Log message for revision 41707: Backported r41704:41705 from 2.9 branch because it is a security fix. Under Python 2.4 the ZPublisher would allow publication of 'set' and 'frozenset' attributes.
Changed:
U Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
U Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py
U Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py
-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===================================================================
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2006-02-19 18:46:57 UTC (rev 41706)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt 2006-02-19 18:53:08 UTC (rev 41707)
@@ -28,7 +28,8 @@
 Bugs Fixed
 - ZPublisher.BaseRequest: The publisher would happily publish attributes
- of type 'bool' and 'complex'.
+ of type 'bool' and 'complex', as well as Python 2.4's 'set' and
+ 'frozenset'.
 - Collector #1991: ZPublisher did not deal properly with a trailing %20 in the URL
Modified: Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py 2006-02-19 18:46:57 UTC (rev 41706)
+++ Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/BaseRequest.py 2006-02-19 18:53:08 UTC (rev 41707)
@@ -566,6 +566,7 @@
 # Zope 3 by then :)
 import types
+import sys
 itypes = {}
 for name in ('NoneType', 'IntType', 'LongType', 'FloatType', 'StringType',
@@ -576,6 +577,11 @@
 if hasattr(types, name):
 itypes[getattr(types, name)] = 0
+# Python 2.4 no longer maintains the types module.
+if sys.version_info >= (2, 4):
+ itypes[set] = 0
+ itypes[frozenset] = 0
+
 def typeCheck(obj, deny=itypes):
 # Return true if its ok to publish the type, false otherwise.
 return deny.get(type(obj), 1)
Modified: Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py
===================================================================
--- Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py 2006-02-19 18:46:57 UTC (rev 41706)
+++ Zope/branches/Zope-2_8-branch/lib/python/ZPublisher/tests/testBaseRequest.py 2006-02-19 18:53:08 UTC (rev 41707)
@@ -239,7 +239,18 @@
 self.assertRaises(NotFound, r.traverse, 'folder/simpleBoolean')
 self.assertRaises(NotFound, r.traverse, 'folder/simpleComplex')
+ import sys
+ if sys.version_info >= (2, 4):
+ def test_traverse_set_type(self):
+ from ZPublisher import NotFound
+ self.f1.simpleSet = set([])
+ self.f1.simpleFrozenSet = frozenset([])
+ r = self.makeBaseRequest()
+ self.assertRaises(NotFound, r.traverse, 'folder/simpleSet')
+ self.assertRaises(NotFound, r.traverse, 'folder/simpleFrozenSet')
+
+
 def test_suite():
 return TestSuite( ( makeSuite(TestBaseRequest), ) )
_______________________________________________
Zope-Checkins maillist - Zope-Checkins@zope.org
http://mail.zope.org/mailman/listinfo/zope-checkins
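Review bot: `typeCheck` still ends in `return deny.get(type(obj), 1)`, so any type missing from `itypes` is publishable by default and the lookup matches the exact type only. Adding `set` and `frozenset` by hand closes this case, but the next builtin type introduced by a Python release will need the same patch. A subclass of `set` would not match the new entries either; whether another traversal check rejects it is not visible in this hunk. I would record that contract next to the added lines, e.g. `# itypes is a deny-list keyed on exact type(obj); unlisted types and subclasses pass typeCheck, so new builtin types must be added here.`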
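Review bot: The added `import sys` appears to sit in the body of the test class (indentation is lost in this rendering, so this is inferred from the `def test_traverse_set_type(self)` that follows it), which leaves `sys` as a class attribute of `TestBaseRequest`. Moving it to the module's import block keeps the class namespace clean and leaves the `if sys.version_info >= (2, 4):` guard unchanged. The test covers direct `set([])` and `frozenset([])` instances only; a short comment such as `# exact builtin types only; subclasses are not exercised here` would make the scope of this regression test explicit. The preceding test method starts outside the hunk.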