Issue #729 resolved

RoutesDispatcher doesn't check for exposed

Anonymous created an issue

The current !RoutesDispatcher lacks an exposed attribute check (like the default dispatcher does).

Reported by andcycle@andcycle.idv.tw

Comments (8)

  1. Anonymous

    I have some issue with this ticket actually because we never implied that the Routes dispatcher would actually check for the exposed attribute and if we start doing it now we will break a lot of applications. The exposed attribute was more specific to the built-in dispatcher and I'm not sure it would bring anything using it with Routes.

    Unless there is a strong use case with this ticket I'd rather close it as invalid.

  2. Robert Brewer

    I tend to agree. The exposed attribute was introduced to eliminate security issues arising from unintended function exposure. The routes dispatcher has a well-defined mechanism for avoiding that: don't point to such functions. Perhaps a doc improvement si in order, though.

  3. Log in to comment