Log message for revision 124395: Make ObjectManager's ``get`` and ``__getitem__`` return only "items". No longer return attributes / methods from the class or from acquisition. Thanks to Richard Mitchell at Netsight for the report.
Changed: U Zope/trunk/doc/CHANGES.rst U Zope/trunk/src/OFS/ObjectManager.py U Zope/trunk/src/OFS/tests/testApplication.py U Zope/trunk/src/OFS/tests/testObjectManager.py -=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst 2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/doc/CHANGES.rst 2012-02-14 19:04:29 UTC (rev 124395)
@@ -11,6 +11,10 @@
 Bugs Fixed
 ++++++++++
+- Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only
+  "items" (no attributes / methods from the class or from acquisition).
+  Thanks to Richard Mitchell at Netsight for the report.
+
 - Removed HTML tags from exception text of ``Unauthorized`` exception because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed.
Modified: Zope/trunk/src/OFS/ObjectManager.py
===================================================================
--- Zope/trunk/src/OFS/ObjectManager.py 2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/src/OFS/ObjectManager.py 2012-02-14 19:04:29 UTC (rev 124395)
@@ -23,6 +23,7 @@
 import re
 import sys
 import time
+from types import NoneType
 from AccessControl import ClassSecurityInfo
 from AccessControl.class_init import InitializeClass
@@ -757,12 +758,13 @@
         return self.manage_delObjects(ids=[name])
     def __getitem__(self, key):
-        v=self._getOb(key, None)
-        if v is not None: return v
-        if hasattr(self, 'REQUEST'):
-            request=self.REQUEST
+        if key in self:
+            return self._getOb(key, None)
+        request = getattr(self, 'REQUEST', None)
+        if not isinstance(request, (str, NoneType)):
             method=request.get('REQUEST_METHOD', 'GET')
-            if request.maybe_webdav_client and not method in ('GET', 'POST'):
+            if (request.maybe_webdav_client and
+                method not in ('GET', 'POST')):
                 return NullResource(self, key, request).__of__(self)
         raise KeyError, key
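Review bot: The new `if key in self:` branch returns `self._getOb(key, None)` unconditionally, so a key that `__contains__` reports but whose attribute is absent makes `__getitem__` return `None` instead of raising `KeyError`, whereas the old code only returned when `_getOb` actually found something. If `__contains__` is backed by `_objects` (the `testApplication.py` change that has to seed `app._objects` suggests it is), a stale `_objects` entry now yields a silent `None` rather than the `KeyError`/`NullResource` path; keeping the guard inside the branch, `v = self._getOb(key, None)` / `if v is not None: return v`, and letting a miss fall through preserves the mapping contract. The `isinstance(request, (str, NoneType))` test is not self-explaining either; a comment such as `# REQUEST may be absent or a placeholder string outside a real request; only a true request object supports the WebDAV probe` would record the intent, assuming that is the case being handled. `types.NoneType` is Python 2-only; `type(None)` would avoid the new import, which only matters if a Python 3 port is in view.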
@@ -783,7 +785,9 @@
     security.declareProtected(access_contents_information, 'get')
     def get(self, key, default=None):
-        return self._getOb(key, default)
+        if key in self:
+            return self._getOb(key, default)
+        return default
     security.declareProtected(access_contents_information, 'keys')
     def keys(self):
Modified: Zope/trunk/src/OFS/tests/testApplication.py
===================================================================
--- Zope/trunk/src/OFS/tests/testApplication.py 2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/src/OFS/tests/testApplication.py 2012-02-14 19:04:29 UTC (rev 124395)
@@ -57,6 +57,7 @@
     def test___bobo_traverse__attribute_miss_key_hit(self):
         app = self._makeOne()
         app._getOb = lambda x, y: x
+        app._objects = [{'id': 'OTHER', 'meta_type': None}]
         request = {}
         self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER')
Modified: Zope/trunk/src/OFS/tests/testObjectManager.py
===================================================================
--- Zope/trunk/src/OFS/tests/testObjectManager.py 2012-02-14 19:04:05 UTC (rev 124394)
+++ Zope/trunk/src/OFS/tests/testObjectManager.py 2012-02-14 19:04:29 UTC (rev 124395)
@@ -412,6 +412,22 @@
         om = self._makeOne()
         self.assertTrue(om)
+    def test___getitem___miss(self):
+        om = self._makeOne()
+        self.assertRaises(KeyError, om.__getitem__, 'nonesuch')
+
+    def test___getitem___miss_w_non_instance_attr(self):
+        om = self._makeOne()
+        self.assertRaises(KeyError, om.__getitem__, 'get')
+
+    def test___getitem___hit(self):
+        om = self._makeOne()
+        si1 = SimpleItem('1')
+        om['1'] = si1
+        got = om['1']
+        self.assertTrue(got.aq_self is si1)
+        self.assertTrue(got.aq_parent is om)
+
     def test_get_miss_wo_default(self):
         om = self._makeOne()
         self.assertEqual(om.get('nonesuch'), None)
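Review bot: `get` now returns only contained sub-objects — never class attributes or names reached through acquisition — and nothing in the method records that narrower contract, so the next reader has to find it in CHANGES.rst. A docstring such as `"""Return the sub-object with id ``key``, or ``default`` when there is none. Attributes of the class and acquired names are never returned."""` would make the guarantee explicit at the call site. The same sentence belongs on `__getitem__` in the previous hunk, which has no docstring either.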
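Review bot: None of the added tests covers the acquisition case the changelog names: `test___getitem___miss_w_non_instance_attr` probes `'get'`, a class attribute, so a name that resolves only through an acquisition parent stays untested, and the same gap applies to `test_get_miss_w_non_instance_attr` in the next hunk. Wrapping the manager in a container that carries the attribute and asserting `KeyError` (and `None` for `get`) would pin that path. This assumes `_makeOne()` returns an acquisition-capable manager, as the `aq_parent` assertion in `test___getitem___hit` suggests.
```python
    def test___getitem___miss_w_acquired_attr(self):
        parent = self._makeOne()
        parent.acquired_attr = object()
        om = self._makeOne().__of__(parent)
        self.assertRaises(KeyError, om.__getitem__, 'acquired_attr')

    def test_get_miss_w_acquired_attr(self):
        parent = self._makeOne()
        parent.acquired_attr = object()
        om = self._makeOne().__of__(parent)
        self.assertEqual(om.get('acquired_attr'), None)
```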
@@ -421,6 +437,10 @@
         obj = object()
         self.assertTrue(om.get('nonesuch', obj) is obj)
+    def test_get_miss_w_non_instance_attr(self):
+        om = self._makeOne()
+        self.assertEqual(om.get('get'), None)
+
     def test_get_hit(self):
         om = self._makeOne()
         si1 = SimpleItem('1')
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org https://mail.zope.org/mailman/listinfo/zope-checkins