[Zope-Checkins] CVS: Zope/lib/python/Shared/DC/ZRDB - Aqueduct.py:1.56.6.1 Connection.py:1.35.6.3 Search.py:1.20.6.1

Tres Seaver tseaver at zope.com
Thu Jan 8 16:13:43 EST 2004


Update of /cvs-repository/Zope/lib/python/Shared/DC/ZRDB
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/Shared/DC/ZRDB

Modified Files:
      Tag: Zope-2_6-branch
	Aqueduct.py Connection.py Search.py 
Log Message:


   - Browsers that do not escape html in query strings such as 
     Internet Explorer 5.5 could potentially send a script tag in a 
     query string to the ZSearch interface for cross-site scripting.
     See Collector #813 for other XSS-related rationale.


=== Zope/lib/python/Shared/DC/ZRDB/Aqueduct.py 1.56 => 1.56.6.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/Aqueduct.py:1.56	Wed Aug 14 17:50:59 2002
+++ Zope/lib/python/Shared/DC/ZRDB/Aqueduct.py	Thu Jan  8 16:13:12 2004
@@ -157,7 +157,7 @@
                 '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\n'
                 '<html lang="en"><head><title>%s Input Data</title></head>\n'
                 '<body bgcolor="#FFFFFF" link="#000099" vlink="#555555">\n%s\n'
-                '<form action="<dtml-var URL2>/<dtml-var id>/%s" '
+                '<form action="&dtml-URL2;/&dtml-id;/%s" '
                 'method="get">\n'
                 '<h2>%s Input Data</h2>\n'
                 'Enter query parameters:<br>'
@@ -186,7 +186,7 @@
                 '<dtml-if HTTP_REFERER>\n'
                 '  <input type="SUBMIT" name="SUBMIT" value="Cancel">\n'
                 '  <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"\n'
-                '         VALUE="<dtml-var HTTP_REFERER>">\n'
+                '         VALUE="&dtml-HTTP_REFERER;">\n'
                 '</dtml-if>\n'
                 '</td></tr>\n</table>\n</form>\n</body>\n</html>\n'
                 )
@@ -196,7 +196,7 @@
             '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\n'
             '<html lang="en"><head><title>%s Input Data</title></head>\n'
             '<body bgcolor="#FFFFFF" link="#000099" vlink="#555555">\n%s\n'
-            '<form action="<dtml-var URL2>/<dtml-var id>/%s" '
+            '<form action="&dtml-URL2;/&dtml-id;/%s" '
             'method="get">\n'
             '<h2>%s Input Data</h2>\n'
             'This query requires no input.<p>\n'
@@ -204,7 +204,7 @@
             '<dtml-if HTTP_REFERER>\n'
             '  <input type="SUBMIT" name="SUBMIT" value="Cancel">\n'
             '  <INPUT NAME="CANCEL_ACTION" TYPE="HIDDEN"\n'
-            '         VALUE="<dtml-var HTTP_REFERER>">\n'
+            '         VALUE="&dtml-HTTP_REFERER;">\n'
             '</dtml-if>\n'
             '</td></tr>\n</table>\n</form>\n</body>\n</html>\n'
             % (id, tabs, action, id)
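Review bot: The `%s` placeholders in this string still receive `id` and `action` raw through `% (id, tabs, action, id)` on the last line of the hunk, while the DTML parts of the same markup now go through `&dtml-…;` (which DTML renders html-quoted) and the Connection.py hunk escapes `self.id` for the same reason; the hunks at `@@ -157`, `@@ -186` and `@@ -196` carry the same raw `%s` placeholders, with the first method's substitution tuple outside its hunks. Whether Zope's id validation already excludes markup characters, and where `action` comes from, is not visible here, so the consistent treatment is `% (escape(id), tabs, escape(action, 1), escape(id))` with `from cgi import escape` added to this file's imports as the other two files do; `tabs` is generated HTML and must stay unescaped. Both enclosing methods start outside the hunks.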


=== Zope/lib/python/Shared/DC/ZRDB/Connection.py 1.35.6.2 => 1.35.6.3 ===
--- Zope/lib/python/Shared/DC/ZRDB/Connection.py:1.35.6.2	Wed Oct 22 16:31:06 2003
+++ Zope/lib/python/Shared/DC/ZRDB/Connection.py	Thu Jan  8 16:13:12 2004
@@ -25,6 +25,7 @@
 from Results import Results
 from sys import exc_info
 from zLOG import LOG, ERROR
+from cgi import escape
 import DocumentTemplate, RDB
 
 class Connection(
@@ -102,7 +103,7 @@
         if REQUEST is not None:
             return MessageDialog(
                 title='Edited',
-                message='<strong>%s</strong> has been edited.' % self.id,
+                message='<strong>%s</strong> has been edited.' % escape(self.id),
                 action ='./manage_main',
                 )
 


=== Zope/lib/python/Shared/DC/ZRDB/Search.py 1.20 => 1.20.6.1 ===
--- Zope/lib/python/Shared/DC/ZRDB/Search.py:1.20	Wed Aug 14 17:50:59 2002
+++ Zope/lib/python/Shared/DC/ZRDB/Search.py	Thu Jan  8 16:13:12 2004
@@ -18,6 +18,7 @@
 from Globals import DTMLFile
 from Aqueduct import custom_default_report, custom_default_zpt_report, nicify, Args
 from string import join
+from cgi import escape
 from AccessControl import getSecurityManager
 
 addForm=DTMLFile('dtml/searchAdd', globals())
@@ -57,7 +58,7 @@
                 cannot be generated.  Before creating a report
                 from this query, you must try out the query.  To
                 try out the query, <a href="%s">click here</a>.
-                """ % (q.title_and_id(), url))
+                """ % (escape(q.title_and_id()), escape(url, 1)))
 
     if object_type == 'dtml_methods':
 



