[Zope-Checkins] CVS: Zope/lib/python/Products/Sessions - BrowserIdManager.py:1.9.4.2

Martijn Pieters mj@zope.com
Thu, 1 Aug 2002 12:01:29 -0400


Update of /cvs-repository/Zope/lib/python/Products/Sessions
In directory cvs.zope.org:/tmp/cvs-serv9310/lib/python/Products/Sessions

Modified Files:
      Tag: Zope-2_5-branch
	BrowserIdManager.py 
Log Message:
Big change, merge from trunk.

- Make DTML automatically html quote data indirectly taken from REQUEST
  which contain a '<'. Make sure (almost) all string operation preserve the
  taint on this data.

- Fix exceptions that use REQUEST data; quote the data.

- Don't let form and cookie values mask the REQUEST computed values such as
  URL0 and BASE1.


=== Zope/lib/python/Products/Sessions/BrowserIdManager.py 1.9.4.1 => 1.9.4.2 ===
 from SessionPermissions import *
 from common import DEBUG
 import os, time, random, string, binascii, sys, re
+from cgi import escape
 
 b64_trans = string.maketrans('+/', '-.')
 b64_untrans = string.maketrans('-.', '+/')
 
-badidnamecharsin = re.compile('[\?&;, ]').search
-badcookiecharsin = re.compile('[;, ]').search
+badidnamecharsin = re.compile('[\?&;,<> ]').search
+badcookiecharsin = re.compile('[;,<>& ]').search
 twodotsin = re.compile('(\w*\.){2,}').search
 
 _marker = []
@@ -119,7 +120,8 @@
                 # somebody screwed with the REQUEST instance during
                 # this request.
                 raise BrowserIdManagerErr, (
-                    'Ill-formed browserid in REQUEST.browser_id_:  %s' % bid
+                    'Ill-formed browserid in REQUEST.browser_id_:  %s' % 
+                    escape(bid)
                     )
             return bid
         # fall through & ck id namespaces if bid is not in request.
@@ -235,7 +237,7 @@
     def setBrowserIdName(self, k):
         """ sets browser id name string """
         if not (type(k) is type('') and k and not badidnamecharsin(k)):
-            raise BrowserIdManagerErr, 'Bad id name string %s' % repr(k)
+            raise BrowserIdManagerErr, 'Bad id name string %s' % escape(repr(k))
         self.browserid_name = k
 
     security.declareProtected(ACCESS_CONTENTS_PERM, 'getBrowserIdName')
@@ -309,7 +311,7 @@
     def setCookiePath(self, path=''):
         """ sets cookie 'path' element for id cookie """
         if not (type(path) is type('') and not badcookiecharsin(path)):
-            raise BrowserIdManagerErr, 'Bad cookie path %s' % repr(path)
+            raise BrowserIdManagerErr, 'Bad cookie path %s' % escape(repr(path))
         self.cookie_path = path
     
     security.declareProtected(ACCESS_CONTENTS_PERM, 'getCookiePath')
@@ -323,7 +325,7 @@
         if type(days) not in (type(1), type(1.0)):
             raise BrowserIdManagerErr,(
                 'Bad cookie lifetime in days %s (requires integer value)'
-                % repr(days)
+                % escape(repr(days))
                 )
         self.cookie_life_days = int(days)
 
@@ -337,7 +339,7 @@
         """ sets cookie 'domain' element for id cookie """
         if type(domain) is not type(''):
             raise BrowserIdManagerErr, (
-                'Cookie domain must be string: %s' % repr(domain)
+                'Cookie domain must be string: %s' % escape(repr(domain))
                 )
         if not domain:
             self.cookie_domain = ''
@@ -346,11 +348,11 @@
             raise BrowserIdManagerErr, (
                 'Cookie domain must contain at least two dots (e.g. '
                 '".zope.org" or "www.zope.org") or it must be left blank. : '
-                '%s' % `domain`
+                '%s' % escape(`domain`)
                 )
         if badcookiecharsin(domain):
             raise BrowserIdManagerErr, (
-                'Bad characters in cookie domain %s' % `domain`
+                'Bad characters in cookie domain %s' % escape(`domain`)
                 )
         self.cookie_domain = domain