[Zope-Checkins] SVN: Zope/branches/tseaver-retire_zpkg-2.10/ Synch
with 2.10 branch.
Tres Seaver
tseaver at palladion.com
Wed Jul 5 23:02:10 EDT 2006
Log message for revision 68993:
Synch with 2.10 branch.
Changed:
U Zope/branches/tseaver-retire_zpkg-2.10/doc/CHANGES.txt
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Image.py
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Traversable.py
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testFileAndImage.py
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testTraverse.py
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Products/ZReST/ZReST.py
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Zope2/Startup/zopectl.py
U Zope/branches/tseaver-retire_zpkg-2.10/lib/python/reStructuredText/__init__.py
-=-
Modified: Zope/branches/tseaver-retire_zpkg-2.10/doc/CHANGES.txt
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/doc/CHANGES.txt 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/doc/CHANGES.txt 2006-07-06 03:02:09 UTC (rev 68993)
@@ -18,6 +18,14 @@
Bugs Fixed
+ - reStructuredText/ZReST: setting raw_enabled to 0 for security
+ reasons
+
+ - Collector #2113: 'zopectl test' masked Ctrl-C.
+
+ - OFS Image: Image and File updated to use isinstance(data, str)
+ and raises TypeError upon encountering unicode objects.
+
- OFS Application: Updated deprecation warnings.
Support for '__ac_permissions__' and 'meta_types' will be removed in
Zope 2.11, 'methods' support might remain longer.
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Image.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Image.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Image.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -43,7 +43,6 @@
from cgi import escape
import transaction
-StringType=type('')
manage_addFileForm=DTMLFile('dtml/imageAdd', globals(),Kind='File',kind='file')
def manage_addFile(self,id,file='',title='',precondition='', content_type='',
REQUEST=None):
@@ -231,7 +230,7 @@
RESPONSE.setStatus(206) # Partial content
data = self.data
- if type(data) is StringType:
+ if isinstance(data, str):
RESPONSE.write(data[start:end])
return True
@@ -302,7 +301,7 @@
'Content-Range: bytes %d-%d/%d\r\n\r\n' % (
start, end - 1, self.size))
- if type(data) is StringType:
+ if isinstance(data, str):
RESPONSE.write(data[start:end])
else:
@@ -401,7 +400,7 @@
self.ZCacheable_set(None)
data=self.data
- if type(data) is type(''):
+ if isinstance(data, str):
RESPONSE.setBase(None)
return data
@@ -428,6 +427,10 @@
security.declarePrivate('update_data')
def update_data(self, data, content_type=None, size=None):
+ if isinstance(data, unicode):
+ raise TypeError('Data can only be str or file-like. '
+ 'Unicode objects are expressly forbidden.')
+
if content_type is not None: self.content_type=content_type
if size is None: size=len(data)
self.size=size
@@ -481,7 +484,7 @@
if headers and headers.has_key('content-type'):
content_type=headers['content-type']
else:
- if type(body) is not type(''): body=body.data
+ if not isinstance(body, str): body=body.data
content_type, enc=guess_content_type(
getattr(file, 'filename',id), body, content_type)
return content_type
@@ -490,7 +493,7 @@
n=1 << 16
- if type(file) is StringType:
+ if isinstance(file, str):
size=len(file)
if size < n: return file, size
# Big string: cut it into smaller chunks
@@ -617,7 +620,7 @@
return result
data = self.data
- if type(data) is type(''):
+ if isinstance(data, str):
RESPONSE.setBase(None)
return data
@@ -777,6 +780,10 @@
security.declarePrivate('update_data')
def update_data(self, data, content_type=None, size=None):
+ if isinstance(data, unicode):
+ raise TypeError('Data can only be str or file-like. '
+ 'Unicode objects are expressly forbidden.')
+
if size is None: size=len(data)
self.size=size
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Traversable.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Traversable.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/Traversable.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -237,11 +237,11 @@
if not validated:
raise Unauthorized, name
else:
- if hasattr(aq_base(obj), name):
+ if getattr(aq_base(obj), name, marker) is not marker:
if restricted:
- next = guarded_getattr(obj, name, marker)
+ next = guarded_getattr(obj, name)
else:
- next = _getattr(obj, name, marker)
+ next = _getattr(obj, name)
else:
try:
next=obj[name]
@@ -249,6 +249,9 @@
# Raise NotFound for easier debugging
# instead of AttributeError: __getitem__
raise NotFound, name
+ if restricted and not securityManager.validate(
+ obj, obj, _none, next):
+ raise Unauthorized, name
except (AttributeError, NotFound, KeyError), e:
# Try to look for a view
@@ -270,13 +273,10 @@
next = _getattr(obj, name, marker)
except AttributeError:
raise e
- if next is marker:
- # Nothing found re-raise error
- raise e
-
- if restricted and not securityManager.validate(
- obj, obj, _none, next):
- raise Unauthorized, name
+ if next is marker:
+ # Nothing found re-raise error
+ raise e
+
obj = next
return obj
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testFileAndImage.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testFileAndImage.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testFileAndImage.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -252,7 +252,12 @@
verifyClass(HTTPRangeInterface, File)
verifyClass(WriteLockInterface, File)
-
+ def testUnicode(self):
+ val = u'some unicode string here'
+
+ self.assertRaises(TypeError, self.file.manage_edit,
+ 'foobar', 'text/plain', filedata=val)
+
class ImageTests(FileTests):
data = open(filedata, 'rb').read()
content_type = 'image/gif'
@@ -285,7 +290,6 @@
verifyClass(WriteLockInterface, Image)
-
def test_suite():
return unittest.TestSuite((
unittest.makeSuite(FileTests),
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testTraverse.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testTraverse.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/OFS/tests/testTraverse.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -68,6 +68,24 @@
return 0
+class ProtectedMethodSecurityPolicy:
+ """Check security strictly on bound methods.
+ """
+ def validate(self, accessed, container, name, value, *args):
+ if getattr(aq_base(value), 'im_self', None) is None:
+ return 1
+
+ # Bound method
+ if name is None:
+ raise Unauthorized
+ klass = value.im_self.__class__
+ roles = getattr(klass, name+'__roles__', object())
+ if roles is None: # ACCESS_PUBLIC
+ return 1
+
+ raise Unauthorized(name)
+
+
class UnitTestUser( Acquisition.Implicit ):
"""
Stubbed out manager for unit testing purposes.
@@ -103,6 +121,22 @@
bb_status = 'screechy'
+class Restricted(SimpleItem):
+ """Instance we'll check with ProtectedMethodSecurityPolicy
+ """
+ getId__roles__ = None # ACCESS_PUBLIC
+ def getId(self):
+ return self.id
+
+ private__roles__ = () # ACCESS_PRIVATE
+ def private(self):
+ return 'private!'
+
+ # not protected
+ def ohno(self):
+ return 'ohno!'
+
+
class BoboTraversableWithAcquisition(SimpleItem):
"""
A BoboTraversable class which may use acquisition to find objects.
@@ -210,6 +244,17 @@
self.failUnlessRaises(
KeyError, self.folder1.unrestrictedTraverse, '/folder1/file2/' )
+ def testTraverseMethodRestricted(self):
+ self.root.my = Restricted('my')
+ my = self.root.my
+ my.id = 'my'
+ noSecurityManager()
+ SecurityManager.setSecurityPolicy(ProtectedMethodSecurityPolicy())
+ r = my.restrictedTraverse('getId')
+ self.assertEquals(r(), 'my')
+ self.assertRaises(Unauthorized, my.restrictedTraverse, 'private')
+ self.assertRaises(Unauthorized, my.restrictedTraverse, 'ohno')
+
def testBoboTraverseToWrappedSubObj(self):
# Verify it's possible to use __bobo_traverse__ with the
# Zope security policy.
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Products/ZReST/ZReST.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Products/ZReST/ZReST.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Products/ZReST/ZReST.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -204,6 +204,7 @@
'stylesheet_path' : None,
'pub.settings.warning_stream' : Warnings(),
'file_insertion_enabled' : 0,
+ 'raw_enabled' : 0,
}
self._v_formatted = docutils.core.publish_string(
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Zope2/Startup/zopectl.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Zope2/Startup/zopectl.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/Zope2/Startup/zopectl.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -258,14 +258,20 @@
pid = os.fork()
if pid == 0: # child
os.execv(self.options.python, args)
- else:
- os.waitpid(pid, 0)
+
+ # Parent process running (execv replaces process in child
+ while True:
+ try:
+ os.waitpid(pid, 0)
+ except (OSError, KeyboardInterrupt):
+ continue
+ else:
+ break
def help_test(self):
print "test [args]+ -- run unit / functional tests."
print " See $ZOPE_HOME/bin/test.py --help for syntax."
-
def main(args=None):
# This is exactly like zdctl.main(), but uses ZopeCtlOptions and
# ZopeCmd instead of ZDCtlOptions and ZDCmd, so the default values
Modified: Zope/branches/tseaver-retire_zpkg-2.10/lib/python/reStructuredText/__init__.py
===================================================================
--- Zope/branches/tseaver-retire_zpkg-2.10/lib/python/reStructuredText/__init__.py 2006-07-06 02:31:30 UTC (rev 68992)
+++ Zope/branches/tseaver-retire_zpkg-2.10/lib/python/reStructuredText/__init__.py 2006-07-06 03:02:09 UTC (rev 68993)
@@ -73,6 +73,7 @@
settings['stylesheet'] = stylesheet
settings['stylesheet_path'] = None
settings['file_insertion_enabled'] = 0
+ settings['raw_enabled'] = 0
if language_code:
settings['language_code'] = language_code
settings['language_code'] = language_code
More information about the Zope-Checkins
mailing list