Removed HTML tags from exception text of ``Unauthorized`` exception

because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed. (Merged r124165 from 2.13 branch here.)

Removed HTML tags from exception text of ``Unauthorized`` exception
because these tags get escaped since CVE-2010-1104 (see 2.13.12) got fixed. (Merged r124165 from 2.13 branch here.)
77bf07f5 · Michael Howitz · a76d48be · 77bf07f5 · 77bf07f5 · 77bf07f5
Commit 77bf07f5 authored Jan 25, 2012 by Michael Howitz
4 changed files
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -11,6 +11,10 @@ http://docs.zope.org/zope2/releases/.
 Bugs Fixed
 ++++++++++

+- Removed HTML tags from exception text of ``Unauthorized`` exception
+  because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
+  fixed.
+
 - Use ``in`` operator instead of deprecated ``has_key`` method (which
  is not implemented by ``OFS.ObjectManager``). This fixes an issue
  with WebDAV requests for skin objects.

--- a/src/ZPublisher/HTTPResponse.py
+++ b/src/ZPublisher/HTTPResponse.py
@@ -737,12 +737,12 @@ class HTTPResponse(BaseResponse):
            self.setHeader('WWW-Authenticate', 'basic realm="%s"' % realm, 1)

    def unauthorized(self):
-        m = "<strong>You are not authorized to access this resource.</strong>"
+        m = "You are not authorized to access this resource."
        if self.debug_mode:
            if self._auth:
-                m = m + '<p>\nUsername and password are not correct.</p>'
+                m = m + '\nUsername and password are not correct.'
            else:
-                m = m + '<p>\nNo Authorization header found.</p>'
+                m = m + '\nNo Authorization header found.'
        raise Unauthorized(m)

    def _setBCIHeaders(self, t, tb):

--- a/src/ZPublisher/tests/exception_handling.txt
+++ b/src/ZPublisher/tests/exception_handling.txt
@@ -170,7 +170,7 @@ Handle zExceptions.Unauthorized raised by BaseRequest.traverse. We take the
    >>> browser.open('http://localhost/test_folder_1_/bar')
    Traceback (most recent call last):
    ...
-    Unauthorized: <strong>You are not authorized to access this resource...
+    Unauthorized: You are not authorized to access this resource...
    >>> browser.contents

 Handle zExceptions.Forbidden raised by BaseRequest.traverse. 'traverse'

--- a/src/ZPublisher/tests/testHTTPResponse.py
+++ b/src/ZPublisher/tests/testHTTPResponse.py
@@ -880,8 +880,8 @@ class HTTPResponseTests(unittest.TestCase):
            response.unauthorized()
        except Unauthorized, raised:
            self.assertEqual(response.status, 200) # publisher sets 401 later
-            self.assertTrue("<strong>You are not authorized "
-                            "to access this resource.</strong>" in str(raised))
+            self.assertTrue("You are not authorized "
+                            "to access this resource." in str(raised))
        else:
            self.fail("Didn't raise Unauthorized")

@@ -892,7 +892,7 @@ class HTTPResponseTests(unittest.TestCase):
        try:
            response.unauthorized()
        except Unauthorized, raised:
-            self.assertTrue("<p>\nNo Authorization header found.</p>"
+            self.assertTrue("\nNo Authorization header found."
                            in str(raised))
        else:
            self.fail("Didn't raise Unauthorized")
@@ -905,7 +905,7 @@ class HTTPResponseTests(unittest.TestCase):
        try:
            response.unauthorized()
        except Unauthorized, raised:
-            self.assertTrue("<p>\nUsername and password are not correct.</p>"
+            self.assertTrue("\nUsername and password are not correct."
                            in str(raised))
        else:
            self.fail("Didn't raise Unauthorized")