[Zope-dev] Possible Zope 2.12 regression - Five page templates use restrictedTraverse for TAL
Martin Aspeli
optilude+lists at gmail.com
Sun Dec 13 04:45:03 EST 2009
On 13/12/09 16:49, Martin Aspeli wrote:
> On 13/12/09 10:52, Tres Seaver wrote:
>
>> Doesn't smell like a regression to me: the code there hasn't changed in
>> a good long while. Can you write a test case for it, so that we can
>> test against earlier versions?
>
> Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html
>
> This is the same problem.
>
> You said:
>
> "This is because
> 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
> 'python:' expressions; path traversal is still governed by
> 'boboAwareZopeTraverse', which uses 'restrictedTraverse'."
>
> and then:
>
> "As it turns out, it is only "partially trusted." The attached patch
> should make them "really trusted", at least for path expressions; does
> it help? I haven't added any tests, although my 2.10 branch checkout
> does pass all tests with this change"
>
> The attachment is here:
>
> http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachment.bin
>
> I'm going to poke around a Zope 2.12 checkout for a bit to see what
> sense I can make of this.
Okay, so it turns out your patch has gotten lost from Zope 2.10 to Zope
2.12.
This is the revision where it went in:
http://zope3.pov.lt/trac/changeset/77064/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py
I think that by accident this got committed with an unrelated change,
since the commit message says "Use Five 1.5.5" and there's a change in
svn:externals. Perhaps that's why this wasn't merged to trunk. The
latest merge I can see is at r71802.
This also makes me worry about
http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py?rev=78766
and
http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py?rev=93506,
which may not have been merged, but I'm too far down the rabbit hole now
to see clearly.
Anyway, I re-applied your patch to the Zope 2.12 branch. This broke one
test, in Products.Five:
self.assertEqual(engine.types['standard'], ZopePathExpr)
I'd argue that this test is testing for precisely the wrong thing, so I
updated this assertion and the ones to follow to check for:
self.assertEqual(engine.types['standard'], TrustedZopePathExpr)
This fixes the original issue I was seeing. All Zope 2.12 and Plone 4
tests pass with this as well.
I also think the fixed test in Five is now correct and sufficient, since
it checks that we get the trusted engine for ViewPageTemplateFiles.
Maybe we should have a functional test too, but I'm not sure how to set
that up.
I've committed this in r106436 and merged to trunk in r106437.
If anyone objects, please let me know and I'll back it out. Otherwise,
I'm hopeful for a 2.12.2 soon, as this breaks a few things in Plone. :-/
Martin
--
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book
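As an added illustration (constructed for this thread, not Zope's or Five's own code), a toy model of the "partially trusted" engine described above: python: expressions are evaluated with full access while path expressions still go through a restricted traverser, and the check the corrected Five test makes on engine.types['standard']. The class names mirror the thread; ROOT, PROTECTED, PythonExpr, Engine and the create_*/is_fully_trusted helpers are assumptions of this model, and PermissionError stands in for Zope's Unauthorized.

```python
ROOT = {"context": {"title": "Hello", "secret": "s3cr3t"}}  # constructed object tree
PROTECTED = {"secret"}  # names a restricted traversal may not reach (stand-in for Zope security)

def restricted_traverse(root, path):
    # Model of restrictedTraverse: every step is checked; PermissionError plays Unauthorized.
    obj = root
    for name in path.split("/"):
        if name in PROTECTED:
            raise PermissionError(name)
        obj = obj[name]
    return obj

def unrestricted_traverse(root, path):
    # Model of unrestrictedTraverse: no security checks at all.
    obj = root
    for name in path.split("/"):
        obj = obj[name]
    return obj

class ZopePathExpr:
    # Path expression bound to the restricted traverser (the untrusted type).
    traverse = staticmethod(restricted_traverse)
    def __init__(self, body):
        self.body = body
    def __call__(self, root):
        return self.traverse(root, self.body)
class TrustedZopePathExpr(ZopePathExpr):
    # Trusted variant: same syntax, but it traverses without checks.
    traverse = staticmethod(unrestricted_traverse)
class PythonExpr(ZopePathExpr):
    # python: expression; a trusted engine evaluates it with full access to the tree.
    def __call__(self, root):
        return eval(self.body, {"root": root})

class Engine:
    def __init__(self, path_expr_cls):
        self.types = {"standard": path_expr_cls, "python": PythonExpr}
    def evaluate(self, expr, root):
        if expr.startswith("python:"):
            return self.types["python"](expr[len("python:"):].strip())(root)
        return self.types["standard"](expr)(root)

def create_partially_trusted_engine():
    return Engine(ZopePathExpr)  # pre-patch: python: trusted, paths still restricted

def create_trusted_engine():
    return Engine(TrustedZopePathExpr)  # after the patch is re-applied

def is_fully_trusted(engine):
    return engine.types["standard"] is TrustedZopePathExpr
```

With the partially trusted engine, "python: root['context']['secret']" succeeds while the path expression "context/secret" is refused; only the engine whose standard expression type is TrustedZopePathExpr treats both the same way.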