Commit 8c5288fa authored by Tres Seaver's avatar Tres Seaver

Make ObjectManager's ``get`` and ``__getitem__`` return only "items".

No longer return attributes / methods from the class or from acquisition.
Thanks to Richard Mitchell at Netsight for the report.
parent 3950231e
......@@ -11,6 +11,10 @@ http://docs.zope.org/zope2/releases/.
Bugs Fixed
++++++++++
- Ensure that ObjectManager's ``get`` and ``__getitem__`` methods return only
"items" (no attributes / methods from the class or from acquisition).
Thanks to Richard Mitchell at Netsight for the report.
- Removed HTML tags from exception text of ``Unauthorized`` exception
because these tags get escaped since CVE-2010-1104 (see 2.13.12) got
fixed.
......
......@@ -23,6 +23,7 @@ import os
import re
import sys
import time
from types import NoneType
from AccessControl import ClassSecurityInfo
from AccessControl.class_init import InitializeClass
......@@ -757,12 +758,13 @@ class ObjectManager(CopyContainer,
return self.manage_delObjects(ids=[name])
def __getitem__(self, key):
v=self._getOb(key, None)
if v is not None: return v
if hasattr(self, 'REQUEST'):
request=self.REQUEST
if key in self:
return self._getOb(key, None)
request = getattr(self, 'REQUEST', None)
if not isinstance(request, (str, NoneType)):
method=request.get('REQUEST_METHOD', 'GET')
if request.maybe_webdav_client and not method in ('GET', 'POST'):
if (request.maybe_webdav_client and
method not in ('GET', 'POST')):
return NullResource(self, key, request).__of__(self)
raise KeyError, key
......@@ -783,7 +785,9 @@ class ObjectManager(CopyContainer,
security.declareProtected(access_contents_information, 'get')
def get(self, key, default=None):
if key in self:
return self._getOb(key, default)
return default
security.declareProtected(access_contents_information, 'keys')
def keys(self):
......
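Review bot: `__getitem__` can still hand back `None` for a key that passes `key in self`, because the lookup that follows keeps `None` as its default (`return self._getOb(key, None)`). If `__contains__` and `_getOb`, neither of which is visible in these hunks, ever disagree about an id, callers get `None` where the mapping contract promises `KeyError`. Consider checking the result, e.g. `v = self._getOb(key, None)` followed by `if v is None: raise KeyError, key`, or calling `_getOb` without a default if it raises on a miss. The `isinstance(request, (str, NoneType))` guard also needs a comment saying why a string `REQUEST` is treated as no request (presumably an acquired placeholder), something like `# REQUEST may be absent or a placeholder string, not a real request`. Since this change is what stops item access from exposing class attributes and acquired objects, a short docstring on `__getitem__` and `get` stating that only contained sub-objects are returned would help keep a later refactor from widening the lookup again.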
......@@ -57,6 +57,7 @@ class ApplicationTests(unittest.TestCase):
def test___bobo_traverse__attribute_miss_key_hit(self):
app = self._makeOne()
app._getOb = lambda x, y: x
app._objects = [{'id': 'OTHER', 'meta_type': None}]
request = {}
self.assertEqual(app.__bobo_traverse__(request, 'OTHER'), 'OTHER')
......
......@@ -412,6 +412,22 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
om = self._makeOne()
self.assertTrue(om)
def test___getitem___miss(self):
om = self._makeOne()
self.assertRaises(KeyError, om.__getitem__, 'nonesuch')
def test___getitem___miss_w_non_instance_attr(self):
om = self._makeOne()
self.assertRaises(KeyError, om.__getitem__, 'get')
def test___getitem___hit(self):
om = self._makeOne()
si1 = SimpleItem('1')
om['1'] = si1
got = om['1']
self.assertTrue(got.aq_self is si1)
self.assertTrue(got.aq_parent is om)
def test_get_miss_wo_default(self):
om = self._makeOne()
self.assertEqual(om.get('nonesuch'), None)
......@@ -421,6 +437,10 @@ class ObjectManagerTests(PlacelessSetup, unittest.TestCase):
obj = object()
self.assertTrue(om.get('nonesuch', obj) is obj)
def test_get_miss_w_non_instance_attr(self):
om = self._makeOne()
self.assertEqual(om.get('get'), None)
def test_get_hit(self):
om = self._makeOne()
si1 = SimpleItem('1')
......
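Review bot: The new miss tests only exercise a name that comes from the class (`'get'`); nothing visible here covers the other half of the commit message, a name that is reachable only through acquisition. Adding a case that wraps the manager in a parent holding an attribute, and asserts `KeyError` from `__getitem__` and `None` from `get` for that name, would pin the acquisition behaviour, which is the part most likely to regress. The WebDAV branch that returns `NullResource` for a missing key on non-GET/POST requests is also not exercised in these hunks; parts of the file are collapsed, so such tests may exist elsewhere.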