[Zope-dev] Possible Zope 2.12 regression - Five page templates use restrictedTraverse for TAL

Tres Seaver tseaver at palladion.com
Mon Dec 14 16:45:59 EST 2009



Martin Aspeli wrote:
> On 13/12/09 16:49, Martin Aspeli wrote:
>> On 13/12/09 10:52, Tres Seaver wrote:
>>
>>> Doesn't smell like a regression to me:  the code there hasn't changed in
>>> a good long while.  Can you write a test case for it, so that we can
>>> test against earlier versions?
>> Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html
>>
>> This is the same problem.
>>
>> You said:
>>
>> "This is because
>> 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
>> 'python:' expressions;  path traversal is still governed by
>> 'boboAwareZopeTraverse', which uses 'restrictedTraverse'."
>>
>> and then:
>>
>> "As it turns out, it is only "partially trusted."  The attached patch
>> should make them "really trusted", at least for path expressions;  does
>> it help?  I haven't added any tests, although my 2.10 branch checkout
>> does pass all tests with this change"
>>
>> The attachment is here:
>>
>> http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachment.bin
>>
>> I'm going to poke around a Zope 2.12 checkout for a bit to see what
>> sense I can make of this.
> 
> Okay, so it turns out your patch has gotten lost from Zope 2.10 to Zope 
> 2.12.
> 
> This is the revision where it went in:
> 
> http://zope3.pov.lt/trac/changeset/77064/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py
> 
> I think that by accident this got committed with an unrelated change, 
> since the commit message says "Use Five 1.5.5" and there's a change in 
> svn:externals. Perhaps that's why this wasn't merged to trunk. The 
> latest merge I can see is at r71802.
> 
> This also makes me worry about 
> http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py?rev=78766 
> and 
> http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py?rev=93506, 
> which may not have been merged, but I'm too far down the rabbit hole now 
> to see clearly.
> 
> Anyway, I re-applied your patch to the Zope 2.12 branch. This broke one 
> test, in Products.Five:
> 
>    self.assertEqual(engine.types['standard'], ZopePathExpr)
> 
> I'd argue that this test is testing for precisely the wrong thing, so I 
> updated this assertion and the ones to follow to check for:
> 
>    self.assertEqual(engine.types['standard'], TrustedZopePathExpr)
> 
> This fixes the original issue I was seeing. All Zope 2.12 and Plone 4 
> tests pass with this as well.
> 
> I also think the fixed test in Five is now correct and sufficient, since 
> it checks that we get the trusted engine for ViewPageTemplateFile's. 
> Maybe we should have a functional test too, but I'm not sure how to set 
> that up.
> 
> I've committed this in r106436 and merged to trunk in r106437.

OK, sounds fine to me.  Can you merge to the 2.11 branch as well?  I
think Andreas will be releasing 2.9.x through 2.12.x fairly soon.

> If anyone objects, please let me know and I'll back it out. Otherwise, 
> I'm hopeful for a 2.12.2 soon, as this breaks a few things in Plone. :-/

Heh, and after you have been just posting about using SVN develop eggs
on your blog. ;)



Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
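A small model of the "partially trusted" engine discussed above, added here as an example that is not Zope's code or the patch from the thread: Doc, PathExpr, TrustedPathExpr and make_engine are hypothetical stand-ins, and restrictedTraverse/unrestrictedTraverse are reduced to a leading-underscore rule. It shows why a python: expression reaches a protected attribute while the same path expression is refused until 'standard' is registered with the trusted path type.

```python
# Added illustration, not Zope code: hypothetical stand-ins for the engine
# pieces named in the thread (engine.types, restrictedTraverse, trusted exprs).

class Forbidden(Exception):
    """Stand-in for Zope's Unauthorized, raised by restricted traversal."""

class Doc:
    """Constructed sample object: one public, one protected attribute."""
    title = "Public title"
    _secret = "only for trusted code"   # leading underscore: protected here
    def restrictedTraverse(self, name):
        # Simplified model of security-checked traversal (hypothetical rule).
        if name.startswith("_"):
            raise Forbidden(name)
        return getattr(self, name)
    def unrestrictedTraverse(self, name):
        return getattr(self, name)

class PathExpr:  # path expression that still goes through restrictedTraverse
    def __call__(self, context, path):
        return context.restrictedTraverse(path)

class TrustedPathExpr(PathExpr):  # what the patch registers for 'standard'
    def __call__(self, context, path):
        return context.unrestrictedTraverse(path)

def python_expr(context, code):
    # The trusted engine already evaluates python: expressions without checks.
    return eval(code, {"__builtins__": {}}, {"context": context})

def make_engine(trusted_paths):
    """Expression-type registry shaped like engine.types (hypothetical)."""
    return {"python": python_expr,
            "standard": TrustedPathExpr() if trusted_paths else PathExpr()}

def evaluate(engine, context, expr):
    """TALES-style dispatch: 'python:' prefix, or the default 'standard' type."""
    kind, body = expr.split(":", 1) if ":" in expr else ("standard", expr)
    return engine[kind](context, body)

def demo():
    """What each engine yields for the protected attribute."""
    doc, partial, full = Doc(), make_engine(False), make_engine(True)
    out = {"python_on_partial": evaluate(partial, doc, "python:context._secret"),
           "path_on_full": evaluate(full, doc, "_secret")}
    try:
        out["path_on_partial"] = evaluate(partial, doc, "_secret")
    except Forbidden:
        out["path_on_partial"] = "Forbidden"
    return out
```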