[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - HTTPResponse.py:1.79 xmlrpc.py:1.17

Tres Seaver tseaver at zope.com
Thu Jan 15 18:02:08 EST 2004


Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv23317/ZPublisher

Modified Files:
	HTTPResponse.py xmlrpc.py 
Log Message:


  - HTTPResponse.py:  CGI escapes (merged from 2.6 / 2.7 audit).

  - xmlrpc.py:  Exclude "private" attributes when marshalling an instance
    as an XML-RPC dict (merged from 2.6 / 2.7 audit).


=== Zope/lib/python/ZPublisher/HTTPResponse.py 1.78 => 1.79 ===
--- Zope/lib/python/ZPublisher/HTTPResponse.py:1.78	Fri Dec 26 18:48:18 2003
+++ Zope/lib/python/ZPublisher/HTTPResponse.py	Thu Jan 15 18:02:08 2004
@@ -461,7 +461,8 @@
                     ibase = base_re_search(body)
                     if ibase is None:
                         self.body = ('%s\n<base href="%s" />\n%s' %
-                                   (body[:index], self.base, body[index:]))
+                                   (body[:index], self.quoteHTML(self.base),
+                                    body[index:]))
                         self.setHeader('content-length', len(self.body))
 
     def appendCookie(self, name, value):
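Review bot: the escaping is applied only to `self.base` when it is interpolated into the `href` attribute, so the fix depends on `quoteHTML` escaping the double quote as well as `<`, `>` and `&`; if it only covers the latter three, a value containing `"` can still close the attribute. Worth confirming `quoteHTML` covers attribute context, since the value lands inside `<base href="..." />`. Also note the Content-Length header is recomputed from the new body after the escape, which is correct since escaping changes the length.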


=== Zope/lib/python/ZPublisher/xmlrpc.py 1.16 => 1.17 ===
--- Zope/lib/python/ZPublisher/xmlrpc.py:1.16	Wed Jul 23 14:12:26 2003
+++ Zope/lib/python/ZPublisher/xmlrpc.py	Thu Jan 15 18:02:08 2004
@@ -100,6 +100,16 @@
             # Convert Fault object to XML-RPC response.
             body=xmlrpclib.dumps(body, methodresponse=1)
         else:
+            if type(body) == InstanceType:
+                # Avoid disclosing private members. Private members are
+                # by convention named with a leading underscore char.
+                orig = body.__dict__
+                dict = {}
+                for key in orig.keys():
+                    if key[:1] != '_':
+                        dict[key] = orig[key]
+                body = dict
+
             # Marshall our body as an XML-RPC response. Strings will be sent
             # strings, integers as integers, etc. We do *not* convert
             # everything to a string first.
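Review bot: the filter only strips leading-underscore keys from the top-level `body.__dict__`; instances stored as attribute values are passed to `xmlrpclib.dumps` unchanged and will be marshalled with their full `__dict__`, so private members one level down are still disclosed. Consider applying the same filter recursively (or to the marshaller) rather than only at the top level. Two smaller points: `type(body) == InstanceType` only matches old-style instances, and `InstanceType` must be imported from `types` (not visible in this hunk); and the local named `dict` shadows the builtin, so `filtered = {}` would read better.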
