Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
Z
Zope
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
Zope
Commits
31d14b29
Commit
31d14b29
authored
Dec 13, 2009
by
Martin Aspeli
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix regression in treatment of trusted code in view page templates.
parent
03905b42
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
41 additions
and
10 deletions
+41
-10
doc/CHANGES.rst
doc/CHANGES.rst
+6
-0
src/Products/Five/browser/tests/test_pagetemplatefile.py
src/Products/Five/browser/tests/test_pagetemplatefile.py
+5
-5
src/Products/PageTemplates/Expressions.py
src/Products/PageTemplates/Expressions.py
+30
-5
No files found.
doc/CHANGES.rst
View file @
31d14b29
...
...
@@ -27,6 +27,12 @@ Features Added
Bugs Fixed
++++++++++
- Fixed a regression in Products.PageTemplates that meant filesystem templates
using Products.Five.browser.pagetemplatefile would treat TALES path
expressions (but not python expressions) as protected code and so attempt
to apply security. See original issue here:
http://codespeak.net/pipermail/z3-five/2007q2/002185.html
- LP #491249: fix tabindex on ZRDB connection test form.
- LP #490514: preserve tainting when calling into DTML from ZPT.
...
...
src/Products/Five/browser/tests/test_pagetemplatefile.py
View file @
31d14b29
...
...
@@ -42,15 +42,15 @@ class ViewPageTemplateFileTests(unittest.TestCase):
from
zope.tales.pythonexpr
import
PythonExpr
from
zope.contentprovider.tales
import
TALESProviderExpression
from
Products.PageTemplates.DeferExpr
import
LazyExpr
from
Products.PageTemplates.Expressions
import
ZopePathExpr
from
Products.PageTemplates.Expressions
import
Trusted
ZopePathExpr
from
Products.PageTemplates.Expressions
import
SecureModuleImporter
vptf
=
self
.
_makeOne
(
'seagull.pt'
)
engine
=
vptf
.
pt_getEngine
()
self
.
assertEqual
(
engine
.
types
[
'standard'
],
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'path'
],
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'exists'
],
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'nocall'
],
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'standard'
],
Trusted
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'path'
],
Trusted
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'exists'
],
Trusted
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'nocall'
],
Trusted
ZopePathExpr
)
self
.
assertEqual
(
engine
.
types
[
'string'
],
StringExpr
)
self
.
assertEqual
(
engine
.
types
[
'python'
],
PythonExpr
)
self
.
assertEqual
(
engine
.
types
[
'not'
],
NotExpr
)
...
...
src/Products/PageTemplates/Expressions.py
View file @
31d14b29
...
...
@@ -79,6 +79,26 @@ def boboAwareZopeTraverse(object, path_items, econtext):
request
=
request
)
return
object
def
trustedBoboAwareZopeTraverse
(
object
,
path_items
,
econtext
):
"""Traverses a sequence of names, first trying attributes then items.
This uses Zope 3 path traversal where possible and interacts
correctly with objects providing OFS.interface.ITraversable when
necessary (bobo-awareness).
"""
request
=
getattr
(
econtext
,
'request'
,
None
)
path_items
=
list
(
path_items
)
path_items
.
reverse
()
while
path_items
:
name
=
path_items
.
pop
()
if
OFS
.
interfaces
.
ITraversable
.
providedBy
(
object
):
object
=
object
.
unrestrictedTraverse
(
name
)
else
:
object
=
traversePathElement
(
object
,
name
,
path_items
,
request
=
request
)
return
object
def
render
(
ob
,
ns
):
"""Calls the object, possibly a document template, or just returns
it if not callable. (From DT_Util.py)
...
...
@@ -104,11 +124,13 @@ def render(ob, ns):
class
ZopePathExpr
(
PathExpr
):
_TRAVERSER
=
staticmethod
(
boboAwareZopeTraverse
)
def
__init__
(
self
,
name
,
expr
,
engine
):
if
not
expr
.
strip
():
expr
=
'nothing'
super
(
ZopePathExpr
,
self
).
__init__
(
name
,
expr
,
engine
,
boboAwareZopeTraverse
)
self
.
_TRAVERSER
)
# override this to support different call metrics (see bottom of
# method) and Zope 2's traversal exceptions (ZopeUndefs instead of
...
...
@@ -146,6 +168,9 @@ class ZopePathExpr(PathExpr):
return
1
return
0
class
TrustedZopePathExpr
(
ZopePathExpr
):
_TRAVERSER
=
staticmethod
(
trustedBoboAwareZopeTraverse
)
class
SafeMapping
(
MultiMapping
):
"""Mapping with security declarations and limited method exposure.
...
...
@@ -347,11 +372,11 @@ class PathIterator(ZopeIterator):
return
False
return
ob1
==
ob2
def
createZopeEngine
():
def
createZopeEngine
(
zpe
=
ZopePathExpr
):
e
=
ZopeEngine
()
e
.
iteratorFactory
=
PathIterator
for
pt
in
ZopePathExpr
.
_default_type_names
:
e
.
registerType
(
pt
,
ZopePathExpr
)
for
pt
in
zpe
.
_default_type_names
:
e
.
registerType
(
pt
,
zpe
)
e
.
registerType
(
'string'
,
StringExpr
)
e
.
registerType
(
'python'
,
ZRPythonExpr
.
PythonExpr
)
e
.
registerType
(
'not'
,
NotExpr
)
...
...
@@ -364,7 +389,7 @@ def createZopeEngine():
def
createTrustedZopeEngine
():
# same as createZopeEngine, but use non-restricted Python
# expression evaluator
e
=
createZopeEngine
()
e
=
createZopeEngine
(
TrustedZopePathExpr
)
e
.
types
[
'python'
]
=
PythonExpr
return
e
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment