[Zope-Checkins] SVN: Zope/trunk/ - Collector #1863: Prevent possibly sensitive information to leak via

Jens Vagelpohl jens at dataflake.org
Sat Oct 1 09:21:35 EDT 2005 

Log message for revision 38710:
  - Collector #1863: Prevent possibly sensitive information to leak via
    the TransientObject's __repr__ method.
  

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/Products/Transience/TransientObject.py
  U   Zope/trunk/lib/python/Products/Transience/tests/testTransientObject.py

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt	2005-10-01 13:20:29 UTC (rev 38709)
+++ Zope/trunk/doc/CHANGES.txt	2005-10-01 13:21:35 UTC (rev 38710)
@@ -42,6 +42,9 @@
 
     Bugs Fixed
 
+      - Collector #1863: Prevent possibly sensitive information to leak via
+        the TransientObject's __repr__ method.
+
       - Repaired 'handle_errors' usage for doctests, along with the
         supporting 'debug' argument passed to
         'ZPublisher.Test.publish_module'.

Modified: Zope/trunk/lib/python/Products/Transience/TransientObject.py
===================================================================
--- Zope/trunk/lib/python/Products/Transience/TransientObject.py	2005-10-01 13:20:29 UTC (rev 38709)
+++ Zope/trunk/lib/python/Products/Transience/TransientObject.py	2005-10-01 13:21:35 UTC (rev 38710)
@@ -256,8 +256,8 @@
         return "%s%s" % (t, d)
 
     def __repr__(self):
-        return "id: %s, token: %s, contents: %s" % (
-            self.id, self.token, `self.items()`
+        return "id: %s, token: %s, content keys: %s" % (
+            self.id, self.token, `self.keys()`
             )
 
 def lastmodified_sort(d1, d2):

Modified: Zope/trunk/lib/python/Products/Transience/tests/testTransientObject.py
===================================================================
--- Zope/trunk/lib/python/Products/Transience/tests/testTransientObject.py	2005-10-01 13:20:29 UTC (rev 38709)
+++ Zope/trunk/lib/python/Products/Transience/tests/testTransientObject.py	2005-10-01 13:21:35 UTC (rev 38710)
@@ -115,7 +115,16 @@
         t.delete('foobie')
         self.assertEqual(t.get('foobie'), None)
 
+    def test_repr_leaking_information(self):
+        # __repr__ used to show all contents, which could lead to sensitive
+        # information being visible in e.g. the ErrorLog object.
+        t = self.t.new('password-storing-session')
+        t.set('__ac_password__', 'secret')
+        self.failIf( repr(t).find('secret') != -1
+                   , '__repr__ leaks: %s' % repr(t)
+                   )
 
+
 def test_suite():
     testsuite = makeSuite(TestTransientObject, 'test')
     alltests = TestSuite((testsuite,))

More information about the Zope-Checkins mailing list