Commit a5fa5771 authored by Jens Vagelpohl's avatar Jens Vagelpohl

- Collector #1863: Prevent possibly sensitive information from leaking via

  the TransientObject's __repr__ method.
parent e117fb70
......@@ -31,6 +31,9 @@ Zope Changes
Bugs Fixed
- Collector #1863: Prevent possibly sensitive information to leak via
the TransientObject's __repr__ method.
- Repaired 'handle_errors' usage for doctests, along with the
supporting 'debug' argument passed to
'ZPublisher.Test.publish_module'.
......
......@@ -256,8 +256,8 @@ class TransientObject(Persistent, Implicit):
return "%s%s" % (t, d)
def __repr__(self):
return "id: %s, token: %s, contents: %s" % (
self.id, self.token, `self.items()`
return "id: %s, token: %s, contents keys: %s" % (
self.id, self.token, `self.keys()`
)
def lastmodified_sort(d1, d2):
......
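Review bot: The new `__repr__` still interpolates `self.token` and the full key list, so whatever `repr(t)` reaches (error logs, tracebacks) still carries the session token and key names such as `__ac_password__`; if the token is the value that identifies the browser session, this is itself a credential worth keeping out of logs. Consider reporting only non-identifying data, e.g. `return "id: %s, contents keys: %s" % (self.id, repr(self.keys()))`, or an explicit count such as `len(self.keys())` if key names are considered sensitive in this deployment. On style, the backtick-repr form is removed in Python 3; `repr(self.keys())` is the equivalent and reads more clearly. The enclosing class continues outside the hunk.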
......@@ -115,6 +115,14 @@ class TestTransientObject(TestCase):
t.delete('foobie')
self.assertEqual(t.get('foobie'), None)
def test_repr_leaking_information(self):
# __repr__ used to show all contents, which could lead to sensitive
# information being visible in e.g. the ErrorLog object.
t = self.t.new('password-storing-session')
t.set('__ac_password__', 'secret')
self.failIf( repr(t).find('secret') != -1
, '__repr__ leaks: %s' % repr(t)
)
def test_suite():
testsuite = makeSuite(TestTransientObject, 'test')
......
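Review bot: The assertion in `test_repr_leaking_information` only checks that the stored value is absent from `repr(t)`; it does not cover the token or the key name, so a future change that reintroduces either would pass unnoticed. The `failIf(... .find('secret') != -1 ...)` form is also harder to read than a direct membership check: `self.failIf('secret' in repr(t), '__repr__ leaks: %s' % repr(t))`. If the token is meant to stay out of logs as well, add a parallel `self.failIf(t.token in repr(t), ...)` line. The comment added on the two lines after the `def` usefully records why the test exists; keep it.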