Commit e9b5dde3 authored by Florent Guillaume's avatar Florent Guillaume

The '@' character is now allowed in object ids (RFC 1738 allows it).

Expanded tests for _checkId.
parent 17065825
...@@ -29,6 +29,8 @@ Zope Changes ...@@ -29,6 +29,8 @@ Zope Changes
- Collector #1118: Added syntax to dtml-sqlgroup to support flexible - Collector #1118: Added syntax to dtml-sqlgroup to support flexible
generation of 'UPDATE' statements (bounty sponsored by Logicalware). generation of 'UPDATE' statements (bounty sponsored by Logicalware).
- The '@' character is now allowed in object ids (RFC 1738 allows it).
Bugs Fixed Bugs Fixed
- Collector #1863: Prevent possibly sensitive information to leak via - Collector #1863: Prevent possibly sensitive information to leak via
......
...@@ -49,7 +49,7 @@ customImporters={ ...@@ -49,7 +49,7 @@ customImporters={
XMLExportImport.magic: XMLExportImport.importXML, XMLExportImport.magic: XMLExportImport.importXML,
} }
bad_id=re.compile(r'[^a-zA-Z0-9-_~,.$\(\)# ]').search #TS bad_id=re.compile(r'[^a-zA-Z0-9-_~,.$\(\)# @]').search
def checkValidId(self, id, allow_dup=0): def checkValidId(self, id, allow_dup=0):
# If allow_dup is false, an error will be raised if an object # If allow_dup is false, an error will be raised if an object
......
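Review bot: Adding `@` to the allowed class in `bad_id` admits it at every position, so ids that begin with `@` or `@@` now pass the character check. If this tree is deployed with `@@name` view traversal (an assumption, since nothing in this section shows it), an object with such an id would be ambiguous with a view lookup when it appears in a URL path. Consider an explicit guard in `checkValidId`, whose body continues outside the visible lines, that raises `BadRequest` when `id.startswith('@@')`. Separately, the `9-_` run in the class is only a literal hyphen because it follows a completed range; moving the hyphen to the end of the class (`...# @-]`) would make that unambiguous for the next person who edits it.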
...@@ -303,6 +303,41 @@ class ObjectManagerTests( unittest.TestCase ): ...@@ -303,6 +303,41 @@ class ObjectManagerTests( unittest.TestCase ):
om2._setObject(ob.getId(), ob) om2._setObject(ob.getId(), ob)
self.assertRaises(DeleteFailed, om1._delObject, 'om2') self.assertRaises(DeleteFailed, om1._delObject, 'om2')
def test_setObject_checkId_ok(self):
om = self._makeOne()
si = SimpleItem('1')
om._setObject('AB-dash_under0123', si)
si = SimpleItem('2')
om._setObject('ho.bak~', si)
si = SimpleItem('3')
om._setObject('dot.comma,dollar$(hi)hash# space', si)
si = SimpleItem('4')
om._setObject('b@r', si)
si = SimpleItem('5')
om._setObject('..haha', si)
si = SimpleItem('6')
om._setObject('.bashrc', si)
def test_setObject_checkId_bad(self):
from zExceptions import BadRequest
om = self._makeOne()
si = SimpleItem('111')
om._setObject('111', si)
si = SimpleItem('2')
self.assertRaises(BadRequest, om._setObject, 123, si)
self.assertRaises(BadRequest, om._setObject, 'a\x01b', si)
self.assertRaises(BadRequest, om._setObject, 'a\\b', si)
self.assertRaises(BadRequest, om._setObject, 'a:b', si)
self.assertRaises(BadRequest, om._setObject, 'a;b', si)
self.assertRaises(BadRequest, om._setObject, '.', si)
self.assertRaises(BadRequest, om._setObject, '..', si)
self.assertRaises(BadRequest, om._setObject, '_foo', si)
self.assertRaises(BadRequest, om._setObject, 'aq_me', si)
self.assertRaises(BadRequest, om._setObject, 'bah__', si)
self.assertRaises(BadRequest, om._setObject, '111', si)
self.assertRaises(BadRequest, om._setObject, 'REQUEST', si)
self.assertRaises(BadRequest, om._setObject, '/', si)
def test_suite(): def test_suite():
suite = unittest.TestSuite() suite = unittest.TestSuite()
suite.addTest( unittest.makeSuite( ObjectManagerTests ) ) suite.addTest( unittest.makeSuite( ObjectManagerTests ) )
......