Commit 45af9271 authored by Stefan H. Holek's avatar Stefan H. Holek

Backported r41704:41705 from 2.9 branch because it is a security fix.

Under Python 2.4 the ZPublisher would allow publication of 'set' and
'frozenset' attributes.
parent 6d2ee1b0
...@@ -28,7 +28,8 @@ Zope Changes ...@@ -28,7 +28,8 @@ Zope Changes
Bugs Fixed Bugs Fixed
- ZPublisher.BaseRequest: The publisher would happily publish attributes - ZPublisher.BaseRequest: The publisher would happily publish attributes
of type 'bool' and 'complex'. of type 'bool' and 'complex', as well as Python 2.4's 'set' and
'frozenset'.
- Collector #1991: ZPublisher did not deal properly with a trailing - Collector #1991: ZPublisher did not deal properly with a trailing
%20 in the URL %20 in the URL
......
...@@ -566,6 +566,7 @@ def old_validation(groups, request, auth, ...@@ -566,6 +566,7 @@ def old_validation(groups, request, auth,
# Zope 3 by then :) # Zope 3 by then :)
import types import types
import sys
itypes = {} itypes = {}
for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType', for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType',
...@@ -576,6 +577,11 @@ for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType', ...@@ -576,6 +577,11 @@ for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType',
if hasattr(types, name): if hasattr(types, name):
itypes[getattr(types, name)] = 0 itypes[getattr(types, name)] = 0
# Python 2.4 no longer maintains the types module.
if sys.version_info >= (2, 4):
itypes[set] = 0
itypes[frozenset] = 0
def typeCheck(obj, deny=itypes): def typeCheck(obj, deny=itypes):
# Return true if its ok to publish the type, false otherwise. # Return true if its ok to publish the type, false otherwise.
return deny.get(type(obj), 1) return deny.get(type(obj), 1)
...@@ -239,6 +239,17 @@ class TestBaseRequest(TestCase): ...@@ -239,6 +239,17 @@ class TestBaseRequest(TestCase):
self.assertRaises(NotFound, r.traverse, 'folder/simpleBoolean') self.assertRaises(NotFound, r.traverse, 'folder/simpleBoolean')
self.assertRaises(NotFound, r.traverse, 'folder/simpleComplex') self.assertRaises(NotFound, r.traverse, 'folder/simpleComplex')
import sys
if sys.version_info >= (2, 4):
def test_traverse_set_type(self):
from ZPublisher import NotFound
self.f1.simpleSet = set([])
self.f1.simpleFrozenSet = frozenset([])
r = self.makeBaseRequest()
self.assertRaises(NotFound, r.traverse, 'folder/simpleSet')
self.assertRaises(NotFound, r.traverse, 'folder/simpleFrozenSet')
def test_suite(): def test_suite():
return TestSuite( ( makeSuite(TestBaseRequest), ) ) return TestSuite( ( makeSuite(TestBaseRequest), ) )
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment