Commit e5e038ec authored by Michael Howitz's avatar Michael Howitz

- Removed HTML tags from exception text of ``Unauthorized`` exception

  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
  fixed.
parent 634fdeca
......@@ -8,7 +8,9 @@ http://docs.zope.org/zope2/releases/.
2.13.13 (unreleased)
--------------------
- TBD
- Removed HTML tags from exception text of ``Unauthorized`` exception
because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
fixed.
2.13.12 (2012-01-18)
--------------------
......
......@@ -747,12 +747,12 @@ class HTTPResponse(BaseResponse):
self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
def unauthorized(self):
m = "<strong>You are not authorized to access this resource.</strong>"
m = "You are not authorized to access this resource."
if self.debug_mode:
if self._auth:
m = m + '<p>\nUsername and password are not correct.</p>'
m = m + '\nUsername and password are not correct.'
else:
m = m + '<p>\nNo Authorization header found.</p>'
m = m + '\nNo Authorization header found.'
raise Unauthorized, m
def _setBCIHeaders(self, t, tb):
......
......@@ -192,7 +192,7 @@ Handle zExceptions.Unauthorized raised by BaseRequest.traverse. We take the
>>> browser.open('http://localhost/test_folder_1_/bar')
Traceback (most recent call last):
...
Unauthorized: <strong>You are not authorized to access this resource...
Unauthorized: You are not authorized to access this resource...
>>> browser.contents
Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'
......
......@@ -902,8 +902,8 @@ class HTTPResponseTests(unittest.TestCase):
response.unauthorized()
except Unauthorized, raised:
self.assertEqual(response.status, 200) # publisher sets 401 later
self.assertTrue("<strong>You are not authorized "
"to access this resource.</strong>" in str(raised))
self.assertTrue("You are not authorized "
"to access this resource." in str(raised))
else:
self.fail("Didn't raise Unauthorized")
......@@ -914,7 +914,7 @@ class HTTPResponseTests(unittest.TestCase):
try:
response.unauthorized()
except Unauthorized, raised:
self.assertTrue("<p>\nNo Authorization header found.</p>"
self.assertTrue("\nNo Authorization header found."
in str(raised))
else:
self.fail("Didn't raise Unauthorized")
......@@ -927,7 +927,7 @@ class HTTPResponseTests(unittest.TestCase):
try:
response.unauthorized()
except Unauthorized, raised:
self.assertTrue("<p>\nUsername and password are not correct.</p>"
self.assertTrue("\nUsername and password are not correct."
in str(raised))
else:
self.fail("Didn't raise Unauthorized")
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment