issues/591>`_)
+
 - Be more careful when guessing at encoding for document template types
 
 - Ensure a redirect path does not get URL-encoded twice

diff --git a/src/OFS/ObjectManager.py b/src/OFS/ObjectManager.py
@@ -125,6 +125,10 @@ def checkValidId(self, id, allow_dup=0):
         raise BadRequest(
             'The id "%s" is invalid because it '
             'ends with two underscores.' % id)
+    if id.startswith('@@') or id.startswith('++'):
+        raise BadRequest(
+            'The id "%s" is invalid because it starts with characters '
+            'reserved for Zope views lookup.' % id)
     if not allow_dup:
         obj = getattr(self, id, None)
         if obj is not None:

diff --git a/src/OFS/tests/testObjectManager.py b/src/OFS/tests/testObjectManager.py
@@ -396,6 +396,8 @@ def test_setObject_checkId_bad(self):
         self.assertRaises(BadRequest, om._setObject, 'foo>bar', si)
         self.assertRaises(BadRequest, om._setObject, 'foo<bar', si)
         self.assertRaises(BadRequest, om._setObject, 'foo/bar', si)
+        self.assertRaises(BadRequest, om._setObject, '@@ohno', si)
+        self.assertRaises(BadRequest, om._setObject, '++ohno', si)
 
     def test_getsetitem(self):
         om = self._makeOne()