[Zope-Checkins] CVS: Zope/lib/python/Products/StandardCacheManagers
- AcceleratedHTTPCacheManager.py:1.11.6.1
RAMCacheManager.py:1.10.6.1
Tres Seaver
tseaver at zope.com
Thu Jan 8 16:13:41 EST 2004
Update of /cvs-repository/Zope/lib/python/Products/StandardCacheManagers
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Products/StandardCacheManagers
Modified Files:
Tag: Zope-2_6-branch
AcceleratedHTTPCacheManager.py RAMCacheManager.py
Log Message:
- Browsers that do not escape HTML in query strings, such as
Internet Explorer 5.5, could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py 1.11 => 1.11.6.1 ===
--- Zope/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py:1.11 Wed Aug 14 18:25:12 2002
+++ Zope/lib/python/Products/StandardCacheManagers/AcceleratedHTTPCacheManager.py Thu Jan 8 16:13:09 2004
@@ -24,6 +24,7 @@
import Globals
from Globals import DTMLFile
import urlparse, httplib
+from cgi import escape
from urllib import quote
from App.Common import rfc1123_date
@@ -213,7 +214,7 @@
if sort_by == id:
newsr = not sort_reverse
url = url + '&sort_reverse=' + (newsr and '1' or '0')
- return '<a href="%s">%s</a>' % (url, name)
+ return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))
Globals.default__class_init__(AcceleratedHTTPCacheManager)
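Review bot: The href value on the new `return` line is escaped with `escape(url, 1)`, which covers `&`, `<`, `>` and `"` but not `'`; that is sufficient only because the attribute is wrapped in double quotes, so the two should be tied together with a comment such as `# quote=1 also escapes '"': the value sits inside a double-quoted href attribute`. Whether the pieces concatenated into `url` before this hunk (`sort_by`, the `sort_reverse` flag) are percent-encoded cannot be seen here; `escape` prevents HTML injection at output but does not URL-encode, so each parameter value should still go through `quote` where `url` is built. The identical change in RAMCacheManager.py's hunk at @@ -433 would benefit from the same comment. The enclosing function starts outside the hunk.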
=== Zope/lib/python/Products/StandardCacheManagers/RAMCacheManager.py 1.10 => 1.10.6.1 ===
--- Zope/lib/python/Products/StandardCacheManagers/RAMCacheManager.py:1.10 Wed Aug 14 18:25:12 2002
+++ Zope/lib/python/Products/StandardCacheManagers/RAMCacheManager.py Thu Jan 8 16:13:09 2004
@@ -21,6 +21,7 @@
from OFS.Cache import Cache, CacheManager
from OFS.SimpleItem import SimpleItem
from thread import allocate_lock
+from cgi import escape
import time
import Globals
from Globals import DTMLFile
@@ -433,7 +434,7 @@
if sort_by == id:
newsr = not sort_reverse
url = url + '&sort_reverse=' + (newsr and '1' or '0')
- return '<a href="%s">%s</a>' % (url, name)
+ return '<a href="%s">%s</a>' % (escape(url, 1), escape(name))
Globals.default__class_init__(RAMCacheManager)