Log message for revision 39044:
  Collector #1914: Harden 'call_with_ns' against namespaces from other callers.
  
  o Forward-port from 2.7 branch.
  

Changed:
  U   Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
  U   
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py
  A   
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py

-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt       2005-10-11 14:55:14 UTC 
(rev 39043)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt       2005-10-11 15:19:18 UTC 
(rev 39044)
@@ -33,6 +33,10 @@
 
     Bugs Fixed
 
+      - Collector #1914: Hardened 'call_with_ns' (in
+        'Products.PageTemplates.ZRPythonExpr') against namespaces from other
+        callers than page templates.
+
       - Collector #1490: Added a new zope.conf option to control the
         character set used to encode unicode data that reaches
         ZPublisher without any specified encoding.

Modified: 
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py
===================================================================
--- 
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py 
    2005-10-11 14:55:14 UTC (rev 39043)
+++ 
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/ZRPythonExpr.py 
    2005-10-11 15:19:18 UTC (rev 39044)
@@ -62,8 +62,11 @@
 
 def call_with_ns(f, ns, arg=1):
     td = Rtd()
-    td.this = ns['here']
-    td._push(ns['request'])
+    # prefer 'context' to 'here';  fall back to 'None'
+    this = ns.get('context', ns.get('here'))
+    td.this = this
+    request = ns.get('request', {})
+    td._push(request)
     td._push(InstanceDict(td.this, td))
     td._push(ns)
     try:
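Review bot: In `this = ns.get('context', ns.get('here'))` a namespace that carries `'context': None` alongside a real `'here'` ends up with `td.this = None`, because the default is only used when the key is absent. If callers outside page templates can supply such a namespace (not visible here), `this = ns.get('context')` followed by `if this is None: this = ns.get('here')` keeps the preference order and still falls back. The function also has no docstring; now that it accepts partial namespaces, one stating that `td.this` defaults to None and that a missing `'request'` is replaced by `{}` would record the contract for callers. The `try:` body continues outside the hunk.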

Added: 
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
===================================================================
--- 
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
   2005-10-11 14:55:14 UTC (rev 39043)
+++ 
Zope/branches/Zope-2_8-branch/lib/python/Products/PageTemplates/tests/testZRPythonExpr.py
   2005-10-11 15:19:18 UTC (rev 39044)
@@ -0,0 +1,48 @@
+""" Unit tests for Products.PageTemplates.ZRPythonExpr
+
+$Id
+"""
+import unittest
+
+class MiscTests(unittest.TestCase):
+
+    def test_call_with_ns_prefer_context_to_here(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        context = ['context']
+        here = ['here']
+        request = {'request': 1}
+        names = {'context' : context, 'here': here, 'request' : request}
+        result = call_with_ns(lambda td: td.this, names)
+        self.failUnless(result is context, result)
+
+    def test_call_with_ns_no_context_or_here(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        request = {'request': 1}
+        names = {'request' : request}
+        result = call_with_ns(lambda td: td.this, names)
+        self.failUnless(result is None, result)
+
+    def test_call_with_ns_no_request(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        context = ['context']
+        here = ['here']
+        names = {'context' : context, 'here': here}
+
+        def _find_request(td):
+            ns = td._pop()              # peel off 'ns'
+            instance_dict = td._pop()   # peel off InstanceDict
+            request = td._pop()
+            td._push(request)
+            td._push(instance_dict)
+            td._push(ns)
+            return request
+
+        result = call_with_ns(_find_request, names)
+        self.assertEqual(result, {})
+ 
+def test_suite():
+    return unittest.makeSuite(MiscTests)
+
+if __name__ == '__main__':
+    unittest.main(defaultTest='test_suite')
+
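Review bot: None of the three tests passes a namespace with only `'here'`, so the fallback branch of `ns.get('context', ns.get('here'))`, presumably the path existing page-template callers take, is never exercised. A fourth case using `names = {'here': here, 'request': request}` and asserting `result is here` would pin the backward-compatible behaviour. The `$Id` keyword in the module docstring lacks its closing `$`, so it will not expand; it should read `$Id$`.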
