[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ Backported
r41704:41705 from 2.9 branch because it is a security fix.
Stefan H. Holek
stefan at epy.co.at
Sun Feb 19 13:53:09 EST 2006
Log message for revision 41707:
Backported r41704:41705 from 2.9 branch because it is a security fix.
Under Python 2.4 the ZPublisher would allow publication of 'set' and
'frozenset' attributes.
Changed:
U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
U Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py
U Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py
-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2006-02-19 18:46:57 UTC (rev 41706)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2006-02-19 18:53:08 UTC (rev 41707)
@@ -28,7 +28,8 @@
Bugs Fixed
- ZPublisher.BaseRequest: The publisher would happily publish attributes
- of type 'bool' and 'complex'.
+ of type 'bool' and 'complex', as well as Python 2.4's 'set' and
+ 'frozenset'.
- Collector #1991: ZPublisher did not deal properly with a trailing
%20 in the URL
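Review bot: The changelog entry for 'set' and 'frozenset' is folded into the existing 'bool' and 'complex' bullet and never says it is a security fix, although the log message gives that as the reason for the backport. Someone reading CHANGES.txt to decide whether to upgrade a Python 2.4 deployment will not see the urgency. Consider marking the entry as a security fix or giving it its own bullet.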
Modified: Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py 2006-02-19 18:46:57 UTC (rev 41706)
+++ Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py 2006-02-19 18:53:08 UTC (rev 41707)
@@ -566,6 +566,7 @@
# Zope 3 by then :)
import types
+import sys
itypes = {}
for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType',
@@ -576,6 +577,11 @@
if hasattr(types, name):
itypes[getattr(types, name)] = 0
+# Python 2.4 no longer maintains the types module.
+if sys.version_info >= (2, 4):
+ itypes[set] = 0
+ itypes[frozenset] = 0
+
def typeCheck(obj, deny=itypes):
# Return true if its ok to publish the type, false otherwise.
return deny.get(type(obj), 1)
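Review bot: The context line `return deny.get(type(obj), 1)` shows that typeCheck is default-allow, so adding `itypes[set] = 0` and `itypes[frozenset] = 0` closes only these two types. Any builtin type that has no name in the `types` module stays publishable until it is listed by hand. The new comment "Python 2.4 no longer maintains the types module" should say that explicitly, so the next maintainer knows this block has to be extended whenever Python gains a builtin type. The lookup is also keyed on the exact `type(obj)`, so a subclass of set or frozenset is not covered by these entries; if that is intended, a short comment saying so would help. As a style point, the `sys.version_info >= (2, 4)` check, and with it the new `import sys`, could be replaced by testing whether the `set` builtin exists.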
Modified: Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py 2006-02-19 18:46:57 UTC (rev 41706)
+++ Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py 2006-02-19 18:53:08 UTC (rev 41707)
@@ -239,7 +239,18 @@
self.assertRaises(NotFound, r.traverse, 'folder/simpleBoolean')
self.assertRaises(NotFound, r.traverse, 'folder/simpleComplex')
+ import sys
+ if sys.version_info >= (2, 4):
+ def test_traverse_set_type(self):
+ from ZPublisher import NotFound
+ self.f1.simpleSet = set([])
+ self.f1.simpleFrozenSet = frozenset([])
+ r = self.makeBaseRequest()
+ self.assertRaises(NotFound, r.traverse, 'folder/simpleSet')
+ self.assertRaises(NotFound, r.traverse, 'folder/simpleFrozenSet')
+
+
def test_suite():
return TestSuite( ( makeSuite(TestBaseRequest), ) )
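Review bot: The `import sys` and the `if sys.version_info >= (2, 4):` guard sit in the class body between test methods, which leaves `sys` bound as a class attribute of the test case and makes the new test easy to overlook. Move the import to the top of the module and keep only the guarded `def test_traverse_set_type` in the class. The test mirrors the `simpleBoolean` and `simpleComplex` assertions above it, which is good; because the deny table is keyed on exact type, it is worth deciding whether a subclass instance should also be asserted here. The hunk also adds a second blank line before `test_suite()` that can be dropped.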