[Zope-Checkins] SVN: Zope/branches/2.9/ Backport fix for LP #490514: preserve tainting when calling into DTML from ZPT.

Tres Seaver tseaver at palladion.com
Mon Jan 11 16:36:17 EST 2010


Log message for revision 108033:
  Backport fix for LP #490514:  preserve tainting when calling into DTML from ZPT.
  

Changed:
  U   Zope/branches/2.9/doc/CHANGES.txt
  U   Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py
  U   Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py

-=-
Modified: Zope/branches/2.9/doc/CHANGES.txt
===================================================================
--- Zope/branches/2.9/doc/CHANGES.txt	2010-01-11 21:33:47 UTC (rev 108032)
+++ Zope/branches/2.9/doc/CHANGES.txt	2010-01-11 21:36:17 UTC (rev 108033)
@@ -6,6 +6,8 @@
 
   Zope 2.9.12 (2010/01/12)
 
+      - LP #490514:  preserve tainting when calling into DTML from ZPT.
+
       - LP #491224: proper escaping of rendered error message
 
   Zope 2.9.11 (2009/08/06)
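
Review bot: the new LP #490514 entry under Zope 2.9.12 does not say what was losing its taint or where. Since the code change is confined to how the request is pushed in ZRPythonExpr.py, naming the request explicitly (for example "preserve request tainting when python expressions in ZPT call into DTML") would let administrators judge from the changelog alone whether their templates are affected.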

Modified: Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py
===================================================================
--- Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py	2010-01-11 21:33:47 UTC (rev 108032)
+++ Zope/branches/2.9/lib/python/Products/PageTemplates/ZRPythonExpr.py	2010-01-11 21:36:17 UTC (rev 108033)
@@ -66,6 +66,8 @@
     this = ns.get('context', ns.get('here'))
     td.this = this
     request = ns.get('request', {})
+    if hasattr(request, 'taintWrapper'):
+        request = request.taintWrapper()
     td._push(request)
     td._push(InstanceDict(td.this, td))
     td._push(ns)
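
Review bot: the `hasattr(request, 'taintWrapper')` guard on the two added lines fails open. When `ns` carries no 'request' (the `{}` default on the line above) or an object without that method, the unwrapped object is pushed onto `td` exactly as before, with nothing to indicate that tainting was skipped. If that fallback is intended for callers without a real request, a one-line comment saying so would help; the same comment should state why the wrapper is needed here, so that a later cleanup does not drop the check as redundant.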

Modified: Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
===================================================================
--- Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py	2010-01-11 21:33:47 UTC (rev 108032)
+++ Zope/branches/2.9/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py	2010-01-11 21:36:17 UTC (rev 108033)
@@ -39,6 +39,18 @@
 
         result = call_with_ns(_find_request, names)
         self.assertEqual(result, {})
+
+    def test_call_with_request_preserves_tainting(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        class Request(dict):
+            def taintWrapper(self):
+                return {'tainted': 'found'}
+        context = ['context']
+        here = ['here']
+        names = {'context' : context, 'here': here, 'request' : Request()}
+
+        found = call_with_ns(lambda td: td['tainted'], names)
+        self.assertEqual(found, 'found')
  
 def test_suite():
     return unittest.makeSuite(MiscTests)
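
Review bot: `test_call_with_request_preserves_tainting` only proves that the wrapper's keys are reachable; because `Request()` is constructed empty, the test would still pass if the raw request were pushed in addition to the wrapper. Give the stub a key of its own, for example `Request(raw='x')`, and assert that `raw` is not found through `td`, so the test pins down that the wrapper replaces the request. Minor: `context` and `here` are set up but never asserted on, and `'context' : context` has a stray space before the colon that the other keys on that line do not all share.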


