[Zope-Checkins] SVN: Zope/trunk/ Prevent ZPublisher from inserting incorrect <base/> tags into the

Brian Sutherland jinty at web.de
Mon Mar 26 13:37:08 EDT 2007


Log message for revision 73639:
  Prevent ZPublisher from inserting incorrect <base/> tags into the
  headers of plain html files served from Zope3 resource directories.
  
  Also cleanup whitespace in CHANGES.txt.
  

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/Products/Five/browser/resource.py
  U   Zope/trunk/lib/python/Products/Five/browser/tests/resource_ftest.txt
  A   Zope/trunk/lib/python/Products/Five/browser/tests/resource_subdir/resource.html

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt	2007-03-26 16:27:10 UTC (rev 73638)
+++ Zope/trunk/doc/CHANGES.txt	2007-03-26 17:37:07 UTC (rev 73639)
@@ -70,7 +70,7 @@
         ISO-8859-15. For other encodings you might set the environment variable
         ZPT_REFERRED_ENCODING to insert your preferred encoding in front of
         utf-8 and ISO-8859-15 within the encoding sniffer code.
-        
+
         In addition there is a new 'output_encodings' property that controls
         the conversion from/to unicode for WebDAV/FTP operations.
 
@@ -80,12 +80,12 @@
         Products/PageTemplates/(configure.zcml, unicodeconflictresolver.py,
         interfaces.py)
 
-      - AccessControl.Role: added new method 
+      - AccessControl.Role: added new method
         manage_getUserRolesAndPermissions().
- 
-      - AccessControl: the form behind the "Security" tab has a new form 
-        for user-related reporting of permissions and roles 
 
+      - AccessControl: the form behind the "Security" tab has a new form
+        for user-related reporting of permissions and roles
+
     Bugs Fixed
 
       - Collector #2298: webdav.Resource.COPY and webdav.Resource.MOVE did
@@ -97,7 +97,7 @@
 
       - Collector #2294: Protected DOS-able ControlPanel methods with the
         same 'requestmethod' wrapper.
-  
+
       - Collector #2294: Protected various security mutators with a new
         'postonly' decorator.  The decorator limits method publishing to
         POST requests only, and is a backport from Zope 2.11's requestmethod
@@ -109,9 +109,9 @@
         is looked up.
 
       - PageTemplate/ZRPythonExpr.py: expressions represented as unicode string
-        caused UnicodeDecodeErrors. 
+        caused UnicodeDecodeErrors.
 
-      - PluginIndexes: Fixed 'parseIndexRequest' for false values. 
+      - PluginIndexes: Fixed 'parseIndexRequest' for false values.
 
       - Collector #2269: fixed broken ZPT FTP support
 
@@ -190,6 +190,9 @@
 
       - Collector #2187: PUT_factory broken (fwd port from 2.10 branch).
 
+      - Prevent ZPublisher from insering incorrect <base/> tags into the
+        headers of plain html files served from Zope3 resource directories.
+
     Other Changes
 
       - Disabled docutils file inclusion completely, rather than trying
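Review bot: the added "Bugs Fixed" entry misspells "inserting" as "insering" on its first line; fix it before the text is forward-ported or copied into release notes. The entry also names neither a Collector number nor the component, so a reader of CHANGES.txt cannot tell that the change lives in Products/Five/browser/resource.py; prefixing it with "Five:" would match how neighbouring entries name their package.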

Modified: Zope/trunk/lib/python/Products/Five/browser/resource.py
===================================================================
--- Zope/trunk/lib/python/Products/Five/browser/resource.py	2007-03-26 16:27:10 UTC (rev 73638)
+++ Zope/trunk/lib/python/Products/Five/browser/resource.py	2007-03-26 17:37:07 UTC (rev 73639)
@@ -61,6 +61,9 @@
 
     def render(self):
         """Rendered content"""
+        # ZPublisher might have called setBody with an incorrect URL
+        # we definitely don't want that if we are plain html
+        self.request.RESPONSE.setBase(None)
         pt = self.context
         return pt(self.request)
 
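Review bot: the new comment in render() names setBody, but the line under it clears the base with setBase(None); state which ZPublisher call actually records the incorrect URL so the comment and the code agree. The reset is also unconditional: any base set earlier in the request is discarded on every render() of this resource, not only "if we are plain html" as the comment says, so either guard the call or document that these resources never want a base. Since a base element decides where every relative link and script in the page resolves, the comment should spell out which value is being thrown away and why it is wrong.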

Modified: Zope/trunk/lib/python/Products/Five/browser/tests/resource_ftest.txt
===================================================================
--- Zope/trunk/lib/python/Products/Five/browser/tests/resource_ftest.txt	2007-03-26 16:27:10 UTC (rev 73638)
+++ Zope/trunk/lib/python/Products/Five/browser/tests/resource_ftest.txt	2007-03-26 17:37:07 UTC (rev 73639)
@@ -78,6 +78,33 @@
   <BLANKLINE>
 
 
+We also can traverse into sub-directories:
+
+  >>> print http(r'''
+  ... GET /test_folder_1_/testoid/++resource++fivetest_resources/resource_subdir/resource.txt HTTP/1.1
+  ... Authorization: Basic manager:r00t
+  ... ''')
+  HTTP/1.1 200 OK
+  ...
+  This is a resource in a subdirectory of a normal resource to test traversal.
+  <BLANKLINE>
+
+  >>> print http(r'''
+  ... GET /test_folder_1_/testoid/++resource++fivetest_resources/resource_subdir/resource.html HTTP/1.1
+  ... Authorization: Basic manager:r00t
+  ... ''')
+  HTTP/1.1 200 OK
+  ...
+  <html>
+      <head>
+      </head>
+      <body>
+          This .html should not have a base tag automatically
+          added to the header.
+      </body>
+  </html>
+  <BLANKLINE>
+
 Clean up
 --------
 
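Review bot: the first added request fetches resource_subdir/resource.txt, but the Changed list for this revision only adds resource_subdir/resource.html, so the test depends on a file that must already be in the tree; confirm it exists there. The html case shows the absence of a base tag only through an exact match of the empty <head> block; an additional explicit check that "<base" does not occur in the response would keep the intent intact if the fixture is edited later.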

Added: Zope/trunk/lib/python/Products/Five/browser/tests/resource_subdir/resource.html
===================================================================
--- Zope/trunk/lib/python/Products/Five/browser/tests/resource_subdir/resource.html	2007-03-26 16:27:10 UTC (rev 73638)
+++ Zope/trunk/lib/python/Products/Five/browser/tests/resource_subdir/resource.html	2007-03-26 17:37:07 UTC (rev 73639)
@@ -0,0 +1,8 @@
+<html>
+    <head>
+    </head>
+    <body>
+        This .html should not have a base tag automatically
+        added to the header.
+    </body>
+</html>


