[Zope-Checkins] CVS: Zope/lib/python/App - Product.py:1.57 special_dtml.py:1.23

Martijn Pieters mj@zope.com
Thu, 1 Aug 2002 12:01:10 -0400


Update of /cvs-repository/Zope/lib/python/App
In directory cvs.zope.org:/tmp/cvs-serv9325/lib/python/App

Modified Files:
	Product.py special_dtml.py 
Log Message:
Big change

- Make DTML automatically html quote data indirectly taken from REQUEST
  which contain a '<'. Make sure (almost) all string operations preserve the
  taint on this data.

- Fix exceptions that use REQUEST data; quote the data.

- Don't let form and cookie values mask the REQUEST computed values such as
  URL0 and BASE1.


=== Zope/lib/python/App/Product.py 1.56 => 1.57 ===
 import re, zlib, Globals, cPickle, marshal, rotor
 import ZClasses, ZClasses.ZClass, AccessControl.Owned
 from urllib import quote
+from cgi import escape
 
 from OFS.Folder import Folder
 from Factory import Factory
@@ -254,14 +255,14 @@
         "Product Distributions"
 
         def __bobo_traverse__(self, REQUEST, name):
-            if name[-7:] != '.tar.gz': raise 'Invalid Name', name
+            if name[-7:] != '.tar.gz': raise 'Invalid Name', escape(name)
             l=name.find('-')
             id, version = name[:l], name[l+1:-7]
             product=self.aq_parent
             if product.id==id and product.version==version:
                 return Distribution(product)
 
-            raise 'Invalid version or product id', name
+            raise 'Invalid version or product id', escape(name)
 
     Distributions=Distributions()
 
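Review bot: `l=name.find('-')` on the line after the new `raise 'Invalid Name', escape(name)` is never checked for -1, so a name with no dash (a constructed example: `foo.tar.gz`) silently becomes `id = name[:-1]` and `version = name[:-7]` and only fails later on the product comparison; a guard right after the find keeps the rejection explicit and escaped the same way: `if l < 0: raise 'Invalid Name', escape(name)`. Both new raises use `cgi.escape` at its default, which converts `<`, `>` and `&` but leaves double quotes alone; that is sufficient when the message is rendered as element text, but if the error page ever places it inside an attribute, `escape(name, 1)` would be the safer form — the rendering path is not visible from this hunk. The enclosing class `Distributions` starts before the hunk.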


=== Zope/lib/python/App/special_dtml.py 1.22 => 1.23 ===
             # We're first, so get the REQUEST.
             try:
                 req = self.aq_acquire('REQUEST')
+                if hasattr(req, 'taintWrapper'):
+                    req = req.taintWrapper()
             except: pass
             bound_data['REQUEST'] = req
             ns.this = bound_data['context']