- Removed HTML tags from exception text of ``Unauthorized`` exception

because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed.

- Removed HTML tags from exception text of ``Unauthorized`` exception
because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed.
e5e038ec · Michael Howitz · 634fdeca · e5e038ec · e5e038ec · e5e038ec
Commit e5e038ec authored Jan 25, 2012 by Michael Howitz
4 changed files
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,7 +8,9 @@ http://docs.zope.org/zope2/releases/.
 2.13.13 (unreleased)
 --------------------

- TBD
+- Removed HTML tags from exception text of ``Unauthorized`` exception
+  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
+  fixed.

 2.13.12 (2012-01-18)
 --------------------

--- a/src/ZPublisher/HTTPResponse.py
+++ b/src/ZPublisher/HTTPResponse.py
@@ -747,12 +747,12 @@ class HTTPResponse(BaseResponse):
            self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)

    def unauthorized(self):
-        m = "<strong>You are not authorized to access this resource.</strong>"
+        m = "You are not authorized to access this resource."
        if self.debug_mode:
            if self._auth:
-                m = m + '<p>\nUsername and password are not correct.</p>'
+                m = m + '\nUsername and password are not correct.'
            else:
-                m = m + '<p>\nNo Authorization header found.</p>'
+                m = m + '\nNo Authorization header found.'
        raise Unauthorized, m

    def _setBCIHeaders(self, t, tb):

--- a/src/ZPublisher/tests/exception_handling.txt
+++ b/src/ZPublisher/tests/exception_handling.txt
@@ -192,7 +192,7 @@ Handle zExceptions.Unauthorized raised by BaseRequest.traverse. We take the
    >>> browser.open('http://localhost/test_folder_1_/bar')
    Traceback (most recent call last):
    ...
-    Unauthorized: <strong>You are not authorized to access this resource...
+    Unauthorized: You are not authorized to access this resource...
    >>> browser.contents

 Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'

--- a/src/ZPublisher/tests/testHTTPResponse.py
+++ b/src/ZPublisher/tests/testHTTPResponse.py
@@ -902,8 +902,8 @@ class HTTPResponseTests(unittest.TestCase):
            response.unauthorized()
        except Unauthorized, raised:
            self.assertEqual(response.status, 200) # publisher sets 401 later
-            self.assertTrue("<strong>You are not authorized "
-                            "to access this resource.</strong>" in str(raised))
+            self.assertTrue("You are not authorized "
+                            "to access this resource." in str(raised))
        else:
            self.fail("Didn't raise Unauthorized")

@@ -914,7 +914,7 @@ class HTTPResponseTests(unittest.TestCase):
        try:
            response.unauthorized()
        except Unauthorized, raised:
-            self.assertTrue("<p>\nNo Authorization header found.</p>"
+            self.assertTrue("\nNo Authorization header found."
                            in str(raised))
        else:
            self.fail("Didn't raise Unauthorized")
@@ -927,7 +927,7 @@ class HTTPResponseTests(unittest.TestCase):
        try:
            response.unauthorized()
        except Unauthorized, raised:
-            self.assertTrue("<p>\nUsername and password are not correct.</p>"
+            self.assertTrue("\nUsername and password are not correct."
                            in str(raised))
        else:
            self.fail("Didn't raise Unauthorized")