[Checkins] SVN: Zope/trunk/ Removed HTML tags from exception text of ``Unauthorized`` exception

Michael Howitz mh at gocept.com
Wed Jan 25 12:50:14 UTC 2012


Log message for revision 124166:
  Removed HTML tags from exception text of ``Unauthorized`` exception
  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
  fixed. (Merged r124165 from 2.13 branch here.)
  
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/ZPublisher/HTTPResponse.py
  U   Zope/trunk/src/ZPublisher/tests/exception_handling.txt
  U   Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/doc/CHANGES.rst	2012-01-25 12:50:14 UTC (rev 124166)
@@ -11,6 +11,10 @@
 Bugs Fixed
 ++++++++++
 
+- Removed HTML tags from exception text of ``Unauthorized`` exception
+  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
+  fixed.
+
 - Use ``in`` operator instead of deprecated ``has_key`` method (which
   is not implemented by ``OFS.ObjectManager``). This fixes an issue
   with WebDAV requests for skin objects.

Modified: Zope/trunk/src/ZPublisher/HTTPResponse.py
===================================================================
--- Zope/trunk/src/ZPublisher/HTTPResponse.py	2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/src/ZPublisher/HTTPResponse.py	2012-01-25 12:50:14 UTC (rev 124166)
@@ -203,7 +203,7 @@
 
     def setStatus(self, status, reason=None, lock=None):
         """ Set the HTTP status code of the response
-        
+
         o The argument may either be an integer or a string from the
           'status_reasons' dict values:  status messages will be converted
           to the correct integer value.
@@ -244,7 +244,7 @@
         The response will include an HTTP header that sets a cookie on
         cookie-enabled browsers with a key "name" and value
         "value".
-        
+
         This value overwrites any previously set value for the
         cookie in the Response object.
         """
@@ -263,7 +263,7 @@
 
     def appendCookie(self, name, value):
         """ Set an HTTP cookie.
-        
+
         Returns an HTTP header that sets a cookie on cookie-enabled
         browsers with a key "name" and value "value". If a value for the
         cookie has previously been set in the response object, the new
@@ -309,7 +309,7 @@
         Return the value associated with a HTTP return header, or
         None if no such header has been set in the response
         yet.
-        
+
         If the 'literal' flag is true, preserve the case of the header name;
         otherwise lower-case the header name before looking up the value.
         """
@@ -318,9 +318,9 @@
 
     def setHeader(self, name, value, literal=0, scrubbed=False):
         """ Set an HTTP return header on the response.
-        
+
         Replay any existing value set for the header.
-        
+
         If the 'literal' flag is true, preserve the case of the header name;
         otherwise the header name will be lowercased.
 
@@ -355,7 +355,7 @@
 
     def addHeader(self, name, value):
         """ Set a new HTTP return header with the given value,
-        
+
         Retain any previously set headers with the same name.
 
         Note that this API appneds to the 'accumulated_headers' attribute;
@@ -450,7 +450,7 @@
             return
         elif lock:
             self._locked_body = 1
-            
+
         if not body:
             return self
 
@@ -540,7 +540,7 @@
                         # vary on it. Otherwise if not forced, cache should
                         # respect Accept-Encoding client header
                         vary = self.getHeader('Vary')
-                        if vary is None or 'Accept-Encoding' not in vary: 
+                        if vary is None or 'Accept-Encoding' not in vary:
                             self.appendHeader('Vary', 'Accept-Encoding')
         return self
 
@@ -737,12 +737,12 @@
             self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)
 
     def unauthorized(self):
-        m = "<strong>You are not authorized to access this resource.</strong>"
+        m = "You are not authorized to access this resource."
         if self.debug_mode:
             if self._auth:
-                m = m + '<p>\nUsername and password are not correct.</p>'
+                m = m + '\nUsername and password are not correct.'
             else:
-                m = m + '<p>\nNo Authorization header found.</p>'
+                m = m + '\nNo Authorization header found.'
         raise Unauthorized(m)
 
     def _setBCIHeaders(self, t, tb):
@@ -903,7 +903,7 @@
         """ Set headers required by various parts of protocol.
         """
         body = self.body
-        if (not 'content-length' in self.headers and 
+        if (not 'content-length' in self.headers and
             not 'transfer-encoding' in self.headers):
             self.setHeader('content-length', len(body))
         return "%d %s" % (self.status, self.errmsg), self.listHeaders()
@@ -946,7 +946,7 @@
             chunks.append("%s: %s" % (key, value))
         # RFC 2616 mandates empty line between headers and payload
         chunks.append('')
-        chunks.append(body) 
+        chunks.append(body)
         return '\r\n'.join(chunks)
 
     def write(self,data):
@@ -965,9 +965,9 @@
 
         """
         if not self._wrote:
-            
+
             notify(PubBeforeStreaming(self))
-            
+
             self.outputBody()
             self._wrote = 1
             self.stdout.flush()

Modified: Zope/trunk/src/ZPublisher/tests/exception_handling.txt
===================================================================
--- Zope/trunk/src/ZPublisher/tests/exception_handling.txt	2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/src/ZPublisher/tests/exception_handling.txt	2012-01-25 12:50:14 UTC (rev 124166)
@@ -13,7 +13,7 @@
     >>> browser.mech_browser.set_handle_redirect(False)
 
 Create the objects that are raising exceptions.
- 
+
     >>> dummy = app.test_folder_1_._setObject('foo', ExceptionRaiser1())
     >>> dummy = app.test_folder_1_._setObject('bar', ExceptionRaiser2())
     >>> dummy = app.test_folder_1_._setObject('baz', ExceptionRaiser3())
@@ -170,7 +170,7 @@
     >>> browser.open('http://localhost/test_folder_1_/bar')
     Traceback (most recent call last):
     ...
-    Unauthorized: <strong>You are not authorized to access this resource...
+    Unauthorized: You are not authorized to access this resource...
     >>> browser.contents
 
 Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'

Modified: Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py
===================================================================
--- Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py	2012-01-25 12:46:18 UTC (rev 124165)
+++ Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py	2012-01-25 12:50:14 UTC (rev 124166)
@@ -880,8 +880,8 @@
             response.unauthorized()
         except Unauthorized, raised:
             self.assertEqual(response.status, 200) # publisher sets 401 later
-            self.assertTrue("<strong>You are not authorized "
-                            "to access this resource.</strong>" in str(raised))
+            self.assertTrue("You are not authorized "
+                            "to access this resource." in str(raised))
         else:
             self.fail("Didn't raise Unauthorized")
 
@@ -892,8 +892,8 @@
         try:
             response.unauthorized()
         except Unauthorized, raised:
-            self.assertTrue("<p>\nNo Authorization header found.</p>"
-                                in str(raised))
+            self.assertTrue("\nNo Authorization header found."
+                            in str(raised))
         else:
             self.fail("Didn't raise Unauthorized")
 
@@ -905,8 +905,8 @@
         try:
             response.unauthorized()
         except Unauthorized, raised:
-            self.assertTrue("<p>\nUsername and password are not correct.</p>"
-                                in str(raised))
+            self.assertTrue("\nUsername and password are not correct."
+                            in str(raised))
         else:
             self.fail("Didn't raise Unauthorized")
 



More information about the checkins mailing list