[Zope-Checkins] SVN: Zope/branches/2.13/ - Removed HTML tags from exception text of ``Unauthorized`` exception

Michael Howitz mh at gocept.com
Wed Jan 25 12:46:19 UTC 2012


Log message for revision 124165:
  - Removed HTML tags from the exception text of the ``Unauthorized`` exception
    because these tags have been escaped since the fix for CVE-2010-1104
    (see 2.13.12).
  

Changed:
  U   Zope/branches/2.13/doc/CHANGES.rst
  U   Zope/branches/2.13/src/ZPublisher/HTTPResponse.py
  U   Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt
  U   Zope/branches/2.13/src/ZPublisher/tests/testHTTPResponse.py

-=-
Modified: Zope/branches/2.13/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.13/doc/CHANGES.rst	2012-01-24 23:25:16 UTC (rev 124164)
+++ Zope/branches/2.13/doc/CHANGES.rst	2012-01-25 12:46:18 UTC (rev 124165)
@@ -8,7 +8,9 @@
 2.13.13 (unreleased)
 --------------------
 
-- TBD
+- Removed HTML tags from exception text of ``Unauthorized`` exception
+  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
+  fixed.
 
 2.13.12 (2012-01-18)
 --------------------

Modified: Zope/branches/2.13/src/ZPublisher/HTTPResponse.py
===================================================================
--- Zope/branches/2.13/src/ZPublisher/HTTPResponse.py	2012-01-24 23:25:16 UTC (rev 124164)
+++ Zope/branches/2.13/src/ZPublisher/HTTPResponse.py	2012-01-25 12:46:18 UTC (rev 124165)
@@ -203,7 +203,7 @@
 
     def setStatus(self, status, reason=None, lock=None):
         """ Set the HTTP status code of the response
-        
+
         o The argument may either be an integer or a string from the
           'status_reasons' dict values:  status messages will be converted
           to the correct integer value.
@@ -244,7 +244,7 @@
         The response will include an HTTP header that sets a cookie on
         cookie-enabled browsers with a key "name" and value
         "value".
-        
+
         This value overwrites any previously set value for the
         cookie in the Response object.
         """
@@ -263,7 +263,7 @@
 
     def appendCookie(self, name, value):
         """ Set an HTTP cookie.
-        
+
         Returns an HTTP header that sets a cookie on cookie-enabled
         browsers with a key "name" and value "value". If a value for the
         cookie has previously been set in the response object, the new
@@ -309,7 +309,7 @@
         Return the value associated with a HTTP return header, or
         None if no such header has been set in the response
         yet.
-        
+
         If the 'literal' flag is true, preserve the case of the header name;
         otherwise lower-case the header name before looking up the value.
         """
@@ -318,9 +318,9 @@
 
     def setHeader(self, name, value, literal=0, scrubbed=False):
         """ Set an HTTP return header on the response.
-        
+
         Replay any existing value set for the header.
-        
+
         If the 'literal' flag is true, preserve the case of the header name;
         otherwise the header name will be lowercased.
 
@@ -332,7 +332,7 @@
         key = name.lower()
         # The following is crazy, given that we have APIs for cookies.
         # Special behavior will go away in Zope 2.13
-        if key == 'set-cookie':  
+        if key == 'set-cookie':
             self.accumulated_headers.append((name, value))
         else:
             name = literal and name or key
@@ -360,7 +360,7 @@
 
     def addHeader(self, name, value):
         """ Set a new HTTP return header with the given value,
-        
+
         Retain any previously set headers with the same name.
 
         Note that this API appneds to the 'accumulated_headers' attribute;
@@ -455,7 +455,7 @@
             return
         elif lock:
             self._locked_body = 1
-            
+
         if not body:
             return self
 
@@ -546,7 +546,7 @@
                         # vary on it. Otherwise if not forced, cache should
                         # respect Accept-Encoding client header
                         vary = self.getHeader('Vary')
-                        if vary is None or 'Accept-Encoding' not in vary: 
+                        if vary is None or 'Accept-Encoding' not in vary:
                             self.appendHeader('Vary', 'Accept-Encoding')
         return self
 
@@ -747,12 +747,12 @@
             self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
 
     def unauthorized(self):
-        m = "<strong>You are not authorized to access this resource.</strong>"
+        m = "You are not authorized to access this resource."
         if self.debug_mode:
             if self._auth:
-                m = m + '<p>\nUsername and password are not correct.</p>'
+                m = m + '\nUsername and password are not correct.'
             else:
-                m = m + '<p>\nNo Authorization header found.</p>'
+                m = m + '\nNo Authorization header found.'
         raise Unauthorized, m
 
     def _setBCIHeaders(self, t, tb):
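Review bot: `unauthorized` still has no docstring, and the `debug_mode` branch is the part a maintainer most needs explained: judging from the two message texts, the extra sentence reveals whether an Authorization header was present (`self._auth`) and whether it was rejected, which is exactly the detail the non-debug message withholds, so that gate is load-bearing and should be stated rather than left implicit. The message is now plain text because it is escaped downstream (per the log message), so a future change must not reintroduce markup here. Suggest a docstring such as `"""Raise Unauthorized with a plain-text reason; in debug_mode append whether credentials were supplied and rejected (withheld otherwise, and escaped on output)."""`. A minor style point: the three `m = m + ...` assignments read more naturally as `m += ...`.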
@@ -913,7 +913,7 @@
         """ Set headers required by various parts of protocol.
         """
         body = self.body
-        if (not 'content-length' in self.headers and 
+        if (not 'content-length' in self.headers and
             not 'transfer-encoding' in self.headers):
             self.setHeader('content-length', len(body))
         return "%d %s" % (self.status, self.errmsg), self.listHeaders()
@@ -956,7 +956,7 @@
             chunks.append("%s: %s" % (key, value))
         # RFC 2616 mandates empty line between headers and payload
         chunks.append('')
-        chunks.append(body) 
+        chunks.append(body)
         return '\r\n'.join(chunks)
 
     def write(self,data):
@@ -975,9 +975,9 @@
 
         """
         if not self._wrote:
-            
+
             notify(PubBeforeStreaming(self))
-            
+
             self.outputBody()
             self._wrote = 1
             self.stdout.flush()

Modified: Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt
===================================================================
--- Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt	2012-01-24 23:25:16 UTC (rev 124164)
+++ Zope/branches/2.13/src/ZPublisher/tests/exception_handling.txt	2012-01-25 12:46:18 UTC (rev 124165)
@@ -13,7 +13,7 @@
     >>> browser.mech_browser.set_handle_redirect(False)
 
 Create the objects that are raising exceptions.
- 
+
     >>> dummy = app.test_folder_1_._setObject('foo', ExceptionRaiser1())
     >>> dummy = app.test_folder_1_._setObject('bar', ExceptionRaiser2())
     >>> dummy = app.test_folder_1_._setObject('baz', ExceptionRaiser3())
@@ -192,7 +192,7 @@
     >>> browser.open('http://localhost/test_folder_1_/bar')
     Traceback (most recent call last):
     ...
-    Unauthorized: <strong>You are not authorized to access this resource...
+    Unauthorized: You are not authorized to access this resource...
     >>> browser.contents
 
 Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'

Modified: Zope/branches/2.13/src/ZPublisher/tests/testHTTPResponse.py
===================================================================
--- Zope/branches/2.13/src/ZPublisher/tests/testHTTPResponse.py	2012-01-24 23:25:16 UTC (rev 124164)
+++ Zope/branches/2.13/src/ZPublisher/tests/testHTTPResponse.py	2012-01-25 12:46:18 UTC (rev 124165)
@@ -902,8 +902,8 @@
             response.unauthorized()
         except Unauthorized, raised:
             self.assertEqual(response.status, 200) # publisher sets 401 later
-            self.assertTrue("<strong>You are not authorized "
-                            "to access this resource.</strong>" in str(raised))
+            self.assertTrue("You are not authorized "
+                            "to access this resource." in str(raised))
         else:
             self.fail("Didn't raise Unauthorized")
 
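Review bot: The updated assertions at lines 204-205 no longer verify what the commit changes, because the substring test also passes against the old tagged message (`"<strong>You are not authorized to access this resource.</strong>"` contains the new expected text), so a regression that reintroduces HTML would go unnoticed; the same applies to the hunks at @@ -914 and @@ -927, whose `"\nNo Authorization header found."` and `"\nUsername and password are not correct."` are likewise substrings of the old `<p>...</p>` messages. If the setup outside this hunk leaves `debug_mode` off, `self.assertEqual(str(raised), "You are not authorized to access this resource.")` pins the whole message; otherwise adding `self.assertFalse('<' in str(raised))` next to each existing assertion would catch markup returning. The enclosing test methods start outside the hunks.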
@@ -914,8 +914,8 @@
         try:
             response.unauthorized()
         except Unauthorized, raised:
-            self.assertTrue("<p>\nNo Authorization header found.</p>"
-                                in str(raised))
+            self.assertTrue("\nNo Authorization header found."
+                            in str(raised))
         else:
             self.fail("Didn't raise Unauthorized")
 
@@ -927,8 +927,8 @@
         try:
             response.unauthorized()
         except Unauthorized, raised:
-            self.assertTrue("<p>\nUsername and password are not correct.</p>"
-                                in str(raised))
+            self.assertTrue("\nUsername and password are not correct."
+                            in str(raised))
         else:
             self.fail("Didn't raise Unauthorized")
 


