[Checkins] SVN: grok/trunk/src/grok/ - fixed security in templates
and views by removing proxies
Christian Theune
ct at gocept.com
Tue Oct 17 18:18:36 EDT 2006
Log message for revision 70766:
- fixed security in templates and views by removing proxies
Changed:
U grok/trunk/src/grok/_grok.py
U grok/trunk/src/grok/ftests/view/index.py
-=-
Modified: grok/trunk/src/grok/_grok.py
===================================================================
--- grok/trunk/src/grok/_grok.py 2006-10-17 21:17:42 UTC (rev 70765)
+++ grok/trunk/src/grok/_grok.py 2006-10-17 22:18:36 UTC (rev 70766)
@@ -19,6 +19,7 @@
import persistent
from zope import component
from zope import interface
+from zope.proxy import removeAllProxies
from zope.dottedname.resolve import resolve
import zope.component.interface
from zope.component.interfaces import IDefaultViewName
@@ -55,6 +56,10 @@
class View(BrowserPage):
+ def __init__(self, context, request):
+ self.context = removeAllProxies(context)
+ self.request = removeAllProxies(request)
+
def __call__(self):
self.before()
@@ -64,8 +69,9 @@
namespace = template.pt_getContext()
namespace['request'] = self.request
+ # Jim would say: WAAAAAAAAAAAAH!
namespace['view'] = self
- namespace['context'] = self.context
+ namespace['context'] = removeAllProxies(self.context)
module_info = template.__grok_module_info__
directory_resource = component.queryAdapter(self.request,
Modified: grok/trunk/src/grok/ftests/view/index.py
===================================================================
--- grok/trunk/src/grok/ftests/view/index.py 2006-10-17 21:17:42 UTC (rev 70765)
+++ grok/trunk/src/grok/ftests/view/index.py 2006-10-17 22:18:36 UTC (rev 70766)
@@ -12,6 +12,8 @@
<html>
<body>
<h1>Hello, world!</h1>
+ <span>Blue</span>
+ <span>Blue</span>
</body>
</html>
@@ -19,12 +21,14 @@
import grok
class Mammoth(grok.Model):
- pass
+ teeth = u"Blue"
index = grok.PageTemplate("""\
<html>
<body>
<h1>Hello, world!</h1>
+<span tal:content="python:context.teeth">green</span>
+<span tal:content="context/teeth">green</span>
</body>
</html>
""")