[Zope-Checkins] CVS: Zope/lib/python/App - Product.py:1.55.16.1 special_dtml.py:1.22.16.1
Martijn Pieters
mj@zope.com
Thu, 1 Aug 2002 12:01:28 -0400
Update of /cvs-repository/Zope/lib/python/App
In directory cvs.zope.org:/tmp/cvs-serv9310/lib/python/App
Modified Files:
Tag: Zope-2_5-branch
Product.py special_dtml.py
Log Message:
Big change, merge from trunk.
- Make DTML automatically HTML-quote data indirectly taken from REQUEST
that contains a '<'. Make sure (almost) all string operations preserve the
taint on this data.
- Fix exceptions that use REQUEST data; quote the data.
- Don't let form and cookie values mask the REQUEST computed values such as
URL0 and BASE1.
=== Zope/lib/python/App/Product.py 1.55 => 1.55.16.1 ===
import re, zlib, Globals, cPickle, marshal, rotor
import ZClasses, ZClasses.ZClass, AccessControl.Owned
from urllib import quote
+from cgi import escape
from OFS.Folder import Folder
from string import atoi, find, strip, join
@@ -255,14 +256,14 @@
"Product Distributions"
def __bobo_traverse__(self, REQUEST, name):
- if name[-7:] != '.tar.gz': raise 'Invalid Name', name
+ if name[-7:] != '.tar.gz': raise 'Invalid Name', escape(name)
l=find(name,'-')
id, version = name[:l], name[l+1:-7]
product=self.aq_parent
if product.id==id and product.version==version:
return Distribution(product)
- raise 'Invalid version or product id', name
+ raise 'Invalid version or product id', escape(name)
Distributions=Distributions()
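Review bot: The two `escape(name)` calls in __bobo_traverse__ rely on cgi.escape's default `quote=False`, so a double quote in `name` passes through unchanged; that is enough when the message is rendered as element text, but if the error view ever places the value inside an attribute it would need `escape(name, 1)`. Where the message is rendered is outside this hunk, so the intent deserves a comment on the first raise, e.g. `# name comes straight from the request path and is echoed back in the error, so HTML-quote it`. The `find(name, '-')` result is not checked for -1 on the next line, but that behaviour predates this change.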
=== Zope/lib/python/App/special_dtml.py 1.22 => 1.22.16.1 ===
# We're first, so get the REQUEST.
try:
req = self.aq_acquire('REQUEST')
+ if hasattr(req, 'taintWrapper'):
+ req = req.taintWrapper()
except: pass
bound_data['REQUEST'] = req
ns.this = bound_data['context']
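Review bot: The two added lines sit inside the bare `try: ... except: pass`, so any error raised by `req.taintWrapper()` itself is swallowed and `req` keeps the value assigned on the previous line, i.e. the untainted REQUEST is bound into `bound_data['REQUEST']` and the new quoting protection silently fails open. Move the two lines into an `else:` clause of that `try` so only the acquisition lookup is guarded and a failing wrapper surfaces. Narrowing `except:` to `except AttributeError:` would also be in keeping with what `aq_acquire` raises on a miss, though I cannot tell from this hunk whether other exceptions are expected there. The enclosing function starts outside the hunk.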