[Checkins] SVN: grok/trunk/src/grok/ - fixed security in templates and views by removing proxies

Christian Theune ct at gocept.com
Tue Oct 17 18:18:36 EDT 2006


Log message for revision 70766:
   - fixed security in templates and views by removing proxies
  

Changed:
  U   grok/trunk/src/grok/_grok.py
  U   grok/trunk/src/grok/ftests/view/index.py

-=-
Modified: grok/trunk/src/grok/_grok.py
===================================================================
--- grok/trunk/src/grok/_grok.py	2006-10-17 21:17:42 UTC (rev 70765)
+++ grok/trunk/src/grok/_grok.py	2006-10-17 22:18:36 UTC (rev 70766)
@@ -19,6 +19,7 @@
 import persistent
 from zope import component
 from zope import interface
+from zope.proxy import removeAllProxies
 from zope.dottedname.resolve import resolve
 import zope.component.interface
 from zope.component.interfaces import IDefaultViewName
@@ -55,6 +56,10 @@
 
 class View(BrowserPage):
 
+    def __init__(self, context, request):
+        self.context = removeAllProxies(context)
+        self.request = removeAllProxies(request)
+
     def __call__(self):
         self.before()
 
@@ -64,8 +69,9 @@
 
         namespace = template.pt_getContext()
         namespace['request'] = self.request
+        # Jim would say: WAAAAAAAAAAAAH!
         namespace['view'] = self
-        namespace['context'] = self.context
+        namespace['context'] = removeAllProxies(self.context)
 
         module_info = template.__grok_module_info__
         directory_resource = component.queryAdapter(self.request,
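Review bot: `removeAllProxies(self.context)` on the `namespace['context']` line is redundant once `__init__` (added earlier in this commit) already stores an unproxied object in `self.context`, and the comment above `namespace['view']` tells a later reader nothing about why the proxies are gone. Keep one strip point and replace the comment with the reason, e.g. `# view and context reach the template without security proxies; template code is trusted here`, noting that `python:` expressions in the template then get unrestricted attribute access on the model. `__call__` begins and ends outside this hunk.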

Modified: grok/trunk/src/grok/ftests/view/index.py
===================================================================
--- grok/trunk/src/grok/ftests/view/index.py	2006-10-17 21:17:42 UTC (rev 70765)
+++ grok/trunk/src/grok/ftests/view/index.py	2006-10-17 22:18:36 UTC (rev 70766)
@@ -12,6 +12,8 @@
   <html>
   <body>
   <h1>Hello, world!</h1>
+  <span>Blue</span>
+  <span>Blue</span>
   </body>
   </html>
 
@@ -19,12 +21,14 @@
 import grok
 
 class Mammoth(grok.Model):
-    pass
+    teeth = u"Blue"
 
 index = grok.PageTemplate("""\
 <html>
 <body>
 <h1>Hello, world!</h1>
+<span tal:content="python:context.teeth">green</span>
+<span tal:content="context/teeth">green</span>
 </body>
 </html>
 """)


