
Source code changes of the file "src/Products/PageTemplates/tests/testHTMLTests.py" between
Zope-5.2.tar.gz and Zope-5.2.1.tar.gz

About: Zope Z Object Publishing Environment - web application platform used for building content management systems, intranets, portals, and custom applications.

testHTMLTests.py  (Zope-5.2):testHTMLTests.py  (Zope-5.2.1)
skipping to change at line 29 skipping to change at line 29
from AccessControl import SecurityManager from AccessControl import SecurityManager
from AccessControl.SecurityManagement import noSecurityManager from AccessControl.SecurityManagement import noSecurityManager
from Acquisition import Implicit from Acquisition import Implicit
from Products.PageTemplates.interfaces import IUnicodeEncodingConflictResolver from Products.PageTemplates.interfaces import IUnicodeEncodingConflictResolver
from Products.PageTemplates.PageTemplate import PageTemplate from Products.PageTemplates.PageTemplate import PageTemplate
from Products.PageTemplates.tests import util from Products.PageTemplates.tests import util
from Products.PageTemplates.unicodeconflictresolver import \ from Products.PageTemplates.unicodeconflictresolver import \
DefaultUnicodeEncodingConflictResolver DefaultUnicodeEncodingConflictResolver
from Products.PageTemplates.unicodeconflictresolver import \ from Products.PageTemplates.unicodeconflictresolver import \
PreferredCharsetResolver PreferredCharsetResolver
from Products.PageTemplates.ZopePageTemplate import ZopePageTemplate
from zExceptions import NotFound from zExceptions import NotFound
from zope.component import provideUtility from zope.component import provideUtility
from zope.location.interfaces import LocationError
from zope.traversing.adapters import DefaultTraversable from zope.traversing.adapters import DefaultTraversable
from .util import useChameleonEngine from .util import useChameleonEngine
class AqPageTemplate(Implicit, PageTemplate): class AqPageTemplate(Implicit, PageTemplate):
pass pass
class AqZopePageTemplate(Implicit, ZopePageTemplate):
pass
class Folder(util.Base): class Folder(util.Base):
pass pass
class UnitTestSecurityPolicy: class UnitTestSecurityPolicy:
""" """
Stub out the existing security policy for unit testing purposes. Stub out the existing security policy for unit testing purposes.
""" """
# Standard SecurityPolicy interface # Standard SecurityPolicy interface
def validate(self, def validate(self,
accessed=None, accessed=None,
skipping to change at line 73 skipping to change at line 78
super().setUp() super().setUp()
useChameleonEngine() useChameleonEngine()
zope.component.provideAdapter(DefaultTraversable, (None,)) zope.component.provideAdapter(DefaultTraversable, (None,))
provideUtility(DefaultUnicodeEncodingConflictResolver, provideUtility(DefaultUnicodeEncodingConflictResolver,
IUnicodeEncodingConflictResolver) IUnicodeEncodingConflictResolver)
self.folder = f = Folder() self.folder = f = Folder()
f.laf = AqPageTemplate() f.laf = AqPageTemplate()
f.t = AqPageTemplate() f.t = AqPageTemplate()
f.z = AqZopePageTemplate('testing')
self.policy = UnitTestSecurityPolicy() self.policy = UnitTestSecurityPolicy()
self.oldPolicy = SecurityManager.setSecurityPolicy(self.policy) self.oldPolicy = SecurityManager.setSecurityPolicy(self.policy)
noSecurityManager() # Use the new policy. noSecurityManager() # Use the new policy.
def tearDown(self): def tearDown(self):
super().tearDown() super().tearDown()
SecurityManager.setSecurityPolicy(self.oldPolicy) SecurityManager.setSecurityPolicy(self.oldPolicy)
noSecurityManager() # Reset to old policy. noSecurityManager() # Reset to old policy.
def assert_expected(self, t, fname, *args, **kwargs): def assert_expected(self, t, fname, *args, **kwargs):
skipping to change at line 225 skipping to change at line 231
self.assert_expected(t, 'UnicodeResolution.html') self.assert_expected(t, 'UnicodeResolution.html')
def test_underscore_traversal(self): def test_underscore_traversal(self):
t = self.folder.t t = self.folder.t
t.write('<p tal:define="p context/__class__" />') t.write('<p tal:define="p context/__class__" />')
with self.assertRaises(NotFound): with self.assertRaises(NotFound):
t() t()
t.write('<p tal:define="p nocall: random/_itertools/repeat"/>') t.write('<p tal:define="p nocall: random/_itertools/repeat"/>')
with self.assertRaises(NotFound): with self.assertRaises((NotFound, LocationError)):
t() t()
t.write('<p tal:content="random/_itertools/repeat/foobar"/>') t.write('<p tal:content="random/_itertools/repeat/foobar"/>')
with self.assertRaises((NotFound, LocationError)):
t()
def test_module_traversal(self):
t = self.folder.z
# Need to reset to the standard security policy so AccessControl
# checks are actually performed. The test setup initializes
# a policy that circumvents those checks.
SecurityManager.setSecurityPolicy(self.oldPolicy)
noSecurityManager()
# The getSecurityManager function is explicitly allowed
content = ('<p tal:define="a nocall:%s"'
' tal:content="python: a().getUser().getUserName()"/>')
t.write(content % 'modules/AccessControl/getSecurityManager')
self.assertEqual(t(), '<p>Anonymous User</p>')
# Anything else should be unreachable and raise NotFound:
# Direct access through AccessControl
t.write('<p tal:define="a nocall:modules/AccessControl/users"/>')
with self.assertRaises(NotFound):
t()
# Indirect access through an intermediary variable
content = ('<p tal:define="mod nocall:modules/AccessControl;'
' must_fail nocall:mod/users"/>')
t.write(content)
with self.assertRaises(NotFound):
t()
# Indirect access through an intermediary variable and a dictionary
content = ('<p tal:define="mod nocall:modules/AccessControl;'
' a_dict python: {\'unsafe\': mod};'
' must_fail nocall: a_dict/unsafe/users"/>')
t.write(content)
with self.assertRaises(NotFound): with self.assertRaises(NotFound):
t() t()
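Review bot: test_module_traversal only exercises the `modules/AccessControl/users` bypass through path traversal (`nocall:mod/users` and `a_dict/unsafe/users`), so the `NotFound` it pins is what the traversal guard raises; reaching the same attribute from a `python:` expression (`python: mod.users`) goes through RestrictedPython's guarded getattr rather than the traverser and is not covered. Since this test already switches back to the real security policy, it is the natural place for that case, e.g. `t.write('<p tal:define="mod nocall:modules/AccessControl; must_fail python: mod.users"/>')` followed by an `assertRaises` — the exception type on that path is not visible here (it may be Unauthorized rather than NotFound), so confirm it before pinning it. In test_underscore_traversal the loosened `assertRaises((NotFound, LocationError))` now accepts whichever layer rejects the `_itertools` path; a one-line comment such as `# NotFound from the Zope traverser, LocationError from Chameleon's path traversal` would record why both are acceptable, and the first case (`context/__class__`) still expects only NotFound, which looks inconsistent unless that path is known to always hit the Zope traverser.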
 End of changes. 6 change blocks. 
1 lines changed or deleted 43 lines changed or added
