Commit e5e038ec authored by Michael Howitz's avatar Michael Howitz

- Removed HTML tags from exception text of ``Unauthorized`` exception

  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
  fixed.
parent 634fdeca
...@@ -8,7 +8,9 @@ http://docs.zope.org/zope2/releases/. ...@@ -8,7 +8,9 @@ http://docs.zope.org/zope2/releases/.
2.13.13 (unreleased) 2.13.13 (unreleased)
-------------------- --------------------
- TBD - Removed HTML tags from exception text of ``Unauthorized`` exception
because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
fixed.
2.13.12 (2012-01-18) 2.13.12 (2012-01-18)
-------------------- --------------------
......
...@@ -203,7 +203,7 @@ class HTTPResponse(BaseResponse): ...@@ -203,7 +203,7 @@ class HTTPResponse(BaseResponse):
def setStatus(self, status, reason=None, lock=None): def setStatus(self, status, reason=None, lock=None):
""" Set the HTTP status code of the response """ Set the HTTP status code of the response
o The argument may either be an integer or a string from the o The argument may either be an integer or a string from the
'status_reasons' dict values: status messages will be converted 'status_reasons' dict values: status messages will be converted
to the correct integer value. to the correct integer value.
...@@ -244,7 +244,7 @@ class HTTPResponse(BaseResponse): ...@@ -244,7 +244,7 @@ class HTTPResponse(BaseResponse):
The response will include an HTTP header that sets a cookie on The response will include an HTTP header that sets a cookie on
cookie-enabled browsers with a key "name" and value cookie-enabled browsers with a key "name" and value
"value". "value".
This value overwrites any previously set value for the This value overwrites any previously set value for the
cookie in the Response object. cookie in the Response object.
""" """
...@@ -263,7 +263,7 @@ class HTTPResponse(BaseResponse): ...@@ -263,7 +263,7 @@ class HTTPResponse(BaseResponse):
def appendCookie(self, name, value): def appendCookie(self, name, value):
""" Set an HTTP cookie. """ Set an HTTP cookie.
Returns an HTTP header that sets a cookie on cookie-enabled Returns an HTTP header that sets a cookie on cookie-enabled
browsers with a key "name" and value "value". If a value for the browsers with a key "name" and value "value". If a value for the
cookie has previously been set in the response object, the new cookie has previously been set in the response object, the new
...@@ -309,7 +309,7 @@ class HTTPResponse(BaseResponse): ...@@ -309,7 +309,7 @@ class HTTPResponse(BaseResponse):
Return the value associated with a HTTP return header, or Return the value associated with a HTTP return header, or
None if no such header has been set in the response None if no such header has been set in the response
yet. yet.
If the 'literal' flag is true, preserve the case of the header name; If the 'literal' flag is true, preserve the case of the header name;
otherwise lower-case the header name before looking up the value. otherwise lower-case the header name before looking up the value.
""" """
...@@ -318,9 +318,9 @@ class HTTPResponse(BaseResponse): ...@@ -318,9 +318,9 @@ class HTTPResponse(BaseResponse):
def setHeader(self, name, value, literal=0, scrubbed=False): def setHeader(self, name, value, literal=0, scrubbed=False):
""" Set an HTTP return header on the response. """ Set an HTTP return header on the response.
Replay any existing value set for the header. Replay any existing value set for the header.
If the 'literal' flag is true, preserve the case of the header name; If the 'literal' flag is true, preserve the case of the header name;
otherwise the header name will be lowercased. otherwise the header name will be lowercased.
...@@ -332,7 +332,7 @@ class HTTPResponse(BaseResponse): ...@@ -332,7 +332,7 @@ class HTTPResponse(BaseResponse):
key = name.lower() key = name.lower()
# The following is crazy, given that we have APIs for cookies. # The following is crazy, given that we have APIs for cookies.
# Special behavior will go away in Zope 2.13 # Special behavior will go away in Zope 2.13
if key == 'set-cookie': if key == 'set-cookie':
self.accumulated_headers.append((name, value)) self.accumulated_headers.append((name, value))
else: else:
name = literal and name or key name = literal and name or key
...@@ -360,7 +360,7 @@ class HTTPResponse(BaseResponse): ...@@ -360,7 +360,7 @@ class HTTPResponse(BaseResponse):
def addHeader(self, name, value): def addHeader(self, name, value):
""" Set a new HTTP return header with the given value, """ Set a new HTTP return header with the given value,
Retain any previously set headers with the same name. Retain any previously set headers with the same name.
Note that this API appneds to the 'accumulated_headers' attribute; Note that this API appneds to the 'accumulated_headers' attribute;
...@@ -455,7 +455,7 @@ class HTTPResponse(BaseResponse): ...@@ -455,7 +455,7 @@ class HTTPResponse(BaseResponse):
return return
elif lock: elif lock:
self._locked_body = 1 self._locked_body = 1
if not body: if not body:
return self return self
...@@ -546,7 +546,7 @@ class HTTPResponse(BaseResponse): ...@@ -546,7 +546,7 @@ class HTTPResponse(BaseResponse):
# vary on it. Otherwise if not forced, cache should # vary on it. Otherwise if not forced, cache should
# respect Accept-Encoding client header # respect Accept-Encoding client header
vary = self.getHeader('Vary') vary = self.getHeader('Vary')
if vary is None or 'Accept-Encoding' not in vary: if vary is None or 'Accept-Encoding' not in vary:
self.appendHeader('Vary', 'Accept-Encoding') self.appendHeader('Vary', 'Accept-Encoding')
return self return self
...@@ -747,12 +747,12 @@ class HTTPResponse(BaseResponse): ...@@ -747,12 +747,12 @@ class HTTPResponse(BaseResponse):
self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1) self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
def unauthorized(self): def unauthorized(self):
m = "<strong>You are not authorized to access this resource.</strong>" m = "You are not authorized to access this resource."
if self.debug_mode: if self.debug_mode:
if self._auth: if self._auth:
m = m + '<p>\nUsername and password are not correct.</p>' m = m + '\nUsername and password are not correct.'
else: else:
m = m + '<p>\nNo Authorization header found.</p>' m = m + '\nNo Authorization header found.'
raise Unauthorized, m raise Unauthorized, m
def _setBCIHeaders(self, t, tb): def _setBCIHeaders(self, t, tb):
...@@ -913,7 +913,7 @@ class HTTPResponse(BaseResponse): ...@@ -913,7 +913,7 @@ class HTTPResponse(BaseResponse):
""" Set headers required by various parts of protocol. """ Set headers required by various parts of protocol.
""" """
body = self.body body = self.body
if (not 'content-length' in self.headers and if (not 'content-length' in self.headers and
not 'transfer-encoding' in self.headers): not 'transfer-encoding' in self.headers):
self.setHeader('content-length', len(body)) self.setHeader('content-length', len(body))
return "%d %s" % (self.status, self.errmsg), self.listHeaders() return "%d %s" % (self.status, self.errmsg), self.listHeaders()
...@@ -956,7 +956,7 @@ class HTTPResponse(BaseResponse): ...@@ -956,7 +956,7 @@ class HTTPResponse(BaseResponse):
chunks.append("%s: %s" % (key, value)) chunks.append("%s: %s" % (key, value))
# RFC 2616 mandates empty line between headers and payload # RFC 2616 mandates empty line between headers and payload
chunks.append('') chunks.append('')
chunks.append(body) chunks.append(body)
return '\r\n'.join(chunks) return '\r\n'.join(chunks)
def write(self,data): def write(self,data):
...@@ -975,9 +975,9 @@ class HTTPResponse(BaseResponse): ...@@ -975,9 +975,9 @@ class HTTPResponse(BaseResponse):
""" """
if not self._wrote: if not self._wrote:
notify(PubBeforeStreaming(self)) notify(PubBeforeStreaming(self))
self.outputBody() self.outputBody()
self._wrote = 1 self._wrote = 1
self.stdout.flush() self.stdout.flush()
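Review bot: `unauthorized()` in the 747 hunk has no docstring, and since this commit changes the visible shape of its message it is the right moment to state the contract: the method never returns, it always raises `Unauthorized`, and the two hints (`Username and password are not correct.` / `No Authorization header found.`) are appended only when `self.debug_mode` is set, so the distinction between a missing and a wrong credential is never exposed to non-debug clients. A short docstring along the lines of `"""Raise Unauthorized for the current request; in debug mode append a hint whether an Authorization header was present."""` would cover it, and a one-line comment noting that the text is plain because the publisher escapes exception text since the CVE-2010-1104 fix would explain why no markup is used. With the `<p>` tags gone, the leading `\n` in each appended hint is now the only separator and, if the escaped text is rendered as HTML, collapses to a single space; if that is the intended display, `m = m + ' Username and password are not correct.'` (and the same for the other branch) says so explicitly, otherwise keep the newline for plain-text/log output. The enclosing HTTPResponse class continues outside the hunk.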
......
...@@ -13,7 +13,7 @@ Create the browser object we'll be using. ...@@ -13,7 +13,7 @@ Create the browser object we'll be using.
>>> browser.mech_browser.set_handle_redirect(False) >>> browser.mech_browser.set_handle_redirect(False)
Create the objects that are raising exceptions. Create the objects that are raising exceptions.
>>> dummy = app.test_folder_1_._setObject('foo', ExceptionRaiser1()) >>> dummy = app.test_folder_1_._setObject('foo', ExceptionRaiser1())
>>> dummy = app.test_folder_1_._setObject('bar', ExceptionRaiser2()) >>> dummy = app.test_folder_1_._setObject('bar', ExceptionRaiser2())
>>> dummy = app.test_folder_1_._setObject('baz', ExceptionRaiser3()) >>> dummy = app.test_folder_1_._setObject('baz', ExceptionRaiser3())
...@@ -192,7 +192,7 @@ Handle zExceptions.Unauthorized raised by BaseRequest.traverse. We take the ...@@ -192,7 +192,7 @@ Handle zExceptions.Unauthorized raised by BaseRequest.traverse. We take the
>>> browser.open('http://localhost/test_folder_1_/bar') >>> browser.open('http://localhost/test_folder_1_/bar')
Traceback (most recent call last): Traceback (most recent call last):
... ...
Unauthorized: <strong>You are not authorized to access this resource... Unauthorized: You are not authorized to access this resource...
>>> browser.contents >>> browser.contents
Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse' Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'
......
...@@ -902,8 +902,8 @@ class HTTPResponseTests(unittest.TestCase): ...@@ -902,8 +902,8 @@ class HTTPResponseTests(unittest.TestCase):
response.unauthorized() response.unauthorized()
except Unauthorized, raised: except Unauthorized, raised:
self.assertEqual(response.status, 200) # publisher sets 401 later self.assertEqual(response.status, 200) # publisher sets 401 later
self.assertTrue("<strong>You are not authorized " self.assertTrue("You are not authorized "
"to access this resource.</strong>" in str(raised)) "to access this resource." in str(raised))
else: else:
self.fail("Didn't raise Unauthorized") self.fail("Didn't raise Unauthorized")
...@@ -914,8 +914,8 @@ class HTTPResponseTests(unittest.TestCase): ...@@ -914,8 +914,8 @@ class HTTPResponseTests(unittest.TestCase):
try: try:
response.unauthorized() response.unauthorized()
except Unauthorized, raised: except Unauthorized, raised:
self.assertTrue("<p>\nNo Authorization header found.</p>" self.assertTrue("\nNo Authorization header found."
in str(raised)) in str(raised))
else: else:
self.fail("Didn't raise Unauthorized") self.fail("Didn't raise Unauthorized")
...@@ -927,8 +927,8 @@ class HTTPResponseTests(unittest.TestCase): ...@@ -927,8 +927,8 @@ class HTTPResponseTests(unittest.TestCase):
try: try:
response.unauthorized() response.unauthorized()
except Unauthorized, raised: except Unauthorized, raised:
self.assertTrue("<p>\nUsername and password are not correct.</p>" self.assertTrue("\nUsername and password are not correct."
in str(raised)) in str(raised))
else: else:
self.fail("Didn't raise Unauthorized") self.fail("Didn't raise Unauthorized")
......