Commit bf924768 authored by Martijn Pieters's avatar Martijn Pieters

XML-RPC requests would cause REQUEST_METHOD to be cleared to avoid searching

for 'index_html' default views. This breaks things like Cookie Crumbler. And
yes, when you use a JavaScript XML-RPC library, the browser could include an
authentication cookie for CookieCrumbler.

Instead, do not clear REQUEST_METHOD but check for a xmlrpc.Response object
when initiating the variable that will cause 'index_html' views to be used.

This fixes Zope Collector issue #528.
parent fbc5a0df
...@@ -129,6 +129,10 @@ Zope Changes ...@@ -129,6 +129,10 @@ Zope Changes
- Collector #465: Allow XML-RPC requests with no <params /> tag. - Collector #465: Allow XML-RPC requests with no <params /> tag.
- Collector #528: Don't clear REQUEST_METHOD for XML-RPC requests;
instead check for an XML-RPC Response objetc in
BaseRequest.traverse.
Features Added Features Added
- Browser ids can now be encoded in the URL and Zope can be - Browser ids can now be encoded in the URL and Zope can be
......
...@@ -10,9 +10,10 @@ ...@@ -10,9 +10,10 @@
# FOR A PARTICULAR PURPOSE # FOR A PARTICULAR PURPOSE
# #
############################################################################## ##############################################################################
__version__='$Revision: 1.49 $'[11:-2] __version__='$Revision: 1.50 $'[11:-2]
from urllib import quote from urllib import quote
import xmlrpc
UNSPECIFIED_ROLES='' UNSPECIFIED_ROLES=''
...@@ -196,7 +197,8 @@ class BaseRequest: ...@@ -196,7 +197,8 @@ class BaseRequest:
# How did this request come in? (HTTP GET, PUT, POST, etc.) # How did this request come in? (HTTP GET, PUT, POST, etc.)
method=req_method=request_get('REQUEST_METHOD', 'GET').upper() method=req_method=request_get('REQUEST_METHOD', 'GET').upper()
if method=='GET' or method=='POST': if method=='GET' or method=='POST' and not isinstance(response,
xmlrpc.Response):
# Probably a browser # Probably a browser
no_acquire_flag=0 no_acquire_flag=0
# index_html is still the default method, only any object can # index_html is still the default method, only any object can
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
############################################################################## ##############################################################################
__version__='$Revision: 1.80 $'[11:-2] __version__='$Revision: 1.81 $'[11:-2]
import re, sys, os, urllib, time, random, cgi, codecs import re, sys, os, urllib, time, random, cgi, codecs
from BaseRequest import BaseRequest from BaseRequest import BaseRequest
...@@ -373,7 +373,6 @@ class HTTPRequest(BaseRequest): ...@@ -373,7 +373,6 @@ class HTTPRequest(BaseRequest):
meth, self.args = xmlrpc.parse_input(fs.value) meth, self.args = xmlrpc.parse_input(fs.value)
response=xmlrpc.response(response) response=xmlrpc.response(response)
other['RESPONSE']=self.response=response other['RESPONSE']=self.response=response
other['REQUEST_METHOD']='' # We don't want index_html!
self.maybe_webdav_client = 0 self.maybe_webdav_client = 0
else: else:
self._file=fs.file self._file=fs.file
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment