Log message for revision 38709: - Collector #1863: Prevent possibly sensitive information from leaking via the TransientObject's __repr__ method.
Changed: U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt U Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py U Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py -=- Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt =================================================================== --- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2005-09-30 22:53:49 UTC (rev 38708) +++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2005-10-01 13:20:29 UTC (rev 38709) @@ -31,6 +31,9 @@ Bugs Fixed + - Collector #1863: Prevent possibly sensitive information to leak via + the TransientObject's __repr__ method. + - Repaired 'handle_errors' usage for doctests, along with the supporting 'debug' argument passed to 'ZPublisher.Test.publish_module'. Modified: Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py =================================================================== --- Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py 2005-09-30 22:53:49 UTC (rev 38708) +++ Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py 2005-10-01 13:20:29 UTC (rev 38709) @@ -256,8 +256,8 @@ return "%s%s" % (t, d) def __repr__(self): - return "id: %s, token: %s, contents: %s" % ( - self.id, self.token, `self.items()` + return "id: %s, token: %s, contents keys: %s" % ( + self.id, self.token, `self.keys()` ) def lastmodified_sort(d1, d2): Modified: Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py =================================================================== --- Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py 2005-09-30 22:53:49 UTC (rev 38708) +++ Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py 2005-10-01 13:20:29 UTC (rev 38709) 
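Review bot: The rewritten `__repr__` still interpolates `self.token` next to the key list, so the identifier that names the session ends up in the same error-log output the change is meant to sanitise; if, as the name suggests, the token is the browser id carried by the session cookie, it is at least as sensitive as a stored value. Consider dropping it or showing only a prefix, e.g. `return "id: %s, contents keys: %s" % (self.id, repr(self.keys()))`, and add a why-comment above the return such as `# Values are deliberately not shown: repr() ends up in error logs (Collector #1863).`. The backtick spelling of repr is the old form; `repr(self.keys())` reads the same and is easier to grep for. The enclosing class starts outside the hunk.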
@@ -115,6 +115,14 @@ t.delete('foobie') self.assertEqual(t.get('foobie'), None) + def test_repr_leaking_information(self): + # __repr__ used to show all contents, which could lead to sensitive + # information being visible in e.g. the ErrorLog object. + t = self.t.new('password-storing-session') + t.set('__ac_password__', 'secret') + self.failIf( repr(t).find('secret') != -1 + , '__repr__ leaks: %s' % repr(t) + ) def test_suite(): testsuite = makeSuite(TestTransientObject, 'test')
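Review bot: `self.failIf( repr(t).find('secret') != -1, ...)` is a roundabout spelling of a substring test; `self.failIf('secret' in repr(t), '__repr__ leaks: %s' % repr(t))` states the intent directly and keeps the same diagnostic. The test also only checks that the value is absent; a companion assertion that the key name is still present, e.g. `self.failUnless('__ac_password__' in repr(t))`, would pin down that the repr keeps its debugging value rather than merely going blank. `self.t` is set up outside the hunk.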