[Zope-Checkins] CVS: Zope/lib/python/ZPublisher -
HTTPResponse.py:1.79 xmlrpc.py:1.17
Tres Seaver
tseaver at zope.com
Thu Jan 15 18:02:08 EST 2004
Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv23317/ZPublisher
Modified Files:
HTTPResponse.py xmlrpc.py
Log Message:
- HTTPResponse.py: CGI escapes (merged from 2.6 / 2.7 audit).
- xmlrpc.py: Exclude "private" attributes when marshalling an instance
as an XML-RPC dict (merged from 2.6 / 2.7 audit).
=== Zope/lib/python/ZPublisher/HTTPResponse.py 1.78 => 1.79 ===
--- Zope/lib/python/ZPublisher/HTTPResponse.py:1.78 Fri Dec 26 18:48:18 2003
+++ Zope/lib/python/ZPublisher/HTTPResponse.py Thu Jan 15 18:02:08 2004
@@ -461,7 +461,8 @@
ibase = base_re_search(body)
if ibase is None:
self.body = ('%s\n<base href="%s" />\n%s' %
- (body[:index], self.base, body[index:]))
+ (body[:index], self.quoteHTML(self.base),
+ body[index:]))
self.setHeader('content-length', len(self.body))
def appendCookie(self, name, value):
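Review bot: The escaped value is placed inside a double-quoted `href` attribute, so the new `self.quoteHTML(self.base)` call only closes the gap if `quoteHTML` escapes `"` as well as `&`, `<` and `>`; `quoteHTML` is not in the hunk, so confirm its character table includes `'"': '&quot;'`. If it does not, a base value containing a double quote could still terminate the attribute early. Escaping at the point of insertion is the right place for this, since the hunk cannot show where `self.base` is assigned. The enclosing method starts outside the hunk.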
=== Zope/lib/python/ZPublisher/xmlrpc.py 1.16 => 1.17 ===
--- Zope/lib/python/ZPublisher/xmlrpc.py:1.16 Wed Jul 23 14:12:26 2003
+++ Zope/lib/python/ZPublisher/xmlrpc.py Thu Jan 15 18:02:08 2004
@@ -100,6 +100,16 @@
# Convert Fault object to XML-RPC response.
body=xmlrpclib.dumps(body, methodresponse=1)
else:
+ if type(body) == InstanceType:
+ # Avoid disclosing private members. Private members are
+ # by convention named with a leading underscore char.
+ orig = body.__dict__
+ dict = {}
+ for key in orig.keys():
+ if key[:1] != '_':
+ dict[key] = orig[key]
+ body = dict
+
# Marshall our body as an XML-RPC response. Strings will be sent
# strings, integers as integers, etc. We do *not* convert
# everything to a string first.
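Review bot: The new filter is only one level deep: it screens `body.__dict__`, but attribute values that are themselves instances are handed to `xmlrpclib.dumps` unchanged, and the stdlib marshaller (as far as I recall) serialises an instance as its full `__dict__`, so underscore-prefixed members of nested objects would still be disclosed; worth confirming against the xmlrpclib in use and, if so, applying the filter recursively through lists, dicts and instances. Separately, `type(body) == InstanceType` matches only classic-class instances, so new-style class instances bypass the filter entirely; check whether that is intended, and prefer `isinstance(body, InstanceType)` if the classic-only behaviour is kept. The local named `dict` shadows the builtin; a one-liner `body = dict([(k, v) for k, v in body.__dict__.items() if k[:1] != '_'])` avoids both the shadowing and the explicit loop. The enclosing function starts outside the hunk.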