[Zope-Checkins] CVS: Zope/lib/python/ZTUtils - SimpleTree.py:1.5 Tree.py:1.18

Tres Seaver tseaver at zope.com
Thu Jan 15 18:00:48 EST 2004


Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv22749

Modified Files:
	SimpleTree.py Tree.py 
Log Message:


  - SimpleTree.py:  CGI escapes (merged from 2.6 / 2.7 audit).

  - Tree.py:  prevent DoS against tree state cookie decompression (merged
    from 2.6 / 2.7 audit).


=== Zope/lib/python/ZTUtils/SimpleTree.py 1.4 => 1.5 ===
--- Zope/lib/python/ZTUtils/SimpleTree.py:1.4	Thu Oct  3 17:08:40 2002
+++ Zope/lib/python/ZTUtils/SimpleTree.py	Thu Jan 15 18:00:17 2004
@@ -16,6 +16,7 @@
 __version__='$Revision$'[11:-2]
 
 from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
 
 class SimpleTreeNode(TreeNode):
     def branch(self):
@@ -35,9 +36,10 @@
         obid = self.id
         pre = self.aq_acquire('tree_pre')
 
-        return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
-                                                      exnum, obid, obid),
-        'img': '<img src="%s/p_/%s" alt="%s" border="0">' % (base, img, setst)}
+        return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+                        (pre, setst[0], exnum, obid, obid),
+                'img': '<img src="%s/p_/%s" alt="%s" border="0">' % \
+                        (escape(base, 1), img, setst)}
 
 
 class SimpleTreeMaker(TreeMaker):
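Review bot: Only `base` is passed through `escape` in the new `img` value; `img` and `setst` are still interpolated raw into the `src` and `alt` attributes, and `pre` and `obid` go unescaped into the `link` href. Whether those four are trusted constants is not visible from this hunk (the enclosing `branch` method starts in the previous hunk and their origins are outside it), so if any of them can carry user-influenced text they need the same quoting treatment, e.g. `(escape(base, 1), escape(img, 1), escape(setst, 1))` for the `img` tuple. As a point of style, the `\` continuations inside the braces are redundant because the dict literal already keeps the expression open across lines.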


=== Zope/lib/python/ZTUtils/Tree.py 1.17 => 1.18 ===
--- Zope/lib/python/ZTUtils/Tree.py:1.17	Thu Dec 11 13:02:15 2003
+++ Zope/lib/python/ZTUtils/Tree.py	Thu Jan 15 18:00:17 2004
@@ -220,7 +220,7 @@
                            type(0L):1, type(None):1 }.has_key):
     return is_simple(type(ob))
 
-from binascii import b2a_base64, a2b_base64
+import base64
 from string import translate, maketrans
 import zlib
 
@@ -232,23 +232,11 @@
 
     Encoded string use only alpahnumeric characters, and "._-".
     '''
-    s = str(s)
-    if len(s) <= 57:
-        return translate(b2a_base64(s)[:-1], a2u_map)
-    frags = []
-    for i in range(0, len(s), 57):
-        frags.append(b2a_base64(s[i:i + 57])[:-1])
-    return translate(''.join(frags), a2u_map)
+    return translate(base64.encodestring(str(s)), a2u_map)
 
 def a2b(s):
     '''Decode a b2a-encoded string.'''
-    s = translate(s, u2a_map)
-    if len(s) <= 76:
-        return a2b_base64(s)
-    frags = []
-    for i in range(0, len(s), 76):
-        frags.append(a2b_base64(s[i:i + 76]))
-    return ''.join(frags)
+    return base64.decodestring(translate(s, u2a_map))
 
 def encodeExpansion(nodes, compress=1):
     '''Encode the expanded node ids of a tree into a string.
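Review bot: `b2a` now returns the output of `base64.encodestring` unmodified, and in Python 2 that output carries a newline after every 76 characters plus a trailing one; the removed lines stripped that trailing newline with `[:-1]` before translating. `string.translate` with a map and no deletions argument does not remove characters, so unless `a2u_map` (defined outside this hunk) maps `'\n'` to something, the result no longer meets the docstring's "only alphanumeric characters and ._-" promise and a raw newline ends up in the cookie or URL value. Dropping the line breaks before translating keeps the contract: `return translate(base64.encodestring(str(s)).replace('\n', ''), a2u_map)`; `a2b` needs no matching change since `base64.decodestring` accepts input without line breaks.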
@@ -288,8 +276,9 @@
     if s[0] == ':': # Compressed state
         dec = zlib.decompressobj()
         s = dec.decompress(a2b(s[1:]), maxsize)
-        if dec.decompress('', 1):
+        if dec.unconsumed_tail:
             raise ValueError('Encoded node map too large')
+        del dec
     
     map = m = {}
     mstack = []
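Review bot: `dec.unconsumed_tail` is only populated when the output limit stopped zlib before it had read all of the input; zlib can also consume the whole input and still hold output it has not emitted yet (a back-reference copy interrupted by the limit), in which case the tail is empty, no error is raised and `s` is silently truncated at `maxsize` and handed to the parser below. A check that does not depend on zlib's input bookkeeping is to allow one byte of headroom and test the length: `s = dec.decompress(a2b(s[1:]), maxsize + 1)` followed by `if dec.unconsumed_tail or len(s) > maxsize:`. The enclosing function begins before this hunk, and `maxsize` is bound outside it.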



