[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - BaseRequest.py:1.50.2.1

Brian Lloyd brian@zope.com
Fri, 30 May 2003 11:22:01 -0400 

Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv21361

Modified Files:
      Tag: Zope-2_6-branch
	BaseRequest.py 
Log Message:
Fix for objects becoming publishable under Python 2.2.2 due to docstrings 
being added to built-in types.


=== Zope/lib/python/ZPublisher/BaseRequest.py 1.50 => 1.50.2.1 ===
--- Zope/lib/python/ZPublisher/BaseRequest.py:1.50	Thu Aug 29 15:35:00 2002
+++ Zope/lib/python/ZPublisher/BaseRequest.py	Fri May 30 11:22:00 2003
@@ -344,6 +344,17 @@
                         "published." % URL
                         )
 
+                # Hack for security: in Python 2.2.2, most built-in types
+                # gained docstrings that they didn't have before. That caused
+                # certain mutable types (dicts, lists) to become publishable
+                # when they shouldn't be. The following check makes sure that
+                # the right thing happens in both 2.2.2+ and earlier versions.
+                
+                if not typeCheck(subobject):
+                    return response.debugError(
+                        "The object at %s is not publishable." % URL
+                        )
+
                 r = getattr(subobject, '__roles__', UNSPECIFIED_ROLES)
                 if r is not UNSPECIFIED_ROLES:
                     roles = r
@@ -490,3 +501,27 @@
             """<strong>You are not authorized to access this resource""")
 
     return None
+
+
+
+# This mapping contains the built-in types that gained docstrings
+# between Python 2.1 and 2.2.2. By specifically checking for these
+# types during publishing, we ensure the same publishing rules in
+# both versions. The downside is that this needs to be extended as
+# new built-in types are added and future Python versions are
+# supported. That happens rarely enough that hopefully we'll be on
+# Zope 3 by then :)
+
+import types
+
+itypes = {}
+for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType',
+             'BufferType', 'TupleType', 'ListType', 'DictType', 'XRangeType',
+             'SliceType', 'EllipsisType', 'UnicodeType', 'CodeType',
+             'TracebackType', 'FrameType', 'DictProxyType'):
+    if hasattr(types, name):
+        itypes[getattr(types, name)] = 0
+
+def typeCheck(obj, deny=itypes):
+    # Return true if its ok to publish the type, false otherwise.
+    return deny.get(type(obj), 1)