[Zope-Checkins] CVS: Zope/lib/python/Products/StandardCacheManagers - AcceleratedHTTPCacheManager.py:1.11.6.1 RAMCacheManager.py:1.10.6.1

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:41 EST 2004


Update of /cvs-repository/Zope/lib/python/Products/StandardCacheManagers
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Products/StandardCacheManagers

Modified Files:
      Tag: Zope-2_6-branch
	AcceleratedHTTPCacheManager.py RAMCacheManager.py 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py 1.11 => 1.11.6.1 ===
--- Zope/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py:1.11	Wed Aug 14 18:25:12 2002
+++ Zope/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py	Thu Jan  8 16:13:09 2004
@@ -24,6 +24,7 @@
 import Globals
 from Globals import DTMLFile
 import urlparse, httplib
+from cgi import escape
 from urllib import quote
 from App.Common import rfc1123_date
 
@@ -213,7 +214,7 @@
         if sort_by == id:
             newsr = not sort_reverse
         url = url + '&sort_reverse=' + (newsr and '1' or '0')
-        return '<a href="%s">%s</a>' % (url, name)
+        return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))
 
 
 Globals.default__class_init__(AcceleratedHTTPCacheManager)
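Review bot: `escape(url, 1)` on the returned line stops the value from breaking out of the double-quoted href attribute, but it does not protect the structure of the URL itself — if any component of `url` assembled before this hunk (for instance a caller-supplied `sort_by`, which is in scope here) is not passed through `quote`, a value containing `&` or `=` can still add query parameters to the link even though it can no longer inject markup. The method that builds `url` starts outside this hunk, so this needs confirming against its first lines; `quote` is already imported at line 30 of this file. The RAMCacheManager.py hunk has the identical line and the same open question. A brief comment on the fixed line would save the next reader from re-deriving the reasoning: `# quote=1 also encodes '"' so the href value cannot be closed early; name is element text, so plain escape() suffices`.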


=== Zope/lib/python/Products/StandardCacheManagers/RAMCacheManager.py 1.10 => 1.10.6.1 ===
--- Zope/lib/python/Products/StandardCacheManagers/RAMCacheManager.py:1.10	Wed Aug 14 18:25:12 2002
+++ Zope/lib/python/Products/StandardCacheManagers/RAMCacheManager.py	Thu Jan  8 16:13:09 2004
@@ -21,6 +21,7 @@
 from OFS.Cache import Cache, CacheManager
 from OFS.SimpleItem import SimpleItem
 from thread import allocate_lock
+from cgi import escape
 import time
 import Globals
 from Globals import DTMLFile
@@ -433,7 +434,7 @@
         if sort_by == id:
             newsr = not sort_reverse
         url = url + '&sort_reverse=' + (newsr and '1' or '0')
-        return '<a href="%s">%s</a>' % (url, name)
+        return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))
 
 Globals.default__class_init__(RAMCacheManager)
 



