[Checkins] SVN: z3c.dav/trunk/src/z3c/dav/ Check for situations
where the namespace of a requested property is an empty
Michael Kerrin
michael.kerrin at openapp.ie
Tue Jul 3 13:56:17 EDT 2007
Log message for revision 77372:
Check for situations where the namespace of a requested property is an empty
string and raise a BadRequest when this happens.
Changed:
U z3c.dav/trunk/src/z3c/dav/propfind.py
U z3c.dav/trunk/src/z3c/dav/proppatch.py
U z3c.dav/trunk/src/z3c/dav/tests/test_propfind.py
U z3c.dav/trunk/src/z3c/dav/tests/test_proppatch.py
-=-
Modified: z3c.dav/trunk/src/z3c/dav/propfind.py
===================================================================
--- z3c.dav/trunk/src/z3c/dav/propfind.py 2007-07-03 17:51:06 UTC (rev 77371)
+++ z3c.dav/trunk/src/z3c/dav/propfind.py 2007-07-03 17:56:17 UTC (rev 77372)
@@ -98,7 +98,6 @@
extraArg = includes[0]
elif properties.tag == "{DAV:}prop":
if len(properties) == 0:
- ## XXX - does this code correspond to the protocol.
propertiesFactory = self.renderAllProperties
else:
propertiesFactory = self.renderSelectedProperties
@@ -242,6 +241,13 @@
z3c.dav.utils.getObjectURL(ob, req))
for prop in props:
+ if z3c.dav.utils.parseEtreeTag(prop.tag)[0] == "":
+ # A namespace which is None corresponds to when no prefix is
+ # set, which I think is fine.
+ raise z3c.dav.interfaces.BadRequest(
+ self.request,
+ u"PROPFIND with invalid namespace declaration in body")
+
try:
davprop, adapter = z3c.dav.properties.getProperty(
ob, req, prop.tag, exists = True)
Modified: z3c.dav/trunk/src/z3c/dav/proppatch.py
===================================================================
--- z3c.dav/trunk/src/z3c/dav/proppatch.py 2007-07-03 17:51:06 UTC (rev 77371)
+++ z3c.dav/trunk/src/z3c/dav/proppatch.py 2007-07-03 17:56:17 UTC (rev 77372)
@@ -76,6 +76,13 @@
props = props[0]
for prop in props:
+ if z3c.dav.utils.parseEtreeTag(prop.tag)[0] == "":
+ # A namespace which is None corresponds to when no prefix
+ # is set, which I think is fine.
+ raise z3c.dav.interfaces.BadRequest(
+ self.request,
+ u"PROPFIND with invalid namespace declaration in body")
+
try:
if update.tag == "{DAV:}set":
changedAttributes.extend(self.handleSet(prop))
Modified: z3c.dav/trunk/src/z3c/dav/tests/test_propfind.py
===================================================================
--- z3c.dav/trunk/src/z3c/dav/tests/test_propfind.py 2007-07-03 17:51:06 UTC (rev 77371)
+++ z3c.dav/trunk/src/z3c/dav/tests/test_propfind.py 2007-07-03 17:56:17 UTC (rev 77372)
@@ -468,6 +468,43 @@
<ns0:status xmlns:ns0="DAV:">HTTP/1.1 200 Ok</ns0:status>
</ns0:propstat></ns0:response>""")
+ def test_renderSelected_badProperty(self):
+ resource = Resource("some text", 10)
+ request = z3c.dav.publisher.WebDAVRequest(StringIO(""), {})
+ propf = PROPFIND(None, None)
+
+ etree = z3c.etree.getEngine()
+ props = etree.Element(etree.QName("DAV:", "prop"))
+ prop = etree.Element("{}bar")
+ prop.tag = "{}bar" # lxml ignores the namespace in the above element
+ props.append(prop)
+
+ self.assertRaises(z3c.dav.interfaces.BadRequest,
+ propf.renderSelectedProperties,
+ resource, request, props)
+
+ def test_renderSelected_badProperty2(self):
+ resource = Resource("some text", 10)
+ request = z3c.dav.publisher.WebDAVRequest(StringIO(""), {})
+ propf = PROPFIND(None, None)
+
+ etree = z3c.etree.getEngine()
+ props = etree.Element(etree.QName("DAV:", "prop"))
+ prop = etree.Element("bar")
+ props.append(prop)
+
+ response = propf.renderSelectedProperties(resource, request, props)
+ assertXMLEqual(response(),
+ """<D:response xmlns:D="DAV:">
+<D:href>/resource</D:href>
+<D:propstat>
+ <D:prop>
+ <bar />
+ </D:prop>
+ <D:status>HTTP/1.1 404 Not Found</D:status>
+</D:propstat>
+</D:response>""")
+
def test_renderSelected_notfound(self):
resource = Resource("some text", 10)
request = z3c.dav.publisher.WebDAVRequest(StringIO(""), {})
Modified: z3c.dav/trunk/src/z3c/dav/tests/test_proppatch.py
===================================================================
--- z3c.dav/trunk/src/z3c/dav/tests/test_proppatch.py 2007-07-03 17:51:06 UTC (rev 77371)
+++ z3c.dav/trunk/src/z3c/dav/tests/test_proppatch.py 2007-07-03 17:56:17 UTC (rev 77372)
@@ -248,6 +248,51 @@
self.assertEqual(propp.setprops, [])
self.assertEqual(propp.removeprops, [])
+ def test_invalid_namespace_prop(self):
+ etree = z3c.etree.getEngine()
+ request = z3c.dav.publisher.WebDAVRequest(StringIO(""), {})
+ # Manually set up the xmlDataSource as some etree `parse` method
+ # raise a syntax error with the prop element with an empty namespace
+ # which we are trying to test
+ request.content_type = "application/xml"
+ request.xmlDataSource = etree.fromstring("""<?xml version="1.0" encoding="utf-8" ?>
+<D:propertyupdate xmlns:D="DAV:" xmlns="DAV:">
+ <set>
+ <prop>
+ </prop>
+ </set>
+</D:propertyupdate>""")
+ prop = etree.Element("{}bar")
+ prop.tag = "{}bar"
+ request.xmlDataSource[0][0].append(prop)
+ propp = PROPPATCHHandler(Resource(), request)
+
+ self.assertRaises(z3c.dav.interfaces.BadRequest,
+ propp.PROPPATCH)
+
+ def test_none_namespace_prop(self):
+ etree = z3c.etree.getEngine()
+ request = z3c.dav.publisher.WebDAVRequest(StringIO(""), {})
+ # Manually set up the xmlDataSource as some etree `parse` method
+ # raise a syntax error with the prop element with an empty namespace
+ # which we are trying to test
+ request.content_type = "application/xml"
+ request.xmlDataSource = etree.fromstring("""<?xml version="1.0" encoding="utf-8" ?>
+<D:propertyupdate xmlns:D="DAV:" xmlns="DAV:">
+ <set>
+ <prop>
+ </prop>
+ </set>
+</D:propertyupdate>""")
+ prop = etree.Element("bar")
+ prop.tag = "bar"
+ request.xmlDataSource[0][0].append(prop)
+ propp = PROPPATCHHandler(Resource(), request)
+ propp.PROPPATCH()
+
+ self.assertEqual(propp.setprops, ["bar"])
+ self.assertEqual(propp.removeprops, [])
+
def test_set_one_prop(self):
request = TestRequest(
set_properties = "<displayname>Display name</displayname>")
More information about the Checkins
mailing list