Log message for revision 38709:
  - Collector #1863: Prevent possibly sensitive information from leaking via
    the TransientObject's __repr__ method.
  

Changed:
  U   Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
  U   
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py
  U   
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py

-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt       2005-09-30 22:53:49 UTC 
(rev 38708)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt       2005-10-01 13:20:29 UTC 
(rev 38709)
@@ -31,6 +31,9 @@
 
     Bugs Fixed
 
+      - Collector #1863: Prevent possibly sensitive information to leak via
+        the TransientObject's __repr__ method.
+
       - Repaired 'handle_errors' usage for doctests, along with the
         supporting 'debug' argument passed to
         'ZPublisher.Test.publish_module'.

Modified: 
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py
===================================================================
--- 
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py 
    2005-09-30 22:53:49 UTC (rev 38708)
+++ 
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/TransientObject.py 
    2005-10-01 13:20:29 UTC (rev 38709)
@@ -256,8 +256,8 @@
         return "%s%s" % (t, d)
 
     def __repr__(self):
-        return "id: %s, token: %s, contents: %s" % (
-            self.id, self.token, `self.items()`
+        return "id: %s, token: %s, contents keys: %s" % (
+            self.id, self.token, `self.keys()`
             )
 
 def lastmodified_sort(d1, d2):
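Review bot: The new `__repr__` on the `+` lines still interpolates `self.token`, so whatever the token is (it looks like the key handed to `new()`, judging by `self.t.new('password-storing-session')` in the tests) continues to be written wherever a repr is logged, such as the ErrorLog the commit message cites. If that token is the browser/session id, logging it is its own disclosure: anyone who can read the error log can replay the session it identifies, which is arguably worse than seeing a single stored value. I would drop it from the repr, e.g. `return "id: %s, contents keys: %s" % (self.id, `self.keys()`)`, with a comment stating that values and the token are deliberately omitted because reprs end up in error logs. Key names can be telling too (`__ac_password__` reveals that a password is stored) but are far less sensitive than the value or the token, so listing them seems a reasonable debugging compromise. The enclosing class starts before the hunk.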

Modified: 
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py
===================================================================
--- 
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py
   2005-09-30 22:53:49 UTC (rev 38708)
+++ 
Zope/branches/Zope-2_8-branch/lib/python/Products/Transience/tests/testTransientObject.py
   2005-10-01 13:20:29 UTC (rev 38709)
@@ -115,6 +115,14 @@
         t.delete('foobie')
         self.assertEqual(t.get('foobie'), None)
 
+    def test_repr_leaking_information(self):
+        # __repr__ used to show all contents, which could lead to sensitive
+        # information being visible in e.g. the ErrorLog object.
+        t = self.t.new('password-storing-session')
+        t.set('__ac_password__', 'secret')
+        self.failIf( repr(t).find('secret') != -1
+                   , '__repr__ leaks: %s' % repr(t)
+                   ) 
 
 def test_suite():
     testsuite = makeSuite(TestTransientObject, 'test')
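Review bot: The assertion at the end of `test_repr_leaking_information` is a double negative, `failIf(repr(t).find('secret') != -1, ...)`, which takes a second read to see that it checks for absence; `self.failUnless(repr(t).find('secret') == -1, '__repr__ leaks: %s' % repr(t))` or `self.assertEqual(repr(t).find('secret'), -1, '__repr__ leaks: %s' % repr(t))` states the intent directly. The test also only pins the value: the key name and the token passed to `new()` are still shown by the new repr, so a short comment such as `# key names may appear in the repr; stored values must not` would document the boundary the test is meant to guard. `test_suite` begins on the last context line and continues past the hunk.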
