Collector #1914: Harden 'call_with_ns' against namespaces from other callers.

o Forward-port from 2.7 branch.

Collector #1914: Harden 'call_with_ns' against namespaces from other callers.
o Forward-port from 2.7 branch.
2207e04d · Tres Seaver · 18e43813 · 2207e04d · 2207e04d · 2207e04d
Commit 2207e04d authored Oct 11, 2005 by Tres Seaver
3 changed files
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -33,6 +33,10 @@ Zope Changes

    Bugs Fixed

+      - Collector #1914: Hardened 'call_with_ns' (in
+        'Products.PageTemplates.ZRPythonExpr') against namespaces from other
+        callers than page templates.
+
      - Collector #1490: Added a new zope.conf option to control the
        character set used to encode unicode data that reaches
        ZPublisher without any specified encoding.

--- a/lib/python/Products/PageTemplates/ZRPythonExpr.py
+++ b/lib/python/Products/PageTemplates/ZRPythonExpr.py
@@ -62,8 +62,11 @@ class Rtd(RestrictedDTML, TemplateDict):

 def call_with_ns(f, ns, arg=1):
    td = Rtd()
-    td.this = ns['here']
-    td._push(ns['request'])
+    # prefer 'context' to 'here';  fall back to 'None'
+    this = ns.get('context', ns.get('here'))
+    td.this = this
+    request = ns.get('request', {})
+    td._push(request)
    td._push(InstanceDict(td.this, td))
    td._push(ns)
    try:

--- a/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
+++ b/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
+""" Unit tests for Products.PageTemplates.ZRPythonExpr
+
+$Id
+"""
+import unittest
+
+class MiscTests(unittest.TestCase):
+
+    def test_call_with_ns_prefer_context_to_here(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        context = ['context']
+        here = ['here']
+        request = {'request': 1}
+        names = {'context' : context, 'here': here, 'request' : request}
+        result = call_with_ns(lambda td: td.this, names)
+        self.failUnless(result is context, result)
+
+    def test_call_with_ns_no_context_or_here(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        request = {'request': 1}
+        names = {'request' : request}
+        result = call_with_ns(lambda td: td.this, names)
+        self.failUnless(result is None, result)
+
+    def test_call_with_ns_no_request(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        context = ['context']
+        here = ['here']
+        names = {'context' : context, 'here': here}
+
+        def _find_request(td):
+            ns = td._pop()              # peel off 'ns'
+            instance_dict = td._pop()   # peel off InstanceDict
+            request = td._pop()
+            td._push(request)
+            td._push(instance_dict)
+            td._push(ns)
+            return request
+
+        result = call_with_ns(_find_request, names)
+        self.assertEqual(result, {})
+ 
+def test_suite():
+    return unittest.makeSuite(MiscTests)
+
+if __name__ == '__main__':
+    unittest.main(defaultTest='test_suite')
+