Martin Aspeli wrote:
> On 13/12/09 16:49, Martin Aspeli wrote:
>> On 13/12/09 10:52, Tres Seaver wrote:
>>> Doesn't smell like a regression to me: the code there hasn't changed in
>>> a good long while. Can you write a test case for it, so that we can
>>> test against earlier versions?
>> Aha! http://codespeak.net/pipermail/z3-five/2007q2/002185.html
>> This is the same problem.
>> You said:
>> "This is because
>> 'Products.PageTemplates.Expression.createTrustedZopeEngine' only trusts
>> 'python:' expressions; path traversal is still governed by
>> 'boboAwareZopeTraverse', which uses 'restrictedTraverse'."
>> and then:
>> "As it turns out, it is only "partially trusted." The attached patch
>> should make them "really trusted", at least for path expressions; does
>> it help? I haven't added any tests, although my 2.10 branch checkout
>> does pass all tests with this change"
>> The attachment is here:
>> I'm going to poke around a Zope 2.12 checkout for a bit to see what
>> sense I can make of this.
> Okay, so it turns out your patch has gotten lost from Zope 2.10 to Zope
> This is the revision where it went in:
> I think that by accident this got committed with an unrelated change,
> since the commit message says "Use Five 1.5.5" and there's a change in
> svn:externals. Perhaps that's why this wasn't merged to trunk. The
> latest merge I can see is at r71802.
> This also makes me worry about
> which may not have been merged, but I'm too far down the rabbit hole now
> to see clearly.
> Anyway, I re-applied your patch to the Zope 2.12 branch. This broke one
> test, in Products.Five:
> self.assertEqual(engine.types['standard'], ZopePathExpr)
> I'd argue that this test is testing for precisely the wrong thing, so I
> updated this assertion and the ones to follow to check for:
> self.assertEqual(engine.types['standard'], TrustedZopePathExpr)
> This fixes the original issue I was seeing. All Zope 2.12 and Plone 4
> tests pass with this as well.
> I also think the fixed test in Five is now correct and sufficient, since
> it checks that we get the trusted engine for ViewPageTemplateFile's.
> Maybe we should have a functional test too, but I'm not sure how to set
> that up.
> I've committed this in r106436 and merged to trunk in r106437.
OK, sounds fine to me. Can you merge to the 2.11 branch as well? I
think Andreas will be releasing 2.9.x through 2.12.x fairly soon.
> If anyone objects, please let me know and I'll back it out. Otherwise,
> I'm hopeful for a 2.12.2 soon, as this breaks a few things in Plone. :-/
Heh, and after you have been just posting about using SVN develop eggs
on your blog. ;)
Tres Seaver +1 540-429-0999 tsea...@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
Zope-Dev maillist - Zope-Dev@zope.org