[Zope-Checkins] SVN: Zope/trunk/ Collector #1498: Don't choke on malformed cookies. Cookies of the form

Florent Guillaume fg at nuxeo.com
Fri Nov 26 13:50:12 EST 2004


Log message for revision 28527:
  Collector #1498: Don't choke on malformed cookies. Cookies of the form
  "foo=bar; hmm; baz=gee" will give an empty value for 'hmm' instead of
  silently discarding it and the rest of the string. (Thanks to 'sirilyan'
  for the patch.)
  
  

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/OFS/CopySupport.py
  U   Zope/trunk/lib/python/OFS/tests/testCopySupport.py
  U   Zope/trunk/lib/python/ZPublisher/HTTPRequest.py
  U   Zope/trunk/lib/python/ZPublisher/tests/testHTTPRequest.py

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt	2004-11-26 18:45:37 UTC (rev 28526)
+++ Zope/trunk/doc/CHANGES.txt	2004-11-26 18:50:11 UTC (rev 28527)
@@ -45,11 +45,16 @@
         text/<foo> types
 
     Bugs fixed
-    
+
+      - Collector #1498: Don't choke on malformed cookies. Cookies of
+        the form "foo=bar; hmm; baz=gee" will give an empty value for
+        'hmm' instead of silently discarding it and the rest of the
+        string. (Thanks to 'sirilyan' for the patch.)
+
       - bin/zopectl test now uses os.execv, instead os os.system,
         so that options with characters that needs shell quoting
         doesn't break the command.
-      
+
       - Collector #945:  Allow adding empty PythonScript instances
         programmatically.
 

Modified: Zope/trunk/lib/python/OFS/CopySupport.py
===================================================================
--- Zope/trunk/lib/python/OFS/CopySupport.py	2004-11-26 18:45:37 UTC (rev 28526)
+++ Zope/trunk/lib/python/OFS/CopySupport.py	2004-11-26 18:50:11 UTC (rev 28527)
@@ -14,7 +14,7 @@
 
 $Id$
 """
-import re, sys,  Globals, Moniker, tempfile, ExtensionClass
+import re, sys, Globals, Moniker, tempfile, ExtensionClass
 from marshal import loads, dumps
 from urllib import quote, unquote
 from zlib import compress, decompress
@@ -29,6 +29,8 @@
 
 CopyError='Copy Error'
 
+copy_re = re.compile('^copy([0-9]*)_of_(.*)')
+
 _marker=[]
 class CopyContainer(ExtensionClass.Base):
     """Interface for containerish objects which allow cut/copy/paste"""
@@ -113,19 +115,17 @@
             return self.manage_main(self, REQUEST)
         return cp
 
-    copy_re=re.compile('^copy[0-9]*_of_')
-
     def _get_id(self, id):
         # Allow containers to override the generation of
         # object copy id by attempting to call its _get_id
         # method, if it exists.
-        copy_match=self.copy_re.match(id)
-        if (copy_match) and (copy_match.end() < len(id)):
-            n=1
-            orig_id=self.copy_re.sub('', id)
+        match = copy_re.match(id)
+        if match:
+            n = int(match.group(1) or '1')
+            orig_id = match.group(2)
         else:
-            n=0
-            orig_id=id
+            n = 0
+            orig_id = id
         while 1:
             if self._getOb(id, None) is None:
                 return id
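Review bot: The rewritten branch in `_get_id` has no comment stating the new numbering rule, and the log message for this revision does not mention the CopySupport change at all. A one-line comment above `match = copy_re.match(id)` would cover it, e.g. `# 'copyN_of_X' resumes numbering at N ('copy_of_X' counts as 1); X may be empty`. The old guard `copy_match.end() < len(id)` kept an id that was only the prefix as its own original, whereas the new pattern accepts an empty `group(2)`; the added testPasteSpecialName suggests this is intended, but it should be stated. `copy_re` also moves from a class attribute to a module global, so any subclass or caller outside this diff that still reads `self.copy_re` would now fail. The `while 1:` loop continues outside the hunk.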

Modified: Zope/trunk/lib/python/OFS/tests/testCopySupport.py
===================================================================
--- Zope/trunk/lib/python/OFS/tests/testCopySupport.py	2004-11-26 18:45:37 UTC (rev 28526)
+++ Zope/trunk/lib/python/OFS/tests/testCopySupport.py	2004-11-26 18:50:11 UTC (rev 28527)
@@ -183,6 +183,43 @@
         self.failUnless( 'copy_of_file' in self.folder2.objectIds() )
         self.failUnless( result == [{'id':'file', 'new_id':'copy_of_file'}])
 
+    def testPasteSingleSameIDMultipleTimes(self):
+        cookie = self.folder1.manage_copyObjects(ids=('file',))
+        result = self.folder1.manage_pasteObjects(cookie)
+        self.assertEqual(self.folder1.objectIds(), ['file', 'copy_of_file'])
+        self.assertEqual(result, [{'id':'file', 'new_id':'copy_of_file'}])
+        # make another copy of file
+        cookie = self.folder1.manage_copyObjects(ids=('file',))
+        result = self.folder1.manage_pasteObjects(cookie)
+        self.assertEqual(self.folder1.objectIds(),
+                         ['file', 'copy_of_file', 'copy2_of_file'])
+        self.assertEqual(result, [{'id':'file', 'new_id':'copy2_of_file'}])
+        # now copy the copy
+        cookie = self.folder1.manage_copyObjects(ids=('copy_of_file',))
+        result = self.folder1.manage_pasteObjects(cookie)
+        self.assertEqual(self.folder1.objectIds(),
+                         ['file', 'copy_of_file', 'copy2_of_file',
+                         'copy3_of_file'])
+        self.assertEqual(result, [{'id':'copy_of_file',
+                                   'new_id':'copy3_of_file'}])
+        # or copy another copy
+        cookie = self.folder1.manage_copyObjects(ids=('copy2_of_file',))
+        result = self.folder1.manage_pasteObjects(cookie)
+        self.assertEqual(self.folder1.objectIds(),
+                         ['file', 'copy_of_file', 'copy2_of_file',
+                         'copy3_of_file', 'copy4_of_file'])
+        self.assertEqual(result, [{'id':'copy2_of_file',
+                                   'new_id':'copy4_of_file'}])
+
+    def testPasteSpecialName(self):
+        manage_addFile(self.folder1, 'copy_of_',
+                       file='', content_type='text/plain')
+        cookie = self.folder1.manage_copyObjects(ids=('copy_of_',))
+        result = self.folder1.manage_pasteObjects(cookie)
+        self.assertEqual(self.folder1.objectIds(),
+                         ['file', 'copy_of_', 'copy2_of_'])
+        self.assertEqual(result, [{'id':'copy_of_', 'new_id':'copy2_of_'}])
+
     def testPasteMultiNotSameID( self ):
         self.failUnless( 'file' in self.folder1.objectIds() )
         self.failIf( 'file1' in self.folder1.objectIds() )

Modified: Zope/trunk/lib/python/ZPublisher/HTTPRequest.py
===================================================================
--- Zope/trunk/lib/python/ZPublisher/HTTPRequest.py	2004-11-26 18:45:37 UTC (rev 28526)
+++ Zope/trunk/lib/python/ZPublisher/HTTPRequest.py	2004-11-26 18:50:11 UTC (rev 28527)
@@ -1438,6 +1438,8 @@
                     '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)'),
                  parmre=re.compile(
                     '([\x00- ]*([^\x00- ;,="]+)=([^\x00- ;,"]*)([\x00- ]*[;,])?[\x00- ]*)'),
+                 paramlessre=re.compile(
+                    '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)'),
 
                  acquire=parse_cookie_lock.acquire,
                  release=parse_cookie_lock.release,
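Review bot: `paramlessre` only matches a bare name that is followed by `;` or `,`, so a valueless name at the very end of the header (constructed example: `foo=bar; hmm`) is still not recognised and reaches the `return result` fallback in the next hunk. If that asymmetry is intended, say so next to the pattern, e.g. `# name with no '=' and no value; must be terminated by ';' or ','`. The character class `[\x00- ]` is also undocumented; a short comment that it means any control character or space would help whoever next touches these three patterns. The enclosing function (presumably parse_cookie, going by the lock name) starts and ends outside this hunk.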
@@ -1469,8 +1471,16 @@
                 value = mo_p.group(3)
 
             else:
-                return result
+                # Broken Cookie without = nor value.
+ 		broken_p = paramlessre.match(text)
+ 		if broken_p:
+ 		    l = len(broken_p.group(1))
+ 		    name = broken_p.group(2)
+ 		    value = ''
 
+                else:
+                    return result
+
     finally: release()
 
     if not already_have(name): result[name]=value
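Review bot: The five added lines from `broken_p = paramlessre.match(text)` to `value = ''` are indented with a space followed by tab characters, while the comment above them and the new `else:` use spaces only. The block lines up only when a tab expands to 8 columns, and `python -tt` rejects the mix; re-indent with spaces (16 for `broken_p = ...` and `if broken_p:`, 20 for the three assignments). Separately, the last line of the hunk keeps the first value seen for a name (`if not already_have(name): result[name]=value`), so a bare `hmm` now records `''` and a later `hmm=x` in the same header is ignored. If that precedence is intended it deserves a comment, since a valueless token was previously never stored. The function body starts outside the hunk.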

Modified: Zope/trunk/lib/python/ZPublisher/tests/testHTTPRequest.py
===================================================================
--- Zope/trunk/lib/python/ZPublisher/tests/testHTTPRequest.py	2004-11-26 18:45:37 UTC (rev 28526)
+++ Zope/trunk/lib/python/ZPublisher/tests/testHTTPRequest.py	2004-11-26 18:50:11 UTC (rev 28527)
@@ -564,7 +564,26 @@
         self._noTaintedValues(req)
         self._onlyTaintedformHoldsTaintedStrings(req)
 
+    def testCookieParsing(self):
+        env = {'SERVER_NAME': 'testingharnas', 'SERVER_PORT': '80'}
 
+        env['HTTP_COOKIE'] = 'foo=bar; baz=gee'
+        req = self._getHTTPRequest(env)
+        self.assertEquals(req.cookies['foo'], 'bar')
+        self.assertEquals(req.cookies['baz'], 'gee')
+
+        env['HTTP_COOKIE'] = 'foo=bar; baz="gee, like, e=mc^2"'
+        req = self._getHTTPRequest(env)
+        self.assertEquals(req.cookies['foo'], 'bar')
+        self.assertEquals(req.cookies['baz'], 'gee, like, e=mc^2')
+
+        # Collector #1498: empty cookies
+        env['HTTP_COOKIE'] = 'foo=bar; hmm; baz=gee'
+        req = self._getHTTPRequest(env)
+        self.assertEquals(req.cookies['foo'], 'bar')
+        self.assertEquals(req.cookies['hmm'], '')
+        self.assertEquals(req.cookies['baz'], 'gee')
+
 TEST_ENVIRON = {
     'CONTENT_TYPE': 'multipart/form-data; boundary=12345',
     'REQUEST_METHOD': 'POST',
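Review bot: testCookieParsing exercises the valueless cookie only in the middle of the header, so the boundary cases of the new parser branch are not pinned. Add assertions for a valueless name at the end of the header (constructed example: `env['HTTP_COOKIE'] = 'foo=bar; hmm'`) and for a name that appears first without a value and then with one (`'hmm; hmm=x'`), asserting whatever result is intended for each. A case with a segment that matches none of the three patterns would also record that the rest of the header still appears to be dropped there. The test class starts outside the hunk.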


