[Zope-Checkins] CVS: Zope/lib/python/ZPublisher - xmlrpc.py:1.15.2.2

Tres Seaver tseaver at zope.com
Thu Jan 8 15:38:47 EST 2004


Update of /cvs-repository/Zope/lib/python/ZPublisher
In directory cvs.zope.org:/tmp/cvs-serv1752/lib/python/ZPublisher

Modified Files:
      Tag: Zope-2_6-branch
	xmlrpc.py 
Log Message:


  - XML-RPC marshalling of class instances used the instance 
    __dict__ to marshal the object, and could include attributes 
    prefixed with an underscore name. These attributes are considered 
    private in Zope and should generally not be disclosed.


=== Zope/lib/python/ZPublisher/xmlrpc.py 1.15.2.1 => 1.15.2.2 ===
--- Zope/lib/python/ZPublisher/xmlrpc.py:1.15.2.1	Wed Jul 23 14:14:42 2003
+++ Zope/lib/python/ZPublisher/xmlrpc.py	Thu Jan  8 15:38:16 2004
@@ -100,6 +100,16 @@
             # Convert Fault object to XML-RPC response.
             body=xmlrpclib.dumps(body, methodresponse=1)
         else:
+            if type(body) == types.InstanceType:
+                # Avoid disclosing private members. Private members are
+                # by convention named with a leading underscore char.
+                orig = body.__dict__
+                dict = {}
+                for key in orig.keys():
+                    if key[:1] != '_':
+                        dict[key] = orig[key]
+                body = dict
+
             # Marshall our body as an XML-RPC response. Strings will be sent
             # strings, integers as integers, etc. We do *not* convert
             # everything to a string first.
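Review bot: The check `if type(body) == types.InstanceType:` filters only the top-level `body`, so an instance that sits inside a list, tuple or dictionary result, or that is itself the value of a public attribute copied by `dict[key] = orig[key]`, still reaches `xmlrpclib.dumps` with its underscore-prefixed attributes intact. Consider moving the filtering into a small recursive helper that walks containers and attribute values before marshalling. Two smaller points: the local name `dict` shadows the builtin (something like `public` reads better), and the hunk shows no import for `types`, so please confirm the module already imports it.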



