Log message for revision 93507: Launchpad #174705: ensure that the error info object exposed to a 'tal:on_error' handler has attributes visible to restricted code.
Changed: U Zope/branches/2.11/doc/CHANGES.txt U Zope/branches/2.11/lib/python/Products/PageTemplates/Expressions.py U Zope/branches/2.11/lib/python/Products/PageTemplates/tests/testExpressions.py -=- Modified: Zope/branches/2.11/doc/CHANGES.txt =================================================================== --- Zope/branches/2.11/doc/CHANGES.txt 2008-12-01 18:07:36 UTC (rev 93506) +++ Zope/branches/2.11/doc/CHANGES.txt 2008-12-01 18:09:08 UTC (rev 93507) @@ -7,6 +7,9 @@ Zope 2.11.3 (unreleased) Bugs Fixed + + - Launchpad #174705: ensure that the error info object exposed to a + 'tal:on_error' handler has attributes visible to restricted code. - Testing.ZopeTestCase: Remove quota argument from DemoStorage calls in preparation for ZODB 3.9. Modified: Zope/branches/2.11/lib/python/Products/PageTemplates/Expressions.py =================================================================== --- Zope/branches/2.11/lib/python/Products/PageTemplates/Expressions.py 2008-12-01 18:07:36 UTC (rev 93506) +++ Zope/branches/2.11/lib/python/Products/PageTemplates/Expressions.py 2008-12-01 18:09:08 UTC (rev 93507) @@ -23,7 +23,9 @@ from zope.component import getUtility from zope.component.interfaces import ComponentLookupError from zope.interface import implements -from zope.tales.tales import Context, Iterator +from zope.tales.tales import Context +from zope.tales.tales import ErrorInfo as BaseErrorInfo +from zope.tales.tales import Iterator from zope.tales.expressions import PathExpr, StringExpr, NotExpr from zope.tales.expressions import DeferExpr, SubPathExpr, Undefs from zope.tales.pythonexpr import PythonExpr @@ -245,7 +247,24 @@ # objects return unicode(text) + def createErrorInfo(self, err, position): + # Override, returning an object accessible to untrusted code. + # See: https://bugs.launchpad.net/zope2/+bug/174705 + return ErrorInfo(err, position) + def evaluateCode(self, lang, code): + """ See ITALExpressionEngine. + + o This method is a fossil: nobody actually calls it, but the + interface requires it. + """ + raise NotImplementedError + +class ErrorInfo(BaseErrorInfo): + """Information about an exception passed to an on-error handler. + """ + __allow_access_to_unprotected_subobjects__ = True + class ZopeEngine(zope.app.pagetemplate.engine.ZopeEngine): _create_context = ZopeContext Modified: Zope/branches/2.11/lib/python/Products/PageTemplates/tests/testExpressions.py =================================================================== --- Zope/branches/2.11/lib/python/Products/PageTemplates/tests/testExpressions.py 2008-12-01 18:07:36 UTC (rev 93506) +++ Zope/branches/2.11/lib/python/Products/PageTemplates/tests/testExpressions.py 2008-12-01 18:09:08 UTC (rev 93507) @@ -227,11 +227,47 @@ self.assertEqual(resolver.resolve(None, 'äüö', None), u'\ufffd\ufffd\ufffd') +class ZopeContextTests(unittest.TestCase): + + def _getTargetClass(self): + from Products.PageTemplates.Expressions import ZopeContext + return ZopeContext + + def _makeOne(self, engine=None, contexts=None): + if engine is None: + engine = self._makeEngine() + if contexts is None: + contexts = {} + return self._getTargetClass()(engine, contexts) + + def _makeEngine(self): + class DummyEngine: + pass + return DummyEngine() + + def test_class_conforms_to_ITALExpressionEngine(self): + from zope.interface.verify import verifyClass + from zope.tal.interfaces import ITALExpressionEngine + verifyClass(ITALExpressionEngine, self._getTargetClass()) + + def test_instance_conforms_to_ITALExpressionEngine(self): + from zope.interface.verify import verifyObject + from zope.tal.interfaces import ITALExpressionEngine + verifyObject(ITALExpressionEngine, self._makeOne()) + + def test_createErrorInfo_returns_unrestricted_object(self): + # See: https://bugs.launchpad.net/zope2/+bug/174705 + context = self._makeOne() + info = context.createErrorInfo(AttributeError('nonesuch'), (12, 3)) + self.failUnless(info.type is AttributeError) + self.assertEqual(info.__allow_access_to_unprotected_subobjects__, 1) + def test_suite(): return unittest.TestSuite(( unittest.makeSuite(UntrustedEngineTests), unittest.makeSuite(TrustedEngineTests), - unittest.makeSuite(UnicodeEncodingConflictResolverTests) + unittest.makeSuite(UnicodeEncodingConflictResolverTests), + unittest.makeSuite(ZopeContextTests), )) if __name__=='__main__':
_______________________________________________ Zope-Checkins maillist - Zope-Checkins@zope.org http://mail.zope.org/mailman/listinfo/zope-checkins