[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - HTTPRequest.py:1.90.2.6

Tres Seaver tseaver at zope.com
Wed May 19 14:00:12 EDT 2004


Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv24718/lib/python/ZPublisher

Modified Files:
      Tag: Zope-2_7-branch
	HTTPRequest.py 
Log Message:


  - Collector #777: 'HTTPRequest.__str__' was perfectly happy to display
    the values of password fields;  the issue notes their presence in the
    error log, but '<dtml-var REQUEST>' or
    '<div tal:replace structure request>' had the same effect.


=== Zope/lib/python/ZPublisher/HTTPRequest.py 1.90.2.5 => 1.90.2.6 ===
--- Zope/lib/python/ZPublisher/HTTPRequest.py:1.90.2.5	Thu Dec 11 14:45:03 2003
+++ Zope/lib/python/ZPublisher/HTTPRequest.py	Wed May 19 14:00:11 2004
@@ -1263,16 +1263,16 @@
     def __str__(self):
         result="<h3>form</h3><table>"
         row='<tr valign="top" align="left"><th>%s</th><td>%s</td></tr>'
-        for k,v in self.form.items():
+        for k,v in _filterPasswordFields(self.form.items()):
             result=result + row % (escape(k), escape(repr(v)))
         result=result+"</table><h3>cookies</h3><table>"
-        for k,v in self.cookies.items():
+        for k,v in _filterPasswordFields(self.cookies.items()):
             result=result + row % (escape(k), escape(repr(v)))
         result=result+"</table><h3>lazy items</h3><table>"
-        for k,v in self._lazies.items():
+        for k,v in _filterPasswordFields(self._lazies.items()):
             result=result + row % (escape(k), escape(repr(v)))
         result=result+"</table><h3>other</h3><table>"
-        for k,v in self.other.items():
+        for k,v in _filterPasswordFields(self.other.items()):
             if k in ('PARENTS','RESPONSE'): continue
             result=result + row % (escape(k), escape(repr(v)))
 
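Review bot: The filter in each of the four loops matches only the top-level key `k`, while the value is still rendered with `escape(repr(v))`, so a password held inside a container value (for example a record-style value, given the RECORD/RECORDS flags in this module) under a key that does not contain 'passw' would still be displayed. Consider masking mapping-like values recursively, or documenting the limitation. The hunk also ends before the end of `__str__`, so anything rendered after the `other` table should be checked for the same treatment. A unit test asserting that `str(request)` does not contain a submitted password value would keep this from regressing.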
@@ -1520,6 +1520,20 @@
 REC=RECORD|RECORDS
 EMPTY=16
 CONVERTED=32
+
+#   Collector #777:  filter out request fields which contain 'passw'
+def _filterPasswordFields(items):
+
+    result = []
+
+    for k, v in items:
+
+        if 'passw' in k.lower():
+            v = '<password obscured>'
+
+        result.append((k, v))
+
+    return result
 
 
 # The trusted_proxies configuration setting contains a sequence
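Review bot: The test `'passw' in k.lower()` in `_filterPasswordFields` is a name heuristic with two gaps. It calls `.lower()` on every key, so a non-string key in any of the four mappings would raise AttributeError from inside `__str__`. It also misses secrets whose field names do not contain 'passw' (for example a field named `pwd`). Suggest guarding with a string check before lowercasing, and replacing the one-line comment with a docstring that states the match is a substring heuristic on the key name and that the function returns a new list rather than mutating `items`. The blank lines after the `def` line and after the `for` line could be dropped to match the style of the surrounding code.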