[Zope-Checkins] SVN: Zope/trunk/ Removed HTML tags from exception text of ``Unauthorized`` exception
Michael Howitz
mh at gocept.com
Wed Jan 25 12:50:14 UTC 2012
Log message for revision 124166:
Removed HTML tags from exception text of ``Unauthorized`` exception
because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
fixed. (Merged r124165 from 2.13 branch here.)
Changed:
U Zope/trunk/doc/CHANGES.rst
U Zope/trunk/src/ZPublisher/HTTPResponse.py
U Zope/trunk/src/ZPublisher/tests/exception_handling.txt
U Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py
-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst 2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/doc/CHANGES.rst 2012-01-25 12:50:14 UTC (rev 124166)
@@ -11,6 +11,10 @@
Bugs Fixed
++++++++++
+- Removed HTML tags from exception text of ``Unauthorized`` exception
+ because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
+ fixed.
+
- Use ``in`` operator instead of deprecated ``has_key`` method (which
is not implemented by ``OFS.ObjectManager``). This fixes an issue
with WebDAV requests for skin objects.
Modified: Zope/trunk/src/ZPublisher/HTTPResponse.py
===================================================================
--- Zope/trunk/src/ZPublisher/HTTPResponse.py 2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/src/ZPublisher/HTTPResponse.py 2012-01-25 12:50:14 UTC (rev 124166)
@@ -203,7 +203,7 @@
def setStatus(self, status, reason=None, lock=None):
""" Set the HTTP status code of the response
-
+
o The argument may either be an integer or a string from the
'status_reasons' dict values: status messages will be converted
to the correct integer value.
@@ -244,7 +244,7 @@
The response will include an HTTP header that sets a cookie on
cookie-enabled browsers with a key "name" and value
"value".
-
+
This value overwrites any previously set value for the
cookie in the Response object.
"""
@@ -263,7 +263,7 @@
def appendCookie(self, name, value):
""" Set an HTTP cookie.
-
+
Returns an HTTP header that sets a cookie on cookie-enabled
browsers with a key "name" and value "value". If a value for the
cookie has previously been set in the response object, the new
@@ -309,7 +309,7 @@
Return the value associated with a HTTP return header, or
None if no such header has been set in the response
yet.
-
+
If the 'literal' flag is true, preserve the case of the header name;
otherwise lower-case the header name before looking up the value.
"""
@@ -318,9 +318,9 @@
def setHeader(self, name, value, literal=0, scrubbed=False):
""" Set an HTTP return header on the response.
-
+
Replay any existing value set for the header.
-
+
If the 'literal' flag is true, preserve the case of the header name;
otherwise the header name will be lowercased.
@@ -355,7 +355,7 @@
def addHeader(self, name, value):
""" Set a new HTTP return header with the given value,
-
+
Retain any previously set headers with the same name.
Note that this API appneds to the 'accumulated_headers' attribute;
@@ -450,7 +450,7 @@
return
elif lock:
self._locked_body = 1
-
+
if not body:
return self
@@ -540,7 +540,7 @@
# vary on it. Otherwise if not forced, cache should
# respect Accept-Encoding client header
vary = self.getHeader('Vary')
- if vary is None or 'Accept-Encoding' not in vary:
+ if vary is None or 'Accept-Encoding' not in vary:
self.appendHeader('Vary', 'Accept-Encoding')
return self
@@ -737,12 +737,12 @@
self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
def unauthorized(self):
- m = "<strong>You are not authorized to access this resource.</strong>"
+ m = "You are not authorized to access this resource."
if self.debug_mode:
if self._auth:
- m = m + '<p>\nUsername and password are not correct.</p>'
+ m = m + '\nUsername and password are not correct.'
else:
- m = m + '<p>\nNo Authorization header found.</p>'
+ m = m + '\nNo Authorization header found.'
raise Unauthorized(m)
def _setBCIHeaders(self, t, tb):
@@ -903,7 +903,7 @@
""" Set headers required by various parts of protocol.
"""
body = self.body
- if (not 'content-length' in self.headers and
+ if (not 'content-length' in self.headers and
not 'transfer-encoding' in self.headers):
self.setHeader('content-length', len(body))
return "%d %s" % (self.status, self.errmsg), self.listHeaders()
@@ -946,7 +946,7 @@
chunks.append("%s: %s" % (key, value))
# RFC 2616 mandates empty line between headers and payload
chunks.append('')
- chunks.append(body)
+ chunks.append(body)
return '\r\n'.join(chunks)
def write(self,data):
@@ -965,9 +965,9 @@
"""
if not self._wrote:
-
+
notify(PubBeforeStreaming(self))
-
+
self.outputBody()
self._wrote = 1
self.stdout.flush()
Modified: Zope/trunk/src/ZPublisher/tests/exception_handling.txt
===================================================================
--- Zope/trunk/src/ZPublisher/tests/exception_handling.txt 2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/src/ZPublisher/tests/exception_handling.txt 2012-01-25 12:50:14 UTC (rev 124166)
@@ -13,7 +13,7 @@
>>> browser.mech_browser.set_handle_redirect(False)
Create the objects that are raising exceptions.
-
+
>>> dummy = app.test_folder_1_._setObject('foo', ExceptionRaiser1())
>>> dummy = app.test_folder_1_._setObject('bar', ExceptionRaiser2())
>>> dummy = app.test_folder_1_._setObject('baz', ExceptionRaiser3())
@@ -170,7 +170,7 @@
>>> browser.open('http://localhost/test_folder_1_/bar')
Traceback (most recent call last):
...
- Unauthorized: <strong>You are not authorized to access this resource...
+ Unauthorized: You are not authorized to access this resource...
>>> browser.contents
Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'
Modified: Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py
===================================================================
--- Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py 2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py 2012-01-25 12:50:14 UTC (rev 124166)
@@ -880,8 +880,8 @@
response.unauthorized()
except Unauthorized, raised:
self.assertEqual(response.status, 200) # publisher sets 401 later
- self.assertTrue("<strong>You are not authorized "
- "to access this resource.</strong>" in str(raised))
+ self.assertTrue("You are not authorized "
+ "to access this resource." in str(raised))
else:
self.fail("Didn't raise Unauthorized")
@@ -892,8 +892,8 @@
try:
response.unauthorized()
except Unauthorized, raised:
- self.assertTrue("<p>\nNo Authorization header found.</p>"
- in str(raised))
+ self.assertTrue("\nNo Authorization header found."
+ in str(raised))
else:
self.fail("Didn't raise Unauthorized")
@@ -905,8 +905,8 @@
try:
response.unauthorized()
except Unauthorized, raised:
- self.assertTrue("<p>\nUsername and password are not correct.</p>"
- in str(raised))
+ self.assertTrue("\nUsername and password are not correct."
+ in str(raised))
else:
self.fail("Didn't raise Unauthorized")
More information about the Zope-Checkins
mailing list