From tseaver at zope.com Thu Jan 8 15:12:13 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.10.6.2
Message-ID: <200401082012.i08KCDhY029886@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv29583/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_6-branch
Zope.py
Log Message:
- Enforce new restrictions on untrusted code, identified during
the December 2003 security audit. These issues affect sites
that allow untrusted users to write Python Scripts, Page Templates,
and DTML:
o Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
o List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
o Use of 'import as' in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
o A number of newer built-ins (min, max, enumerate, iter, sum)
were either unavailable in untrusted code or did not perform
adequate security checking.
o Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
o DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
=== Zope/lib/python/ZTUtils/Zope.py 1.10.6.1 => 1.10.6.2 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.10.6.1 Mon Oct 7 15:45:10 2002
+++ Zope/lib/python/ZTUtils/Zope.py Thu Jan 8 15:12:12 2004
@@ -23,18 +23,8 @@
from AccessControl import getSecurityManager
from types import StringType, ListType, IntType, FloatType
from DateTime import DateTime
-
-try:
- from AccessControl.ZopeGuards import guarded_getitem
-except ImportError:
- Unauthorized = 'Unauthorized'
- def guarded_getitem(object, index):
- v = object[index]
- if getSecurityManager().validate(object, object, index, v):
- return v
- raise Unauthorized, 'unauthorized access to element %s' % `i`
-else:
- from AccessControl import Unauthorized
+from AccessControl.ZopeGuards import guarded_getitem
+from AccessControl import Unauthorized
class LazyFilter(Lazy):
# A LazyFilter that checks with the security policy
From tseaver at zope.com Thu Jan 8 15:12:39 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
Expressions.py:1.36.6.10 ZRPythonExpr.py:1.10.6.1
Message-ID: <200401082012.i08KCdMt029923@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv29583/lib/python/Products/PageTemplates
Modified Files:
Tag: Zope-2_6-branch
Expressions.py ZRPythonExpr.py
Log Message:
- Enforce new restrictions on untrusted code, identified during
the December 2003 security audit. These issues affect sites
that allow untrusted users to write Python Scripts, Page Templates,
and DTML:
o Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
o List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
o Use of 'import as' in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
o A number of newer built-ins (min, max, enumerate, iter, sum)
were either unavailable in untrusted code or did not perform
adequate security checking.
o Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
o DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.36.6.9 => 1.36.6.10 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.36.6.9 Thu Sep 26 17:35:17 2002
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Thu Jan 8 15:12:08 2004
@@ -54,12 +54,7 @@
from AccessControl import Unauthorized
except ImportError:
Unauthorized = "Unauthorized"
- if hasattr(AccessControl, 'full_read_guard'):
- from ZRPythonExpr import PythonExpr, _SecureModuleImporter, \
- call_with_ns
- else:
- from ZPythonExpr import PythonExpr, _SecureModuleImporter, \
- call_with_ns
+ from ZRPythonExpr import PythonExpr, _SecureModuleImporter, call_with_ns
else:
from PythonExpr import getSecurityManager, PythonExpr
guarded_getattr = getattr
@@ -313,7 +308,7 @@
# Skip directly to item access
o = object[name]
# Check access to the item.
- if not validate(object, object, name, o):
+ if not validate(object, object, None, o):
raise Unauthorized, name
object = o
continue
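Review bot: Both changed calls now pass `None` as the name argument to `validate` without a comment saying why, while the following `raise Unauthorized, name` still reports the key, so the call reads like a slip to the next maintainer. A one-line comment above each call would settle it, e.g. `# item access: pass None so the key is not checked as an attribute name`. That wording is inferred from the identical change to the `guarded_getitem` fallback in ZTUtils/Zope.py and should be confirmed against the security policy. The same applies to the `@@ -368,7 +363,7 @@` hunk and to both matching hunks in the Zope-2_7-branch copy of this change. The enclosing function starts and ends outside the hunk.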
@@ -368,7 +363,7 @@
raise
else:
# Check access to the item.
- if not validate(object, object, name, o):
+ if not validate(object, object, None, o):
raise Unauthorized, name
object = o
=== Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py 1.10 => 1.10.6.1 ===
--- Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py:1.10 Wed Aug 14 18:17:24 2002
+++ Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py Thu Jan 8 15:12:08 2004
@@ -18,19 +18,18 @@
__version__='$Revision$'[11:-2]
-from AccessControl import full_read_guard, full_write_guard, \
- safe_builtins, getSecurityManager
-from AccessControl.ZopeGuards import guarded_getattr, guarded_getitem
+from AccessControl import safe_builtins
+from AccessControl.ZopeGuards import guarded_getattr, get_safe_globals
from RestrictedPython import compile_restricted_eval
from TALES import CompilerError
from PythonExpr import PythonExpr
class PythonExpr(PythonExpr):
- _globals = {'__debug__': __debug__,
- '__builtins__': safe_builtins,
- '_getattr_': guarded_getattr,
- '_getitem_': guarded_getitem,}
+ _globals = get_safe_globals()
+ _globals['_getattr_'] = guarded_getattr
+ _globals['__debug__' ] = __debug__
+
def __init__(self, name, expr, engine):
self.expr = expr = expr.strip().replace('\n', ' ')
code, err, warn, use = compile_restricted_eval(expr, str(self))
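Review bot: The class-level `_globals` no longer names `__builtins__` or `_getitem_`, so the restricted namespace now depends entirely on what `get_safe_globals()` returns, and nothing in the hunk records that. A comment such as `# get_safe_globals() supplies __builtins__ and the item/iteration guards; only overrides are set here` would help, once confirmed against ZopeGuards. It is also worth confirming that `get_safe_globals()` returns a fresh dict on every call, because the two assignments in the class body mutate it and would otherwise leak into every other user of a shared dict. `safe_builtins` is still imported but is not used in the visible lines. `__init__` continues outside the hunk, and the Zope-2_7-branch hunk for this file is identical.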
From tseaver at zope.com Thu Jan 8 16:02:43 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Tree.py:1.6.6.10
Message-ID: <200401082102.i08L2hGZ006227@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv6197/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_6-branch
Tree.py
Log Message:
- The ZTUtils SimpleTree decompressed tree state data from the
request without checking for final size, which could allow for
certain types of DoS attacks.
=== Zope/lib/python/ZTUtils/Tree.py 1.6.6.9 => 1.6.6.10 ===
--- Zope/lib/python/ZTUtils/Tree.py:1.6.6.9 Tue Jul 15 13:05:47 2003
+++ Zope/lib/python/ZTUtils/Tree.py Thu Jan 8 16:02:35 2004
@@ -277,16 +277,19 @@
result = zresult
return result
-def decodeExpansion(s, nth=None):
+def decodeExpansion(s, nth=None, maxsize=8192):
'''Decode an expanded node map from a string.
If nth is an integer, also return the (map, key) pair for the nth entry.
'''
- if len(s) > 8192: # Set limit to 8K, to avoid DoS attacks.
+ if len(s) > maxsize: # Set limit to avoid DoS attacks.
raise ValueError('Encoded node map too large')
if s[0] == ':': # Compressed state
- s = zlib.decompress(a2b(s[1:]))
+ dec = zlib.decompressobj()
+ s = dec.decompress(a2b(s[1:]), maxsize)
+ if dec.decompress('', 1):
+ raise ValueError('Encoded node map too large')
map = m = {}
mstack = []
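Review bot: `s[0] == ':'` still raises IndexError for an empty string, which passes the new `len(s) > maxsize` check, so request-supplied state can fail with something other than the ValueError this function uses for rejected input. `if s[:1] == ':':` avoids the index error, or empty input can be rejected explicitly before it. Malformed base64 or zlib data presumably raises its own exception types from `a2b` and `decompress` as well; whether callers expect only ValueError is not visible here. The docstring should also mention `maxsize` and that it bounds both the encoded and the decompressed length. The function body continues outside the hunk.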
From tseaver at zope.com Thu Jan 8 16:13:15 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - SimpleTree.py:1.3.6.2
Message-ID: <200401082113.i08LDFLA008241@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv7712/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_6-branch
SimpleTree.py
Log Message:
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
See Collector #813 for other XSS-related rationale.
=== Zope/lib/python/ZTUtils/SimpleTree.py 1.3.6.1 => 1.3.6.2 ===
--- Zope/lib/python/ZTUtils/SimpleTree.py:1.3.6.1 Thu Oct 3 17:09:14 2002
+++ Zope/lib/python/ZTUtils/SimpleTree.py Thu Jan 8 16:13:14 2004
@@ -16,6 +16,7 @@
__version__='$Revision$'[11:-2]
from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
class SimpleTreeNode(TreeNode):
def branch(self):
@@ -35,9 +36,10 @@
obid = self.id
pre = self.aq_acquire('tree_pre')
- return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
- exnum, obid, obid),
- 'img': '' % (base, img, setst)}
+ return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+ (pre, setst[0], exnum, obid, obid),
+ 'img': '' % \
+ (escape(base, 1), img, setst)}
class SimpleTreeMaker(TreeMaker):
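Review bot: Only `base` is escaped here; the `'link'` value on the new side still interpolates `pre` and `obid` raw, and `img` and `setst` reach the `'img'` value unescaped. `pre` comes from `aq_acquire('tree_pre')` and `obid` from `self.id`, so if either can carry quotes or angle brackets the same cross-site scripting concern applies and they should be URL-quoted for the query string and HTML-escaped where they land in markup. The `'img'` format string shows as `''` on this page, apparently because the archive stripped the tag, so the attribute context that `escape(base, 1)` protects cannot be checked from here. The enclosing method starts outside the hunk, and the Zope-2_7-branch and HEAD copies of this hunk are identical.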
From tseaver at zope.com Thu Jan 8 18:34:22 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
Expressions.py:1.43.44.2 ZRPythonExpr.py:1.10.68.1
ZPythonExpr.py:NONE
Message-ID: <200401082334.i08NYLg0031931@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv30073/lib/python/Products/PageTemplates
Modified Files:
Tag: Zope-2_7-branch
Expressions.py ZRPythonExpr.py
Removed Files:
Tag: Zope-2_7-branch
ZPythonExpr.py
Log Message:
Merge security audit work for the 2.7 branch:
- Collector #1140: setting the access control implementation from
the configuration file didn't work. The ZOPE_SECURITY_POLICY
environment variable is no longer honored.
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
- FilteredSets (used within TopicIndex) are defined via an expression,
which was naively eval'ed.
- The ZTUtils SimpleTree decompressed tree state data from the
request without checking for final size, which could allow for
certain types of DoS attacks.
- Inadequate security assertions on administrative "find" methods
could potentially be abused.
- Some improper security assertions on DTMLDocument objects could
potentially allow access to members that should be protected.
- Class security was not properly initialized for PythonScripts,
potentially allowing access to variables that should be protected.
It turned out that most of the security assertions were in fact
activated as a side effect of other code, but this fix is still
appropriate to ensure that all security declarations are properly
applied.
- The dtml-tree tag used an "eval" of user-supplied data; its
efforts to prevent abuse were ineffective.
- XML-RPC marshalling of class instances used the instance
__dict__ to marshal the object, and could include attributes
prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
- Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
- Inadequate type checking could allow unicode values passed to
RESPONSE.write() to be passed into deeper layers of asyncore,
where an exception would eventually be generated at a level that
would cause the Zserver main loop to terminate.
- The variables bound to page templates and Python scripts such as
"context" and "container" were not checked adequately, allowing
a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.
- Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
- List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
- Use of 'import as. in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
- A number of newer built-ins (min, max, enumerate, iter, sum)
were either unavailable in untrusted code or did not perform
adequate security checking.
- Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
- DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.43.44.1 => 1.43.44.2 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.43.44.1 Tue Nov 4 14:37:04 2003
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Thu Jan 8 18:33:49 2004
@@ -54,12 +54,7 @@
from AccessControl import Unauthorized
except ImportError:
Unauthorized = "Unauthorized"
- if hasattr(AccessControl, 'full_read_guard'):
- from ZRPythonExpr import PythonExpr, _SecureModuleImporter, \
- call_with_ns
- else:
- from ZPythonExpr import PythonExpr, _SecureModuleImporter, \
- call_with_ns
+ from ZRPythonExpr import PythonExpr, _SecureModuleImporter, call_with_ns
else:
from PythonExpr import getSecurityManager, PythonExpr
guarded_getattr = getattr
@@ -312,7 +307,7 @@
# Skip directly to item access
o = object[name]
# Check access to the item.
- if not validate(object, object, name, o):
+ if not validate(object, object, None, o):
raise Unauthorized, name
object = o
continue
@@ -367,7 +362,7 @@
raise
else:
# Check access to the item.
- if not validate(object, object, name, o):
+ if not validate(object, object, None, o):
raise Unauthorized, name
object = o
=== Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py 1.10 => 1.10.68.1 ===
--- Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py:1.10 Wed Aug 14 18:17:24 2002
+++ Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py Thu Jan 8 18:33:49 2004
@@ -18,19 +18,18 @@
__version__='$Revision$'[11:-2]
-from AccessControl import full_read_guard, full_write_guard, \
- safe_builtins, getSecurityManager
-from AccessControl.ZopeGuards import guarded_getattr, guarded_getitem
+from AccessControl import safe_builtins
+from AccessControl.ZopeGuards import guarded_getattr, get_safe_globals
from RestrictedPython import compile_restricted_eval
from TALES import CompilerError
from PythonExpr import PythonExpr
class PythonExpr(PythonExpr):
- _globals = {'__debug__': __debug__,
- '__builtins__': safe_builtins,
- '_getattr_': guarded_getattr,
- '_getitem_': guarded_getitem,}
+ _globals = get_safe_globals()
+ _globals['_getattr_'] = guarded_getattr
+ _globals['__debug__' ] = __debug__
+
def __init__(self, name, expr, engine):
self.expr = expr = expr.strip().replace('\n', ' ')
code, err, warn, use = compile_restricted_eval(expr, str(self))
=== Removed File Zope/lib/python/Products/PageTemplates/ZPythonExpr.py ===
From tseaver at zope.com Thu Jan 8 18:34:36 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils/tests - testTree.py:1.4.44.1
Message-ID: <200401082334.i08NYaac032069@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils/tests
In directory cvs.zope.org:/tmp/cvs-serv30073/lib/python/ZTUtils/tests
Modified Files:
Tag: Zope-2_7-branch
testTree.py
Log Message:
Merge security audit work for the 2.7 branch:
- Collector #1140: setting the access control implementation from
the configuration file didn't work. The ZOPE_SECURITY_POLICY
environment variable is no longer honored.
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
- FilteredSets (used within TopicIndex) are defined via an expression,
which was naively eval'ed.
- The ZTUtils SimpleTree decompressed tree state data from the
request without checking for final size, which could allow for
certain types of DoS attacks.
- Inadequate security assertions on administrative "find" methods
could potentially be abused.
- Some improper security assertions on DTMLDocument objects could
potentially allow access to members that should be protected.
- Class security was not properly initialized for PythonScripts,
potentially allowing access to variables that should be protected.
It turned out that most of the security assertions were in fact
activated as a side effect of other code, but this fix is still
appropriate to ensure that all security declarations are properly
applied.
- The dtml-tree tag used an "eval" of user-supplied data; its
efforts to prevent abuse were ineffective.
- XML-RPC marshalling of class instances used the instance
__dict__ to marshal the object, and could include attributes
prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
- Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
- Inadequate type checking could allow unicode values passed to
RESPONSE.write() to be passed into deeper layers of asyncore,
where an exception would eventually be generated at a level that
would cause the Zserver main loop to terminate.
- The variables bound to page templates and Python scripts such as
"context" and "container" were not checked adequately, allowing
a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.
- Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
- List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
- Use of 'import as. in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
- A number of newer built-ins (min, max, enumerate, iter, sum)
were either unavailable in untrusted code or did not perform
adequate security checking.
- Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
- DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
=== Zope/lib/python/ZTUtils/tests/testTree.py 1.4 => 1.4.44.1 ===
--- Zope/lib/python/ZTUtils/tests/testTree.py:1.4 Sat Oct 5 17:24:03 2002
+++ Zope/lib/python/ZTUtils/tests/testTree.py Thu Jan 8 18:34:04 2004
@@ -207,6 +207,16 @@
self.assertEqual(treeroot1.size, treeroot2.size)
self.assertEqual(len(treeroot1), len(treeroot2))
+
+ def testDecodeInputSizeLimit(self):
+ self.assertRaises(ValueError, Tree.decodeExpansion, 'x' * 10000)
+
+ def testDecodeDecompressedSizeLimit(self):
+ import zlib
+ from ZTUtils.Tree import b2a, a2b, encodeExpansion, decodeExpansion
+ big = b2a(zlib.compress('x' * (1024*1100)))
+ self.assert_(len(big) < 8192) # Must be under the input size limit
+ self.assertRaises(ValueError, Tree.decodeExpansion, ':' + big)
def test_suite():
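Review bot: The local import in `testDecodeDecompressedSizeLimit` pulls in `a2b`, `encodeExpansion` and `decodeExpansion`, none of which the test uses, since it calls `Tree.decodeExpansion` through the module; `from ZTUtils.Tree import b2a` is enough. The literal `8192` duplicates the default `maxsize` of `decodeExpansion`, so the guard assertion would go stale if the default changed; a comment tying the two together would help. Both new tests cover rejection only, so a case asserting that a compressed payload under the limit still decodes would catch a check that rejects too much, unless an existing round-trip test outside the hunk already does. The HEAD merge of this hunk is identical.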
From tseaver at zope.com Thu Jan 8 18:34:35 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - SimpleTree.py:1.4.42.1
Tree.py:1.15.2.4 Zope.py:1.11.42.3
Message-ID: <200401082334.i08NYZm4032051@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv30073/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_7-branch
SimpleTree.py Tree.py Zope.py
Log Message:
Merge security audit work for the 2.7 branch:
- Collector #1140: setting the access control implementation from
the configuration file didn't work. The ZOPE_SECURITY_POLICY
environment variable is no longer honored.
- Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
- FilteredSets (used within TopicIndex) are defined via an expression,
which was naively eval'ed.
- The ZTUtils SimpleTree decompressed tree state data from the
request without checking for final size, which could allow for
certain types of DoS attacks.
- Inadequate security assertions on administrative "find" methods
could potentially be abused.
- Some improper security assertions on DTMLDocument objects could
potentially allow access to members that should be protected.
- Class security was not properly initialized for PythonScripts,
potentially allowing access to variables that should be protected.
It turned out that most of the security assertions were in fact
activated as a side effect of other code, but this fix is still
appropriate to ensure that all security declarations are properly
applied.
- The dtml-tree tag used an "eval" of user-supplied data; its
efforts to prevent abuse were ineffective.
- XML-RPC marshalling of class instances used the instance
__dict__ to marshal the object, and could include attributes
prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
- Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
- Inadequate type checking could allow unicode values passed to
RESPONSE.write() to be passed into deeper layers of asyncore,
where an exception would eventually be generated at a level that
would cause the Zserver main loop to terminate.
- The variables bound to page templates and Python scripts such as
"context" and "container" were not checked adequately, allowing
a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.
- Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
- List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
- Use of 'import as. in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
- A number of newer built-ins (min, max, enumerate, iter, sum)
were either unavailable in untrusted code or did not perform
adequate security checking.
- Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
- DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
=== Zope/lib/python/ZTUtils/SimpleTree.py 1.4 => 1.4.42.1 ===
--- Zope/lib/python/ZTUtils/SimpleTree.py:1.4 Thu Oct 3 17:08:40 2002
+++ Zope/lib/python/ZTUtils/SimpleTree.py Thu Jan 8 18:34:03 2004
@@ -16,6 +16,7 @@
__version__='$Revision$'[11:-2]
from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
class SimpleTreeNode(TreeNode):
def branch(self):
@@ -35,9 +36,10 @@
obid = self.id
pre = self.aq_acquire('tree_pre')
- return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
- exnum, obid, obid),
- 'img': '' % (base, img, setst)}
+ return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+ (pre, setst[0], exnum, obid, obid),
+ 'img': '' % \
+ (escape(base, 1), img, setst)}
class SimpleTreeMaker(TreeMaker):
=== Zope/lib/python/ZTUtils/Tree.py 1.15.2.3 => 1.15.2.4 ===
--- Zope/lib/python/ZTUtils/Tree.py:1.15.2.3 Thu Dec 11 13:03:56 2003
+++ Zope/lib/python/ZTUtils/Tree.py Thu Jan 8 18:34:03 2004
@@ -220,7 +220,7 @@
type(0L):1, type(None):1 }.has_key):
return is_simple(type(ob))
-from binascii import b2a_base64, a2b_base64
+import base64
from string import translate, maketrans
import zlib
@@ -232,23 +232,11 @@
Encoded string use only alpahnumeric characters, and "._-".
'''
- s = str(s)
- if len(s) <= 57:
- return translate(b2a_base64(s)[:-1], a2u_map)
- frags = []
- for i in range(0, len(s), 57):
- frags.append(b2a_base64(s[i:i + 57])[:-1])
- return translate(''.join(frags), a2u_map)
+ return translate(base64.encodestring(str(s)), a2u_map)
def a2b(s):
'''Decode a b2a-encoded string.'''
- s = translate(s, u2a_map)
- if len(s) <= 76:
- return a2b_base64(s)
- frags = []
- for i in range(0, len(s), 76):
- frags.append(a2b_base64(s[i:i + 76]))
- return ''.join(frags)
+ return base64.decodestring(translate(s, u2a_map))
def encodeExpansion(nodes, compress=1):
'''Encode the expanded node ids of a tree into a string.
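Review bot: `base64.encodestring` emits a newline after every 76 output characters and at the end, and the removed code stripped those with `[:-1]`. Unless `a2u_map` (not shown) maps `'\n'` to something else, `b2a` now returns line breaks, which contradicts the docstring's statement that the encoded string uses only alphanumerics and `._-`. Passing the newline as the deletion set keeps the one-liner: `return translate(base64.encodestring(str(s)), a2u_map, '\n')`. A round-trip test on an input longer than 57 bytes asserting `'\n' not in b2a(s)` would pin this. The HEAD merge of this hunk is identical.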
@@ -288,8 +276,9 @@
if s[0] == ':': # Compressed state
dec = zlib.decompressobj()
s = dec.decompress(a2b(s[1:]), maxsize)
- if dec.decompress('', 1):
+ if dec.unconsumed_tail:
raise ValueError('Encoded node map too large')
+ del dec
map = m = {}
mstack = []
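Review bot: The size check now rests on `dec.unconsumed_tail`, and the reason is not written down. That attribute holds the compressed input left unprocessed when `decompress` stopped at `maxsize`, so a non-empty value means the payload would expand past the limit. A comment above the `if`, such as `# leftover input means the output was cut off at maxsize`, would keep a later edit from simplifying the check away. `del dec` also has no comment; if it is there to release the leftover input early, it should say so. The function body continues outside the hunk, and the HEAD merge of this hunk is identical.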
=== Zope/lib/python/ZTUtils/Zope.py 1.11.42.2 => 1.11.42.3 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.11.42.2 Fri Oct 24 16:13:36 2003
+++ Zope/lib/python/ZTUtils/Zope.py Thu Jan 8 18:34:04 2004
@@ -30,7 +30,7 @@
Unauthorized = 'Unauthorized'
def guarded_getitem(object, index):
v = object[index]
- if getSecurityManager().validate(object, object, index, v):
+ if getSecurityManager().validate(object, object, None, v):
return v
raise Unauthorized, 'unauthorized access to element %s' % `i`
else:
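Review bot: The `raise` in this fallback formats its message from `i`, but the parameter is `index` and no `i` is defined in the visible lines, so a denied access would surface as NameError rather than Unauthorized. Access is still refused, but callers that catch Unauthorized will not see it, and the message never names the element. Replacing `i` with `index` in that expression fixes it. The surrounding try/except/else starts outside the hunk.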
From tseaver at zope.com Thu Jan 15 18:00:23 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils/tests - testTree.py:1.5
Message-ID: <200401152300.i0FN0Nuu023098@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils/tests
In directory cvs.zope.org:/tmp/cvs-serv22749/tests
Modified Files:
testTree.py
Log Message:
- SimpleTree.py: CGI escapes (merged from 2.6 / 2.7 audit).
- Tree.py: prevent DoS against tree state cookie decompression (merged
from 2.6 / 2.7 audit).
=== Zope/lib/python/ZTUtils/tests/testTree.py 1.4 => 1.5 ===
--- Zope/lib/python/ZTUtils/tests/testTree.py:1.4 Sat Oct 5 17:24:03 2002
+++ Zope/lib/python/ZTUtils/tests/testTree.py Thu Jan 15 18:00:17 2004
@@ -207,6 +207,16 @@
self.assertEqual(treeroot1.size, treeroot2.size)
self.assertEqual(len(treeroot1), len(treeroot2))
+
+ def testDecodeInputSizeLimit(self):
+ self.assertRaises(ValueError, Tree.decodeExpansion, 'x' * 10000)
+
+ def testDecodeDecompressedSizeLimit(self):
+ import zlib
+ from ZTUtils.Tree import b2a, a2b, encodeExpansion, decodeExpansion
+ big = b2a(zlib.compress('x' * (1024*1100)))
+ self.assert_(len(big) < 8192) # Must be under the input size limit
+ self.assertRaises(ValueError, Tree.decodeExpansion, ':' + big)
def test_suite():
From tseaver at zope.com Thu Jan 15 18:00:48 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:19 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - SimpleTree.py:1.5
Tree.py:1.18
Message-ID: <200401152300.i0FN0maE023135@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv22749
Modified Files:
SimpleTree.py Tree.py
Log Message:
- SimpleTree.py: CGI escapes (merged from 2.6 / 2.7 audit).
- Tree.py: prevent DoS against tree state cookie decompression (merged
from 2.6 / 2.7 audit).
=== Zope/lib/python/ZTUtils/SimpleTree.py 1.4 => 1.5 ===
--- Zope/lib/python/ZTUtils/SimpleTree.py:1.4 Thu Oct 3 17:08:40 2002
+++ Zope/lib/python/ZTUtils/SimpleTree.py Thu Jan 15 18:00:17 2004
@@ -16,6 +16,7 @@
__version__='$Revision$'[11:-2]
from Tree import TreeMaker, TreeNode, b2a
+from cgi import escape
class SimpleTreeNode(TreeNode):
def branch(self):
@@ -35,9 +36,10 @@
obid = self.id
pre = self.aq_acquire('tree_pre')
- return {'link': '?%s-setstate=%s,%s,%s#%s' % (pre, setst[0],
- exnum, obid, obid),
- 'img': '' % (base, img, setst)}
+ return {'link': '?%s-setstate=%s,%s,%s#%s' % \
+ (pre, setst[0], exnum, obid, obid),
+ 'img': '' % \
+ (escape(base, 1), img, setst)}
class SimpleTreeMaker(TreeMaker):
=== Zope/lib/python/ZTUtils/Tree.py 1.17 => 1.18 ===
--- Zope/lib/python/ZTUtils/Tree.py:1.17 Thu Dec 11 13:02:15 2003
+++ Zope/lib/python/ZTUtils/Tree.py Thu Jan 15 18:00:17 2004
@@ -220,7 +220,7 @@
type(0L):1, type(None):1 }.has_key):
return is_simple(type(ob))
-from binascii import b2a_base64, a2b_base64
+import base64
from string import translate, maketrans
import zlib
@@ -232,23 +232,11 @@
Encoded string use only alpahnumeric characters, and "._-".
'''
- s = str(s)
- if len(s) <= 57:
- return translate(b2a_base64(s)[:-1], a2u_map)
- frags = []
- for i in range(0, len(s), 57):
- frags.append(b2a_base64(s[i:i + 57])[:-1])
- return translate(''.join(frags), a2u_map)
+ return translate(base64.encodestring(str(s)), a2u_map)
def a2b(s):
'''Decode a b2a-encoded string.'''
- s = translate(s, u2a_map)
- if len(s) <= 76:
- return a2b_base64(s)
- frags = []
- for i in range(0, len(s), 76):
- frags.append(a2b_base64(s[i:i + 76]))
- return ''.join(frags)
+ return base64.decodestring(translate(s, u2a_map))
def encodeExpansion(nodes, compress=1):
'''Encode the expanded node ids of a tree into a string.
@@ -288,8 +276,9 @@
if s[0] == ':': # Compressed state
dec = zlib.decompressobj()
s = dec.decompress(a2b(s[1:]), maxsize)
- if dec.decompress('', 1):
+ if dec.unconsumed_tail:
raise ValueError('Encoded node map too large')
+ del dec
map = m = {}
mstack = []
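Review bot: The `maxsize` argument bounds only the decompressed output; `a2b(s[1:])` base64-decodes the whole encoded string (cookie data, per the log message) before that bound applies, so the encoded input itself is uncapped in the visible lines. A length check on `s` ahead of the decode, raising the same `ValueError('Encoded node map too large')`, would bound both sides. Malformed input would also surface here as a zlib or base64 decoding error rather than `ValueError`; whether the caller handles those is outside the hunk, as are the start and end of the function.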
From tseaver at zope.com Thu Jan 15 18:09:38 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
Expressions.py:1.45 ZRPythonExpr.py:1.11
Message-ID: <200401152309.i0FN9cio024972@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv24317/Products/PageTemplates
Modified Files:
Expressions.py ZRPythonExpr.py
Log Message:
- Merge a number of entangled issues from 2.6 / 2.7 audit:
Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
Use of "import as" in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
A number of newer built-ins were either unavailable in untrusted
code or did not perform adequate security checking.
Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
Class security was not properly initialized for PythonScripts,
potentially allowing access to variables that should be protected.
It turned out that most of the security assertions were in fact
activated as a side effect of other code, but this fix is still
appropriate to ensure that all security declarations are properly
applied.
DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.44 => 1.45 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.44 Tue Nov 4 14:36:05 2003
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Thu Jan 15 18:09:06 2004
@@ -54,12 +54,7 @@
from AccessControl import Unauthorized
except ImportError:
Unauthorized = "Unauthorized"
- if hasattr(AccessControl, 'full_read_guard'):
- from ZRPythonExpr import PythonExpr, _SecureModuleImporter, \
- call_with_ns
- else:
- from ZPythonExpr import PythonExpr, _SecureModuleImporter, \
- call_with_ns
+ from ZRPythonExpr import PythonExpr, _SecureModuleImporter, call_with_ns
else:
from PythonExpr import getSecurityManager, PythonExpr
guarded_getattr = getattr
@@ -312,7 +307,7 @@
# Skip directly to item access
o = object[name]
# Check access to the item.
- if not validate(object, object, name, o):
+ if not validate(object, object, None, o):
raise Unauthorized, name
object = o
continue
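Review bot: Both `validate` calls (here and in the `@@ -367,7 +362,7 @@` hunk below) now pass `None` as the name, while `raise Unauthorized, name` on the following line still reports the key, so the policy no longer sees what the error message names. Any policy hook that decides by name for unprotected subobjects loses that input on item access; the later messages on this page revert the change for exactly that reason (Collector #1182). If withholding the name is intended, a comment such as `# item access: name deliberately withheld from validate()` would make that explicit. The enclosing function starts and ends outside the hunk.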
@@ -367,7 +362,7 @@
raise
else:
# Check access to the item.
- if not validate(object, object, name, o):
+ if not validate(object, object, None, o):
raise Unauthorized, name
object = o
=== Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py 1.10 => 1.11 ===
--- Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py:1.10 Wed Aug 14 18:17:24 2002
+++ Zope/lib/python/Products/PageTemplates/ZRPythonExpr.py Thu Jan 15 18:09:06 2004
@@ -18,19 +18,18 @@
__version__='$Revision$'[11:-2]
-from AccessControl import full_read_guard, full_write_guard, \
- safe_builtins, getSecurityManager
-from AccessControl.ZopeGuards import guarded_getattr, guarded_getitem
+from AccessControl import safe_builtins
+from AccessControl.ZopeGuards import guarded_getattr, get_safe_globals
from RestrictedPython import compile_restricted_eval
from TALES import CompilerError
from PythonExpr import PythonExpr
class PythonExpr(PythonExpr):
- _globals = {'__debug__': __debug__,
- '__builtins__': safe_builtins,
- '_getattr_': guarded_getattr,
- '_getitem_': guarded_getitem,}
+ _globals = get_safe_globals()
+ _globals['_getattr_'] = guarded_getattr
+ _globals['__debug__' ] = __debug__
+
def __init__(self, name, expr, engine):
self.expr = expr = expr.strip().replace('\n', ' ')
code, err, warn, use = compile_restricted_eval(expr, str(self))
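Review bot: `_globals` no longer sets `'__builtins__'` or `'_getitem_'` itself, so the restricted namespace for page-template Python expressions now depends entirely on what `get_safe_globals()` returns, and nothing in the hunk shows that both keys are present. A comment above the assignment listing the guards expected from `get_safe_globals()` would let a reader verify that. The two item assignments mutate the returned dict in the class body, so if `get_safe_globals()` hands back a shared object rather than a fresh copy, `_getattr_` and `__debug__` would change for its other users as well; that is worth confirming. `safe_builtins` is still imported but is no longer used in the visible lines.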
From jim at zope.com Fri Jan 16 15:22:39 2004
From: jim at zope.com (Jim Fulton)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.11.42.3.2.1
Message-ID: <200401162022.i0GKMda7005196@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv5145/lib/python/ZTUtils
Modified Files:
Tag: caz_dict_list_redo
Zope.py
Log Message:
Reverted a change that suppressed passing names to validate when doing
item access.
=== Zope/lib/python/ZTUtils/Zope.py 1.11.42.3 => 1.11.42.3.2.1 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.11.42.3 Thu Jan 8 18:34:04 2004
+++ Zope/lib/python/ZTUtils/Zope.py Fri Jan 16 15:22:37 2004
@@ -30,7 +30,7 @@
Unauthorized = 'Unauthorized'
def guarded_getitem(object, index):
v = object[index]
- if getSecurityManager().validate(object, object, None, v):
+ if getSecurityManager().validate(object, object, index, v):
return v
raise Unauthorized, 'unauthorized access to element %s' % `i`
else:
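Review bot: The deny path formats its message with a backquoted `i`, but the visible function defines only `object`, `index` and `v`, so a failed check would raise NameError instead of Unauthorized unless `i` happens to be a module global. Access is still refused, but callers that catch Unauthorized would not see it; the line should read `raise Unauthorized, 'unauthorized access to element %s' % repr(index)`. The same context line appears in the Zope-2_7-branch copy of this change further down the page.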
From jim at zope.com Fri Jan 16 15:23:09 2004
From: jim at zope.com (Jim Fulton)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
Expressions.py:1.43.44.2.2.1
Message-ID: <200401162023.i0GKN9ke005403@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv5145/lib/python/Products/PageTemplates
Modified Files:
Tag: caz_dict_list_redo
Expressions.py
Log Message:
Reverted a change that suppressed passing names to validate when doing
item access.
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.43.44.2 => 1.43.44.2.2.1 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.43.44.2 Thu Jan 8 18:33:49 2004
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Fri Jan 16 15:22:37 2004
@@ -307,7 +307,7 @@
# Skip directly to item access
o = object[name]
# Check access to the item.
- if not validate(object, object, None, o):
+ if not validate(object, object, name, o):
raise Unauthorized, name
object = o
continue
@@ -362,7 +362,7 @@
raise
else:
# Check access to the item.
- if not validate(object, object, None, o):
+ if not validate(object, object, name, o):
raise Unauthorized, name
object = o
From jim at zope.com Fri Jan 16 16:05:28 2004
From: jim at zope.com (Jim Fulton)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.11.42.4
Message-ID: <200401162105.i0GL5S9P017609@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv17159/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_7-branch
Zope.py
Log Message:
Reverted a change that suppressed passing names to validate when doing
item access.
=== Zope/lib/python/ZTUtils/Zope.py 1.11.42.3 => 1.11.42.4 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.11.42.3 Thu Jan 8 18:34:04 2004
+++ Zope/lib/python/ZTUtils/Zope.py Fri Jan 16 16:05:01 2004
@@ -30,7 +30,7 @@
Unauthorized = 'Unauthorized'
def guarded_getitem(object, index):
v = object[index]
- if getSecurityManager().validate(object, object, None, v):
+ if getSecurityManager().validate(object, object, index, v):
return v
raise Unauthorized, 'unauthorized access to element %s' % `i`
else:
From jim at zope.com Fri Jan 16 16:05:38 2004
From: jim at zope.com (Jim Fulton)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
Expressions.py:1.43.44.3
Message-ID: <200401162105.i0GL5cvq017649@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv17159/lib/python/Products/PageTemplates
Modified Files:
Tag: Zope-2_7-branch
Expressions.py
Log Message:
Reverted a change that suppressed passing names to validate when doing
item access.
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.43.44.2 => 1.43.44.3 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.43.44.2 Thu Jan 8 18:33:49 2004
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Fri Jan 16 16:05:01 2004
@@ -307,7 +307,7 @@
# Skip directly to item access
o = object[name]
# Check access to the item.
- if not validate(object, object, None, o):
+ if not validate(object, object, name, o):
raise Unauthorized, name
object = o
continue
@@ -362,7 +362,7 @@
raise
else:
# Check access to the item.
- if not validate(object, object, None, o):
+ if not validate(object, object, name, o):
raise Unauthorized, name
object = o
From jim at zope.com Mon Jan 19 13:54:12 2004
From: jim at zope.com (Jim Fulton)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
Expressions.py:1.36.6.11
Message-ID: <200401191854.i0JIsCa1004076@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv4014/lib/python/Products/PageTemplates
Modified Files:
Tag: Zope-2_6-branch
Expressions.py
Log Message:
Collector #1182: Functions for handling decisions about
unprotected subobjects were not passed "names" when doing
unnamed (item) access. In 2.6.3 we changed access checks when
doing item access to pass None rather than the key value when
validating access. This broke some existing applications. We
have reverted these changes.
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.36.6.10 => 1.36.6.11 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.36.6.10 Thu Jan 8 15:12:08 2004
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Mon Jan 19 13:54:11 2004
@@ -308,7 +308,7 @@
# Skip directly to item access
o = object[name]
# Check access to the item.
- if not validate(object, object, None, o):
+ if not validate(object, object, name, o):
raise Unauthorized, name
object = o
continue
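Review bot: Nothing at either call site records why the key is passed as the third argument to `validate`, and this line has now been changed in both directions within two weeks. A comment above each call, e.g. `# Pass the key as the name: hooks deciding on unprotected subobjects need it (Collector #1182).`, would guard against a repeat; the same applies to the `@@ -363,7 +363,7 @@` hunk below. The enclosing function lies outside the hunk.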
@@ -363,7 +363,7 @@
raise
else:
# Check access to the item.
- if not validate(object, object, None, o):
+ if not validate(object, object, name, o):
raise Unauthorized, name
object = o
From brian at zope.com Mon Jan 26 11:20:16 2004
From: brian at zope.com (Brian Lloyd)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.10.6.3
Message-ID: <200401261620.i0QGKG1Z008631@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv8601/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_6-branch
Zope.py
Log Message:
fix collector 1203
=== Zope/lib/python/ZTUtils/Zope.py 1.10.6.2 => 1.10.6.3 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.10.6.2 Thu Jan 8 15:12:12 2004
+++ Zope/lib/python/ZTUtils/Zope.py Mon Jan 26 11:20:14 2004
@@ -26,6 +26,11 @@
from AccessControl.ZopeGuards import guarded_getitem
from AccessControl import Unauthorized
+try:
+ from types import BooleanType
+except ImportError:
+ BooleanType = None
+
class LazyFilter(Lazy):
# A LazyFilter that checks with the security policy
@@ -244,6 +249,8 @@
def simple_marshal(v):
if isinstance(v, StringType):
return ''
+ if BooleanType and isinstance(v, BooleanType):
+ return ':boolean'
if isinstance(v, IntType):
return ':int'
if isinstance(v, FloatType):
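Review bot: The added `BooleanType` branch only works because it sits before the `IntType` test: `bool` is a subclass of `int`, so a boolean that reached the next branch would be marshalled as `:int`. A comment on the added branch, e.g. `# must precede the IntType check: bool subclasses int`, would keep a later reordering from silently changing the generated query string. `simple_marshal` continues past the end of the hunk.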
From fred at zope.com Mon Jan 26 11:47:08 2004
From: fred at zope.com (Fred L. Drake, Jr.)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.10.6.4
Message-ID: <200401261647.i0QGl8F1013215@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv13196
Modified Files:
Tag: Zope-2_6-branch
Zope.py
Log Message:
types don't have a guaranteed truth value, so check that it isn't None
=== Zope/lib/python/ZTUtils/Zope.py 1.10.6.3 => 1.10.6.4 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.10.6.3 Mon Jan 26 11:20:14 2004
+++ Zope/lib/python/ZTUtils/Zope.py Mon Jan 26 11:47:06 2004
@@ -249,7 +249,7 @@
def simple_marshal(v):
if isinstance(v, StringType):
return ''
- if BooleanType and isinstance(v, BooleanType):
+ if BooleanType is not None and isinstance(v, BooleanType):
return ':boolean'
if isinstance(v, IntType):
return ':int'
From tseaver at zope.com Mon Jan 26 13:15:46 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/Products/PageTemplates -
PageTemplateFile.py:1.20.2.3
Message-ID: <200401261815.i0QIFkW4032264@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv31220/lib/python/Products/PageTemplates
Modified Files:
Tag: Zope-2_6-branch
PageTemplateFile.py
Log Message:
Fix breakage in tests
- AccessControl/Owned.py:
o Expand API to include explicit methods for retrieving the
"owner tuple" and the "wrapped owner".
o Deprecate the 'getOwner(1)' wart.
o Add tests.
- AccessControl/ZopeSecurityPolicy.py:
o For the Python version of validate, use the new 'getWrappedOwner'
API, rather than painfully reconstructing it ourselves. Also, skip
tests for acquisition trickery if the container is not a wrapper
(should repair breakage in DCWorkflow scripts w/ proxy roles).
o XXX: Note that cAccessControl needs to follow suit!
- App/special_dtml.py, Products/PageTemplates/PageTemplateFile.py:
o Implement the new Owned API.
=== Zope/lib/python/Products/PageTemplates/PageTemplateFile.py 1.20.2.2 => 1.20.2.3 ===
--- Zope/lib/python/Products/PageTemplates/PageTemplateFile.py:1.20.2.2 Mon Oct 14 18:33:57 2002
+++ Zope/lib/python/Products/PageTemplates/PageTemplateFile.py Mon Jan 26 13:15:43 2004
@@ -148,6 +148,12 @@
"""
return None
+ def getOwnerTuple(self):
+ return None
+
+ def getWrappedOwner(self):
+ return None
+
def __getstate__(self):
from ZODB.POSException import StorageError
raise StorageError, ("Instance of AntiPersistent class %s "
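Review bot: `getOwnerTuple` and `getWrappedOwner` are added with no statement of why `None` is the right answer for this class. The log message says the security policy's `validate` now calls `getWrappedOwner`, so what a `None` return means there (presumably that no owner-based restriction applies, to be confirmed against ZopeSecurityPolicy) is security-relevant and belongs in a comment in each method. A `#` comment is preferable to a docstring here, since adding a docstring can make a method publishable through the web in Zope.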
From tseaver at zope.com Tue Jan 27 09:28:51 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.11.42.5
Message-ID: <200401271428.i0RESpLp031868@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv31849/lib/python/ZTUtils
Modified Files:
Tag: Zope-2_7-branch
Zope.py
Log Message:
- Remove buglet introduced by unneeded backwards compatibility.
=== Zope/lib/python/ZTUtils/Zope.py 1.11.42.4 => 1.11.42.5 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.11.42.4 Fri Jan 16 16:05:01 2004
+++ Zope/lib/python/ZTUtils/Zope.py Tue Jan 27 09:28:50 2004
@@ -36,11 +36,7 @@
else:
from AccessControl import Unauthorized
-# Support pre-Python 2.3 :-(
-try:
- from types import BooleanType
-except ImportError:
- BooleanType = None
+from types import BooleanType
class LazyFilter(Lazy):
# A LazyFilter that checks with the security policy
@@ -261,7 +257,7 @@
def simple_marshal(v):
if isinstance(v, StringType):
return ''
- if BooleanType and isinstance(v, BooleanType):
+ if isinstance(v, BooleanType):
return ':boolean'
if isinstance(v, IntType):
return ':int'
From tseaver at zope.com Tue Jan 27 09:39:35 2004
From: tseaver at zope.com (Tres Seaver)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.14
Message-ID: <200401271439.i0REdZj9001977@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv1958/lib/python/ZTUtils
Modified Files:
Zope.py
Log Message:
- Remove buglet introduced by unneeded backwards compatibility.
=== Zope/lib/python/ZTUtils/Zope.py 1.13 => 1.14 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.13 Fri Oct 24 16:16:08 2003
+++ Zope/lib/python/ZTUtils/Zope.py Tue Jan 27 09:39:34 2004
@@ -36,11 +36,7 @@
else:
from AccessControl import Unauthorized
-# Support pre-Python 2.3 :-(
-try:
- from types import BooleanType
-except ImportError:
- BooleanType = None
+from types import BooleanType
class LazyFilter(Lazy):
# A LazyFilter that checks with the security policy
@@ -261,7 +257,7 @@
def simple_marshal(v):
if isinstance(v, StringType):
return ''
- if BooleanType and isinstance(v, BooleanType):
+ if isinstance(v, BooleanType):
return ':boolean'
if isinstance(v, IntType):
return ':int'
From fred at zope.com Tue Jan 27 10:45:36 2004
From: fred at zope.com (Fred L. Drake, Jr.)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.11.42.6
Message-ID: <200401271545.i0RFjae7016058@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv16039
Modified Files:
Tag: Zope-2_7-branch
Zope.py
Log Message:
change port of the fix for collector issue 1203:
Python 2.3.3 doesn't need to import the types module here anymore
=== Zope/lib/python/ZTUtils/Zope.py 1.11.42.5 => 1.11.42.6 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.11.42.5 Tue Jan 27 09:28:50 2004
+++ Zope/lib/python/ZTUtils/Zope.py Tue Jan 27 10:45:35 2004
@@ -21,7 +21,6 @@
from Batch import Batch
from Products.ZCatalog.Lazy import Lazy
from AccessControl import getSecurityManager
-from types import StringType, ListType, IntType, FloatType
from DateTime import DateTime
try:
@@ -36,7 +35,6 @@
else:
from AccessControl import Unauthorized
-from types import BooleanType
class LazyFilter(Lazy):
# A LazyFilter that checks with the security policy
@@ -233,14 +231,14 @@
k, v = pairs[i]
m = ''
sublist = None
- if isinstance(v, StringType):
+ if isinstance(v, str):
pass
elif hasattr(v, 'items'):
sublist = []
for sk, sv in v.items():
sm = simple_marshal(sv)
sublist.append(('%s.%s' % (k, sk), '%s:record' % sm, sv))
- elif isinstance(v, ListType):
+ elif isinstance(v, list):
sublist = []
for sv in v:
sm = simple_marshal(sv)
@@ -255,13 +253,13 @@
return pairs
def simple_marshal(v):
- if isinstance(v, StringType):
+ if isinstance(v, str):
return ''
- if isinstance(v, BooleanType):
+ if isinstance(v, bool):
return ':boolean'
- if isinstance(v, IntType):
+ if isinstance(v, int):
return ':int'
- if isinstance(v, FloatType):
+ if isinstance(v, float):
return ':float'
if isinstance(v, DateTime):
return ':date'
@@ -283,7 +281,7 @@
if qs and omit:
qsparts = qs.split('&')
- if isinstance(omit, StringType):
+ if isinstance(omit, str):
omits = {omit: None}
else:
omits = {}
From fred at zope.com Tue Jan 27 10:47:06 2004
From: fred at zope.com (Fred L. Drake, Jr.)
Date: Sun Aug 10 17:05:20 2008
Subject: [ZPT-CVS] CVS: Zope/lib/python/ZTUtils - Zope.py:1.15
Message-ID: <200401271547.i0RFl6TG016466@cvs.zope.org>
Update of /cvs-repository/Zope/lib/python/ZTUtils
In directory cvs.zope.org:/tmp/cvs-serv16331
Modified Files:
Zope.py
Log Message:
change port of the fix for collector issue 1203:
Python 2.3.3 doesn't need to import the types module here anymore
=== Zope/lib/python/ZTUtils/Zope.py 1.14 => 1.15 ===
--- Zope/lib/python/ZTUtils/Zope.py:1.14 Tue Jan 27 09:39:34 2004
+++ Zope/lib/python/ZTUtils/Zope.py Tue Jan 27 10:47:02 2004
@@ -21,7 +21,6 @@
from Batch import Batch
from Products.ZCatalog.Lazy import Lazy
from AccessControl import getSecurityManager
-from types import StringType, ListType, IntType, FloatType
from DateTime import DateTime
try:
@@ -36,7 +35,6 @@
else:
from AccessControl import Unauthorized
-from types import BooleanType
class LazyFilter(Lazy):
# A LazyFilter that checks with the security policy
@@ -233,14 +231,14 @@
k, v = pairs[i]
m = ''
sublist = None
- if isinstance(v, StringType):
+ if isinstance(v, str):
pass
elif hasattr(v, 'items'):
sublist = []
for sk, sv in v.items():
sm = simple_marshal(sv)
sublist.append(('%s.%s' % (k, sk), '%s:record' % sm, sv))
- elif isinstance(v, ListType):
+ elif isinstance(v, list):
sublist = []
for sv in v:
sm = simple_marshal(sv)
@@ -255,13 +253,13 @@
return pairs
def simple_marshal(v):
- if isinstance(v, StringType):
+ if isinstance(v, str):
return ''
- if isinstance(v, BooleanType):
+ if isinstance(v, bool):
return ':boolean'
- if isinstance(v, IntType):
+ if isinstance(v, int):
return ':int'
- if isinstance(v, FloatType):
+ if isinstance(v, float):
return ':float'
if isinstance(v, DateTime):
return ':date'
@@ -283,7 +281,7 @@
if qs and omit:
qsparts = qs.split('&')
- if isinstance(omit, StringType):
+ if isinstance(omit, str):
omits = {omit: None}
else:
omits = {}