Martin Aspeli wrote:
On 13/12/09 16:49, Martin Aspeli wrote:
On 13/12/09 10:52, Tres Seaver wrote:
Doesn't smell like a regression to me: the code there hasn't changed in a good long while. Can you write a test case for it, so that we can test against earlier versions?
Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html
This is the same problem.
You said:
"This is because 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts 'python:' expressions; path traversal is still governed by 'boboAwareZopeTraverse', which uses 'restrictedTraverse'."
and then:
"As it turns out, it is only "partially trusted." The attached patch should make them "really trusted", at least for path expressions; does it help? I haven't added any tests, although my 2.10 branch checkout does pass all tests with this change."
The attachment is here:
http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachm...
I'm going to poke around a Zope 2.12 checkout for a bit to see what sense I can make of this.
Okay, so it turns out your patch has gotten lost from Zope 2.10 to Zope 2.12.
This is the revision where it went in:
http://zope3.pov.lt/trac/changeset/77064/Zope/branches/2.10/lib/python/Produ...
I think that by accident this got committed with an unrelated change, since the commit message says "Use Five 1.5.5" and there's a change in svn:externals. Perhaps that's why this wasn't merged to trunk. The latest merge I can see is at r71802.
This also makes me worry about http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/Page... and http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/Page..., which may not have been merged, but I'm too far down the rabbit hole now to see clearly.
Anyway, I re-applied your patch to the Zope 2.12 branch. This broke one test, in Products.Five:
self.assertEqual(engine.types['standard'], ZopePathExpr)
I'd argue that this test is testing for precisely the wrong thing, so I updated this assertion and the ones to follow to check for:
self.assertEqual(engine.types['standard'], TrustedZopePathExpr)
This fixes the original issue I was seeing. All Zope 2.12 and Plone 4 tests pass with this as well.
I also think the fixed test in Five is now correct and sufficient, since it checks that we get the trusted engine for ViewPageTemplateFiles. Maybe we should have a functional test too, but I'm not sure how to set that up.
I've committed this in r106436 and merged to trunk in r106437.
OK, sounds fine to me. Can you merge to the 2.11 branch as well? I think Andreas will be releasing 2.9.x through 2.12.x fairly soon.
If anyone objects, please let me know and I'll back it out. Otherwise, I'm hopeful for a 2.12.2 soon, as this breaks a few things in Plone. :-/
Heh, and after you have just been posting about using SVN develop eggs on your blog. ;)
Tres.