[Zope-Checkins] CVS: Zope/lib/python/AccessControl - PermissionMapping.py:1.12 Role.py:1.54

Thu, 1 Aug 2002 12:01:10 -0400

Update of /cvs-repository/Zope/lib/python/AccessControl
In directory cvs.zope.org:/tmp/cvs-serv9325/lib/python/AccessControl

Modified Files:
	PermissionMapping.py Role.py 
Log Message:
Big change

- Make DTML automatically html quote data indirectly taken from REQUEST
  which contain a '<'. Make sure (almost) all string operation preserve the
  taint on this data.

- Fix exceptions that use REQUEST data; quote the data.

- Don't let form and cookie values mask the REQUEST computed values such as
  URL0 and BASE1.


=== Zope/lib/python/AccessControl/PermissionMapping.py 1.11 => 1.12 ===
 from Permission import pname
 from Owned import UnownableOwner
 from Globals import InitializeClass
+from cgi import escape
 
 class RoleManager:
     def manage_getPermissionMapping(self):
@@ -64,7 +65,7 @@
                 raise 'Permission mapping error', (
                     """Attempted to map a permission to a permission, %s,
                     that is not valid. This should never happen. (Waaa).
-                    """ % p)
+                    """ % escape(p))
             
 
             setPermissionMapping(name, wrapper, p)
@@ -118,7 +119,7 @@
         # We want to make sure that any non-explicitly set methods are
         # private!
         if name.startswith('_') and name.endswith("_Permission"): return ''
-        raise AttributeError, name
+        raise AttributeError, escape(name)
         
 PermissionMapper=PM
 


=== Zope/lib/python/AccessControl/Role.py 1.53 => 1.54 ===
 import Globals, ExtensionClass, PermissionMapping, Products
 from Permission import Permission
 from App.Common import aq_base
+from cgi import escape
 
 ListType=type([])
 
@@ -171,7 +172,8 @@
                 return
 
         raise 'Invalid Permission', (
-            "The permission <em>%s</em> is invalid." % permission_to_manage)
+            "The permission <em>%s</em> is invalid." % 
+                escape(permission_to_manage))
         
     _normal_manage_access=DTMLFile('dtml/access', globals())
 
@@ -244,7 +246,7 @@
                     valid_roles)
         
         raise 'Invalid Permission', (
-            "The permission <em>%s</em> is invalid." % permission)
+            "The permission <em>%s</em> is invalid." % escape(permission))
 
     def acquiredRolesAreUsedBy(self, permission):
         "used by management screen"
@@ -256,7 +258,7 @@
                 return type(roles) is ListType and 'CHECKED' or ''
         
         raise 'Invalid Permission', (
-            "The permission <em>%s</em> is invalid." % permission)
+            "The permission <em>%s</em> is invalid." % escape(permission))
 
 
     # Local roles support



