[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/lib/python/OFS/ Better fix, with test, for error-during-standard_error_message with tainted error_value.
Tres Seaver
tseaver at palladion.com
Mon Jan 11 16:24:55 EST 2010
Log message for revision 108030:
Better fix, with test, for error-during-standard_error_message with tainted error_value.
Changed:
U Zope/branches/Zope-2_8-branch/lib/python/OFS/SimpleItem.py
A Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/test_SimpleItem.py
-=-
Modified: Zope/branches/Zope-2_8-branch/lib/python/OFS/SimpleItem.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/OFS/SimpleItem.py 2010-01-11 20:19:06 UTC (rev 108029)
+++ Zope/branches/Zope-2_8-branch/lib/python/OFS/SimpleItem.py 2010-01-11 21:24:55 UTC (rev 108030)
@@ -25,7 +25,6 @@
import Globals, App.Management, Acquisition, App.Undo
import AccessControl.Role, AccessControl.Owned, App.Common
from webdav.Resource import Resource
-from webdav.xmltools import escape as xml_escape
from ExtensionClass import Base
from ComputedAttribute import ComputedAttribute
from AccessControl import getSecurityManager, Unauthorized
@@ -218,7 +217,7 @@
exc_info=True
)
try:
- strv = str(error_value)
+ strv = repr(error_value) # quotes tainted strings
except:
strv = ('<unprintable %s object>' %
str(type(error_value).__name__))
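Review bot: The comment `# quotes tainted strings` on the new `strv = repr(error_value)` line leaves the escaping mechanism implicit — presumably `TaintedString.__repr__` returns the html-quoted form, which is what the new test's `failIf('<' in value)` relies on — and with `v = xml_escape(v)` dropped in the next hunk a plain `str` error_value that happens to contain markup is now embedded in the message unescaped, since `html_quote` is applied only to the secondary exception. If that is the intended model (untainted strings are trusted by construction), the comment should say so, e.g. `# repr() of a TaintedString is its html-quoted form; a plain str is trusted and left as-is`. Note also that `repr()` changes the visible message for every error value (`'simple'` rather than `simple`), which the new test pins with `startswith("'simple'")`. raise_standardErrorMessage starts before and continues after this hunk.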
@@ -228,7 +227,6 @@
"event log for full details: %s)")%(
html_quote(sys.exc_info()[1]),
))
- v = xml_escape(v)
raise error_type, v, tb
finally:
if hasattr(self, '_v_eek'): del self._v_eek
Added: Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/test_SimpleItem.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/test_SimpleItem.py (rev 0)
+++ Zope/branches/Zope-2_8-branch/lib/python/OFS/tests/test_SimpleItem.py 2010-01-11 21:24:55 UTC (rev 108030)
@@ -0,0 +1,51 @@
+import unittest
+
+class ItemTests(unittest.TestCase):
+
+ def _getTargetClass(self):
+ from OFS.SimpleItem import Item
+ return Item
+
+ def _makeOne(self, *args, **kw):
+ return self._getTargetClass()(*args, **kw)
+
+ def test_raise_StandardErrorMessage_str_errorValue(self):
+ item = self._makeOne()
+ def _raise_during_standard_error_message(*args, **kw):
+ raise ZeroDivisionError('testing')
+ item.standard_error_message = _raise_during_standard_error_message
+ try:
+ item.raise_standardErrorMessage(
+ error_type=OverflowError,
+ error_value='simple',
+ REQUEST={'dummy': ''},
+ )
+ except:
+ import sys
+ self.assertEqual(sys.exc_info()[0], 'OverflowError')
+ value = sys.exc_info()[1]
+ self.failUnless(value.startswith("'simple'"))
+ self.failUnless('full details: testing' in value)
+
+ def test_raise_StandardErrorMessage_TaintedString_errorValue(self):
+ from ZPublisher.TaintedString import TaintedString
+ item = self._makeOne()
+ def _raise_during_standard_error_message(*args, **kw):
+ raise ZeroDivisionError('testing')
+ item.standard_error_message = _raise_during_standard_error_message
+ try:
+ item.raise_standardErrorMessage(
+ error_type=OverflowError,
+ error_value=TaintedString('<simple>'),
+ REQUEST={'dummy': ''},
+ )
+ except:
+ import sys
+ self.assertEqual(sys.exc_info()[0], 'OverflowError')
+ value = sys.exc_info()[1]
+ self.failIf('<' in value)
+
+def test_suite():
+ return unittest.TestSuite((
+ unittest.makeSuite(ItemTests),
+ ))
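Review bot: Both test methods pass vacuously if `raise_standardErrorMessage` returns instead of raising, because every assertion lives inside the bare `except:` branch and nothing fails on the fall-through path; add an `else:` clause to each `try` — `else:` / `self.fail('raise_standardErrorMessage did not raise')` — so the tests actually require the exception. The `import sys` inside each handler is better placed once at module top next to `import unittest`. The `assertEqual(sys.exc_info()[0], 'OverflowError')` comparison against a string, rather than the `OverflowError` class passed in, appears to depend on the method converting `error_type` to its name before re-raising; a one-line comment stating that would keep the next reader from reading it as a typo.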