[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - xmlrpc.py:1.15.2.2
Tres Seaver
tseaver at zope.com
Thu Jan 8 15:38:47 EST 2004
Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv1752/lib/python/ZPublisher
Modified Files:
Tag: Zope-2_6-branch
xmlrpc.py
Log Message:
- XML-RPC marshalling of class instances used the instance
__dict__ to marshal the object, and could include attributes
prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
=== Zope/lib/python/ZPublisher/xmlrpc.py 1.15.2.1 => 1.15.2.2 ===
--- Zope/lib/python/ZPublisher/xmlrpc.py:1.15.2.1 Wed Jul 23 14:14:42 2003
+++ Zope/lib/python/ZPublisher/xmlrpc.py Thu Jan 8 15:38:16 2004
@@ -100,6 +100,16 @@
# Convert Fault object to XML-RPC response.
body=xmlrpclib.dumps(body, methodresponse=1)
else:
+ if type(body) == types.InstanceType:
+ # Avoid disclosing private members. Private members are
+ # by convention named with a leading underscore char.
+ orig = body.__dict__
+ dict = {}
+ for key in orig.keys():
+ if key[:1] != '_':
+ dict[key] = orig[key]
+ body = dict
+
# Marshall our body as an XML-RPC response. Strings will be sent
# strings, integers as integers, etc. We do *not* convert
# everything to a string first.
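Review bot: The `type(body) == types.InstanceType` test added in the `else:` branch filters only when the returned value is itself an instance, so an instance nested inside a list, tuple or dict value still reaches the marshaller unfiltered. Per the log message, marshalling uses the instance `__dict__`, so underscore-prefixed attributes on nested instances would still be disclosed. Consider applying the same key filter recursively over containers, or at the point where instances are marshalled, instead of only on the top-level `body`. As a style point, the local name `dict` shadows the builtin; a name such as `public` would read better. The hunk also depends on `types` being imported in this module, which is not visible in the context shown.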