[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ Backport fix for LP #490514: preserve tainting when calling into DTML from ZPT.
Tres Seaver
tseaver at palladion.com
Mon Jan 11 16:25:52 EST 2010
Log message for revision 108031:
Backport fix for LP #490514: preserve tainting when calling into DTML from ZPT.
Changed:
U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
U Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py
U Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2010-01-11 21:24:55 UTC (rev 108030)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2010-01-11 21:25:51 UTC (rev 108031)
@@ -6,6 +6,8 @@
Zope 2.8.12 (2010/01/12)
+ - LP #490514: preserve tainting when calling into DTML from ZPT.
+
- LP #491224: proper escaping of rendered error message
Zope 2.8.11 (2009/08/06)
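Review bot: The new CHANGES.txt entry "LP #490514: preserve tainting when calling into DTML from ZPT." does not name the code path that changed. Mentioning call_with_ns in Products/PageTemplates/ZRPythonExpr.py, the function this revision touches, would let someone reading the release notes tell which templates the fix applies to.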
Modified: Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py 2010-01-11 21:24:55 UTC (rev 108030)
+++ Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py 2010-01-11 21:25:51 UTC (rev 108031)
@@ -66,6 +66,8 @@
this = ns.get('context', ns.get('here'))
td.this = this
request = ns.get('request', {})
+ if hasattr(request, 'taintWrapper'):
+ request = request.taintWrapper()
td._push(request)
td._push(InstanceDict(td.this, td))
td._push(ns)
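Review bot: The added check "if hasattr(request, 'taintWrapper'):" leaves a silent fallback: a request object without that attribute is pushed onto td unwrapped, and nothing in the code says this untainted path is intended. Under Python 2, hasattr also returns False when the attribute lookup raises any exception, so a failing lookup would take the same path unnoticed. Consider getattr(request, 'taintWrapper', None) with an explicit None test, plus a one-line comment that the wrapper is pushed so DTML reached from ZPT sees tainted request values.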
Modified: Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py 2010-01-11 21:24:55 UTC (rev 108030)
+++ Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py 2010-01-11 21:25:51 UTC (rev 108031)
@@ -39,6 +39,18 @@
result = call_with_ns(_find_request, names)
self.assertEqual(result, {})
+
+ def test_call_with_request_preserves_tainting(self):
+ from Products.PageTemplates.ZRPythonExpr import call_with_ns
+ class Request(dict):
+ def taintWrapper(self):
+ return {'tainted': 'found'}
+ context = ['context']
+ here = ['here']
+ names = {'context' : context, 'here': here, 'request' : Request()}
+
+ found = call_with_ns(lambda td: td['tainted'], names)
+ self.assertEqual(found, 'found')
def test_suite():
return unittest.makeSuite(MiscTests)
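Review bot: test_call_with_request_preserves_tainting exercises only a request that has taintWrapper; the other branch of the new hasattr check, a request object without that method, is not covered. A second case that passes a plain dict holding a known key as 'request' and asserts that call_with_ns still finds the key would pin down the fallback behaviour. The stub returning a key that the Request itself lacks is a good choice, since the assertion can only pass if the wrapper result was pushed.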