[Checkins] SVN: zope.publisher/trunk/ Convert a location, passed to a redirect method of HTTPRequest to string before checking for trusted host redirection.

Dan Korostelev nadako at gmail.com
Tue Sep 1 09:09:37 EDT 2009


Log message for revision 103444:
  Convert a location, passed to a redirect method of HTTPRequest to string before checking for trusted host redirection.

Changed:
  U   zope.publisher/trunk/CHANGES.txt
  U   zope.publisher/trunk/src/zope/publisher/http.py
  U   zope.publisher/trunk/src/zope/publisher/tests/test_http.py

-=-
Modified: zope.publisher/trunk/CHANGES.txt
===================================================================
--- zope.publisher/trunk/CHANGES.txt	2009-09-01 13:09:15 UTC (rev 103443)
+++ zope.publisher/trunk/CHANGES.txt	2009-09-01 13:09:37 UTC (rev 103444)
@@ -4,7 +4,10 @@
 3.9.1 (unreleased)
 ------------------
 
-- ...
+- Convert a location, passed to a redirect method of HTTPRequest to
+  string before checking for trusted host redirection, because a
+  location object may be some non-string convertable to string, like
+  URLGetter.
 
 3.9.0 (2009-08-27)
 ------------------
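Review bot: The new 3.9.1 entry describes "a redirect method of HTTPRequest", but the only call visible in this revision is `request.response.redirect(...)` in the added test, so the entry should name the response's redirect method; a reader searching the request class for this change will not find it. "convertable" should also be spelled "convertible".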

Modified: zope.publisher/trunk/src/zope/publisher/http.py
===================================================================
--- zope.publisher/trunk/src/zope/publisher/http.py	2009-09-01 13:09:15 UTC (rev 103443)
+++ zope.publisher/trunk/src/zope/publisher/http.py	2009-09-01 13:09:37 UTC (rev 103444)
@@ -879,6 +879,11 @@
 
     def redirect(self, location, status=None, trusted=False):
         """Causes a redirection without raising an error"""
+        
+        # convert to a string, as the location could be non-string
+        # convertable to string, for example, an URLGetter instance
+        location = str(location)
+        
         if not trusted:
             scheme, target_host, path, query, fragment = (
                 urlparse.urlsplit(location))
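Review bot: `location = str(location)` at the top of `redirect` runs unconditionally, so a unicode location containing non-ASCII characters will now raise UnicodeEncodeError at this line under Python 2's default ASCII codec. Consider converting only when the argument is not already a string, for example by guarding with `isinstance(location, basestring)`, or state in the docstring that the location must be ASCII-encodable. Placing the conversion ahead of `if not trusted:` is the right order, because `urlparse.urlsplit` then parses the same string the added test expects in the Location header. The two added blank lines around the comment carry trailing whitespace.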

Modified: zope.publisher/trunk/src/zope/publisher/tests/test_http.py
===================================================================
--- zope.publisher/trunk/src/zope/publisher/tests/test_http.py	2009-09-01 13:09:15 UTC (rev 103443)
+++ zope.publisher/trunk/src/zope/publisher/tests/test_http.py	2009-09-01 13:09:37 UTC (rev 103444)
@@ -282,6 +282,11 @@
         request.response.redirect('http://foobar.com/explicit', 304)
         self.assertEquals(request.response.getStatus(), 304)
 
+        # test non-string location, like URLGetter
+        request = self._createRequest(env, '')
+        request.response.redirect(request.URL)
+        self.assertEquals(request.response.getStatus(), 303)
+        self.assertEquals(request.response.getHeader('location'), str(request.URL))
 
     def testUntrustedRedirect(self):
         # Redirects are by default only allowed to target the same host as the
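Review bot: The added case only redirects to `request.URL`, which is the request's own host, so it does not cover the path that matters for the trusted-host check: a non-string location whose string form points at a different host. Add a counterpart in `testUntrustedRedirect` that passes such an object without `trusted=True` and asserts that the redirect is refused. The final `assertEquals` line also runs past 79 columns and could be wrapped.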


