Martin Aspeli wrote:
> On 13/12/09 16:49, Martin Aspeli wrote:
>> On 13/12/09 10:52, Tres Seaver wrote:
>>
>>> Doesn't smell like a regression to me: the code there hasn't changed in
>>> a good long while. Can you write a test case for it, so that we can
>>> test against earlier versions?
>> Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html
>>
>> This is the same problem.
>>
>> You said:
>>
>> "This is because
>> 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
>> 'python:' expressions; path traversal is still governed by
>> 'boboAwareZopeTraverse', which uses 'restrictedTraverse'."
>>
>> and then:
>>
>> "As it turns out, it is only "partially trusted." The attached patch
>> should make them "really trusted", at least for path expressions; does
>> it help? I haven't added any tests, although my 2.10 branch checkout
>> does pass all tests with this change"
>>
>> The attachment is here:
>>
>> http://codespeak.net/pipermail/z3-five/attachments/20070506/7f8a9ea8/attachment.bin
>>
>> I'm going to poke around a Zope 2.12 checkout for a bit to see what
>> sense I can make of this.
>
> Okay, so it turns out your patch has gotten lost from Zope 2.10 to Zope
> 2.12.
>
> This is the revision where it went in:
>
> http://zope3.pov.lt/trac/changeset/77064/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py
>
> I think that by accident this got committed with an unrelated change,
> since the commit message says "Use Five 1.5.5" and there's a change in
> svn:externals. Perhaps that's why this wasn't merged to trunk. The
> latest merge I can see is at r71802.
>
> This also makes me worry about
> http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py?rev=78766
>
> and
> http://zope3.pov.lt/trac/browser/Zope/branches/2.10/lib/python/Products/PageTemplates/Expressions.py?rev=93506,
>
> which may not have been merged, but I'm too far down the rabbit hole now
> to see clearly.
>
> Anyway, I re-applied your patch to the Zope 2.12 branch. This broke one
> test, in Products.Five:
>
>     self.assertEqual(engine.types['standard'], ZopePathExpr)
>
> I'd argue that this test is testing for precisely the wrong thing, so I
> updated this assertion and the ones to follow to check for:
>
>     self.assertEqual(engine.types['standard'], TrustedZopePathExpr)
>
> This fixes the original issue I was seeing. All Zope 2.12 and Plone 4
> tests pass with this as well.
>
> I also think the fixed test in Five is now correct and sufficient, since
> it checks that we get the trusted engine for ViewPageTemplateFile's.
> Maybe we should have a functional test too, but I'm not sure how to set
> that up.
>
> I've committed this in r106436 and merged to trunk in r106437.

OK, sounds fine to me. Can you merge to the 2.11 branch as well? I
think Andreas will be releasing 2.9.x through 2.12.x fairly soon.

> If anyone objects, please let me know and I'll back it out. Otherwise,
> I'm hopeful for a 2.12.2 soon, as this breaks a few things in Plone. :-/

Heh, and after you have been just posting about using SVN develop eggs
on your blog. ;)

Tres.
--
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com