Skip to content

Z
Zope
Commit e575c54b authored by Hanno Schlichting's avatar Hanno Schlichting
Browse files
Options

flake8

parent 8e511c4e
Hide whitespace changes
Inline Side-by-side
Showing with 157 additions and 150 deletions
src/ZPublisher/HTTPRequest.py
View file @ e575c54b
...@@ -41,6 +41,9 @@ from ZPublisher.BaseRequest import BaseRequest ...@@ -41,6 +41,9 @@ from ZPublisher.BaseRequest import BaseRequest
from ZPublisher.BaseRequest import quote from ZPublisher.BaseRequest import quote
from ZPublisher.Converters import get_converter from ZPublisher.Converters import get_converter
if sys.version_info >= (3, 0):
unicode = str
# Flags # Flags
SEQUENCE = 1 SEQUENCE = 1
DEFAULT = 2 DEFAULT = 2
...@@ -58,29 +61,29 @@ base64 = None ...@@ -58,29 +61,29 @@ base64 = None
default_encoding = 'utf-8' default_encoding = 'utf-8'
isCGI_NAMEs = { isCGI_NAMEs = {
'SERVER_SOFTWARE' : 1, 'SERVER_SOFTWARE': 1,
'SERVER_NAME' : 1, 'SERVER_NAME': 1,
'GATEWAY_INTERFACE' : 1, 'GATEWAY_INTERFACE': 1,
'SERVER_PROTOCOL' : 1, 'SERVER_PROTOCOL': 1,
'SERVER_PORT' : 1, 'SERVER_PORT': 1,
'REQUEST_METHOD' : 1, 'REQUEST_METHOD': 1,
'PATH_INFO' : 1, 'PATH_INFO': 1,
'PATH_TRANSLATED' : 1, 'PATH_TRANSLATED': 1,
'SCRIPT_NAME' : 1, 'SCRIPT_NAME': 1,
'QUERY_STRING' : 1, 'QUERY_STRING': 1,
'REMOTE_HOST' : 1, 'REMOTE_HOST': 1,
'REMOTE_ADDR' : 1, 'REMOTE_ADDR': 1,
'AUTH_TYPE' : 1, 'AUTH_TYPE': 1,
'REMOTE_USER' : 1, 'REMOTE_USER': 1,
'REMOTE_IDENT' : 1, 'REMOTE_IDENT': 1,
'CONTENT_TYPE' : 1, 'CONTENT_TYPE': 1,
'CONTENT_LENGTH' : 1, 'CONTENT_LENGTH': 1,
'SERVER_URL': 1, 'SERVER_URL': 1,
} }
isCGI_NAME = isCGI_NAMEs.has_key isCGI_NAME = isCGI_NAMEs.has_key
hide_key = {'HTTP_AUTHORIZATION':1, 'HTTP_CGI_AUTHORIZATION': 1} hide_key = {'HTTP_AUTHORIZATION': 1, 'HTTP_CGI_AUTHORIZATION': 1}
default_port = {'http': '80', 'https': '443'} default_port = {'http': '80', 'https': '443'}
...@@ -100,9 +103,11 @@ _marker = [] ...@@ -100,9 +103,11 @@ _marker = []
trusted_proxies = [] trusted_proxies = []
class NestedLoopExit(Exception): class NestedLoopExit(Exception):
pass pass
class HTTPRequest(BaseRequest): class HTTPRequest(BaseRequest):
""" Model HTTP request data. """ Model HTTP request data.
...@@ -177,8 +182,7 @@ class HTTPRequest(BaseRequest): ...@@ -177,8 +182,7 @@ class HTTPRequest(BaseRequest):
self.stdin.seek(0) self.stdin.seek(0)
r = self.__class__(stdin=self.stdin, r = self.__class__(stdin=self.stdin,
environ=self._orig_env, environ=self._orig_env,
response=self.response.retry(), response=self.response.retry())
)
r.retry_count = self.retry_count r.retry_count = self.retry_count
return r return r
...@@ -239,8 +243,8 @@ class HTTPRequest(BaseRequest): ...@@ -239,8 +243,8 @@ class HTTPRequest(BaseRequest):
def physicalPathToVirtualPath(self, path): def physicalPathToVirtualPath(self, path):
""" Remove the path to the VirtualRoot from a physical path """ """ Remove the path to the VirtualRoot from a physical path """
if type(path) is type(''): if isinstance(path, str):
path = path.split( '/') path = path.split('/')
rpp = self.other.get('VirtualRootPhysicalPath', ('',)) rpp = self.other.get('VirtualRootPhysicalPath', ('',))
i = 0 i = 0
for name in rpp[:len(path)]: for name in rpp[:len(path)]:
...@@ -264,9 +268,9 @@ class HTTPRequest(BaseRequest): ...@@ -264,9 +268,9 @@ class HTTPRequest(BaseRequest):
If the URL makes no sense in light of the current virtual If the URL makes no sense in light of the current virtual
hosting context, a ValueError is raised.""" hosting context, a ValueError is raised."""
other = self.other other = self.other
path = filter(None, URL.split( '/')) path = filter(None, URL.split('/'))
if URL.find( '://') >= 0: if URL.find('://') >= 0:
path = path[2:] path = path[2:]
# Check the path against BASEPATH1 # Check the path against BASEPATH1
...@@ -281,8 +285,8 @@ class HTTPRequest(BaseRequest): ...@@ -281,8 +285,8 @@ class HTTPRequest(BaseRequest):
def _resetURLS(self): def _resetURLS(self):
other = self.other other = self.other
other['URL'] = '/'.join([other['SERVER_URL']] + self._script + other['URL'] = '/'.join(
self._steps) [other['SERVER_URL']] + self._script + self._steps)
for x in self._urls: for x in self._urls:
del self.other[x] del self.other[x]
self._urls = () self._urls = ()
...@@ -344,7 +348,7 @@ class HTTPRequest(BaseRequest): ...@@ -344,7 +348,7 @@ class HTTPRequest(BaseRequest):
if 'REMOTE_ADDR' in environ: if 'REMOTE_ADDR' in environ:
self._client_addr = environ['REMOTE_ADDR'] self._client_addr = environ['REMOTE_ADDR']
if ('HTTP_X_FORWARDED_FOR' in environ and if ('HTTP_X_FORWARDED_FOR' in environ and
self._client_addr in trusted_proxies): self._client_addr in trusted_proxies):
# REMOTE_ADDR is one of our trusted local proxies. # REMOTE_ADDR is one of our trusted local proxies.
# Not really very remote at all. The proxy can tell us the # Not really very remote at all. The proxy can tell us the
# IP of the real remote client in the forwarded-for header # IP of the real remote client in the forwarded-for header
...@@ -363,22 +367,22 @@ class HTTPRequest(BaseRequest): ...@@ -363,22 +367,22 @@ class HTTPRequest(BaseRequest):
################################################################ ################################################################
# Get base info first. This isn't likely to cause # Get base info first. This isn't likely to cause
# errors and might be useful to error handlers. # errors and might be useful to error handlers.
b = script = get_env('SCRIPT_NAME','').strip() b = script = get_env('SCRIPT_NAME', '').strip()
# _script and the other _names are meant for URL construction # _script and the other _names are meant for URL construction
self._script = map(quote, filter(None, script.split( '/'))) self._script = map(quote, filter(None, script.split('/')))
while b and b[-1] == '/': while b and b[-1] == '/':
b = b[:-1] b = b[:-1]
p = b.rfind('/') p = b.rfind('/')
if p >= 0: if p >= 0:
b = b[:p+1] b = b[:p + 1]
else: else:
b = '' b = ''
while b and b[0] == '/': while b and b[0] == '/':
b = b[1:] b = b[1:]
server_url = get_env('SERVER_URL',None) server_url = get_env('SERVER_URL', None)
if server_url is not None: if server_url is not None:
other['SERVER_URL'] = server_url = server_url.strip() other['SERVER_URL'] = server_url = server_url.strip()
else: else:
...@@ -386,7 +390,7 @@ class HTTPRequest(BaseRequest): ...@@ -386,7 +390,7 @@ class HTTPRequest(BaseRequest):
if https_environ and https_environ in ('on', 'ON', '1'): if https_environ and https_environ in ('on', 'ON', '1'):
protocol = 'https' protocol = 'https'
elif ('SERVER_PORT_SECURE' in environ and elif ('SERVER_PORT_SECURE' in environ and
environ['SERVER_PORT_SECURE'] == "1"): environ['SERVER_PORT_SECURE'] == "1"):
protocol = 'https' protocol = 'https'
else: else:
protocol = 'http' protocol = 'http'
...@@ -416,13 +420,13 @@ class HTTPRequest(BaseRequest): ...@@ -416,13 +420,13 @@ class HTTPRequest(BaseRequest):
server_url = server_url[:-1] server_url = server_url[:-1]
if b: if b:
self.base = "%s/%s" % (server_url,b) self.base = "%s/%s" % (server_url, b)
else: else:
self.base = server_url self.base = server_url
while script[:1] == '/': while script[:1] == '/':
script = script[1:] script = script[1:]
if script: if script:
script = "%s/%s" % (server_url,script) script = "%s/%s" % (server_url, script)
else: else:
script = server_url script = server_url
other['URL'] = self.script = script other['URL'] = self.script = script
...@@ -434,7 +438,7 @@ class HTTPRequest(BaseRequest): ...@@ -434,7 +438,7 @@ class HTTPRequest(BaseRequest):
# for names not otherwise specified in the form. # for names not otherwise specified in the form.
cookies = {} cookies = {}
taintedcookies = {} taintedcookies = {}
k = get_env('HTTP_COOKIE','') k = get_env('HTTP_COOKIE', '')
if k: if k:
parse_cookie(k, cookies) parse_cookie(k, cookies)
for k, v in cookies.items(): for k, v in cookies.items():
...@@ -451,20 +455,20 @@ class HTTPRequest(BaseRequest): ...@@ -451,20 +455,20 @@ class HTTPRequest(BaseRequest):
self.taintedcookies = taintedcookies self.taintedcookies = taintedcookies
def processInputs( def processInputs(
self, self,
# "static" variables that we want to be local for speed # "static" variables that we want to be local for speed
SEQUENCE=1, SEQUENCE=1,
DEFAULT=2, DEFAULT=2,
RECORD=4, RECORD=4,
RECORDS=8, RECORDS=8,
REC=12, # RECORD | RECORDS REC=12, # RECORD | RECORDS
EMPTY=16, EMPTY=16,
CONVERTED=32, CONVERTED=32,
hasattr=hasattr, hasattr=hasattr,
getattr=getattr, getattr=getattr,
setattr=setattr, setattr=setattr,
search_type=re.compile('(:[a-zA-Z][-a-zA-Z0-9_]+|\\.[xy])$').search, search_type=re.compile(
): '(:[a-zA-Z][-a-zA-Z0-9_]+|\\.[xy])$').search):
"""Process request inputs """Process request inputs
We need to delay input parsing so that it is done under We need to delay input parsing so that it is done under
...@@ -472,7 +476,7 @@ class HTTPRequest(BaseRequest): ...@@ -472,7 +476,7 @@ class HTTPRequest(BaseRequest):
""" """
response = self.response response = self.response
environ = self.environ environ = self.environ
method = environ.get('REQUEST_METHOD','GET') method = environ.get('REQUEST_METHOD', 'GET')
if method != 'GET': if method != 'GET':
fp = self.stdin fp = self.stdin
...@@ -490,15 +494,15 @@ class HTTPRequest(BaseRequest): ...@@ -490,15 +494,15 @@ class HTTPRequest(BaseRequest):
environ['QUERY_STRING'] = '' environ['QUERY_STRING'] = ''
meth = None meth = None
fs = ZopeFieldStorage(fp=fp,environ=environ,keep_blank_values=1) fs = ZopeFieldStorage(fp=fp, environ=environ, keep_blank_values=1)
if not hasattr(fs,'list') or fs.list is None: if not hasattr(fs, 'list') or fs.list is None:
if 'HTTP_SOAPACTION' in environ: if 'HTTP_SOAPACTION' in environ:
# Stash XML request for interpretation by a SOAP-aware view # Stash XML request for interpretation by a SOAP-aware view
other['SOAPXML'] = fs.value other['SOAPXML'] = fs.value
# Hm, maybe it's an XML-RPC # Hm, maybe it's an XML-RPC
elif ('content-type' in fs.headers and elif ('content-type' in fs.headers and
'text/xml' in fs.headers['content-type'] and 'text/xml' in fs.headers['content-type'] and
method == 'POST'): method == 'POST'):
# Ye haaa, XML-RPC! # Ye haaa, XML-RPC!
global xmlrpc global xmlrpc
if xmlrpc is None: if xmlrpc is None:
...@@ -522,8 +526,8 @@ class HTTPRequest(BaseRequest): ...@@ -522,8 +526,8 @@ class HTTPRequest(BaseRequest):
isFileUpload = 0 isFileUpload = 0
key = item.name key = item.name
if (hasattr(item,'file') and hasattr(item,'filename') if (hasattr(item, 'file') and hasattr(item, 'filename') and
and hasattr(item,'headers')): hasattr(item, 'headers')):
if (item.file and if (item.file and
(item.filename is not None (item.filename is not None
# RFC 1867 says that all fields get a content-type. # RFC 1867 says that all fields get a content-type.
...@@ -548,17 +552,16 @@ class HTTPRequest(BaseRequest): ...@@ -548,17 +552,16 @@ class HTTPRequest(BaseRequest):
# do a string search, and then we'll check it with # do a string search, and then we'll check it with
# a re search. # a re search.
l = key.rfind(':') l = key.rfind(':')
if l >= 0: if l >= 0:
mo = search_type(key,l) mo = search_type(key, l)
if mo: if mo:
l = mo.start(0) l = mo.start(0)
else: else:
l = -1 l = -1
while l >= 0: while l >= 0:
type_name = key[l+1:] type_name = key[l + 1:]
key = key[:l] key = key[:l]
c = get_converter(type_name, None) c = get_converter(type_name, None)
...@@ -576,8 +579,8 @@ class HTTPRequest(BaseRequest): ...@@ -576,8 +579,8 @@ class HTTPRequest(BaseRequest):
meth = key meth = key
else: else:
meth = item meth = item
elif (type_name == 'default_method' or type_name == \ elif (type_name == 'default_method' or
'default_action'): type_name == 'default_action'):
if not meth: if not meth:
if l: if l:
meth = key meth = key
...@@ -598,7 +601,7 @@ class HTTPRequest(BaseRequest): ...@@ -598,7 +601,7 @@ class HTTPRequest(BaseRequest):
l = key.rfind(':') l = key.rfind(':')
if l < 0: if l < 0:
break break
mo = search_type(key,l) mo = search_type(key, l)
if mo: if mo:
l = mo.start(0) l = mo.start(0)
else: else:
...@@ -619,7 +622,7 @@ class HTTPRequest(BaseRequest): ...@@ -619,7 +622,7 @@ class HTTPRequest(BaseRequest):
if flags & EMPTY: if flags & EMPTY:
continue continue
#Split the key and its attribute # Split the key and its attribute
if flags & REC: if flags & REC:
key = key.split(".") key = key.split(".")
key, attr = ".".join(key[:-1]), key[-1] key, attr = ".".join(key[:-1]), key[-1]
...@@ -643,8 +646,8 @@ class HTTPRequest(BaseRequest): ...@@ -643,8 +646,8 @@ class HTTPRequest(BaseRequest):
# encoding. This gets passed to the converter # encoding. This gets passed to the converter
# either as unicode, if it can handle it, or # either as unicode, if it can handle it, or
# crunched back down to utf-8 if it can not. # crunched back down to utf-8 if it can not.
item = unicode(item,character_encoding) item = unicode(item, character_encoding)
if hasattr(converter,'convert_unicode'): if hasattr(converter, 'convert_unicode'):
item = converter.convert_unicode(item) item = converter.convert_unicode(item)
else: else:
item = converter( item = converter(
...@@ -670,10 +673,10 @@ class HTTPRequest(BaseRequest): ...@@ -670,10 +673,10 @@ class HTTPRequest(BaseRequest):
except: except:
if (not item and not (flags & DEFAULT) and if (not item and not (flags & DEFAULT) and
key in defaults): key in defaults):
item = defaults[key] item = defaults[key]
if flags & RECORD: if flags & RECORD:
item = getattr(item,attr) item = getattr(item, attr)
if flags & RECORDS: if flags & RECORDS:
item = getattr(item[-1], attr) item = getattr(item[-1], attr)
if tainted_key in tainteddefaults: if tainted_key in tainteddefaults:
...@@ -694,7 +697,7 @@ class HTTPRequest(BaseRequest): ...@@ -694,7 +697,7 @@ class HTTPRequest(BaseRequest):
if '<' in tainted_key and tainted is None: if '<' in tainted_key and tainted is None:
tainted = item tainted = item
#Determine which dictionary to use # Determine which dictionary to use
if flags & DEFAULT: if flags & DEFAULT:
mapping_object = defaults mapping_object = defaults
tainted_mapping = tainteddefaults tainted_mapping = tainteddefaults
...@@ -702,11 +705,11 @@ class HTTPRequest(BaseRequest): ...@@ -702,11 +705,11 @@ class HTTPRequest(BaseRequest):
mapping_object = form mapping_object = form
tainted_mapping = taintedform tainted_mapping = taintedform
#Insert in dictionary # Insert in dictionary
if key in mapping_object: if key in mapping_object:
if flags & RECORDS: if flags & RECORDS:
#Get the list and the last record # Get the list and the last record
#in the list. reclist is mutable. # in the list. reclist is mutable.
reclist = mapping_object[key] reclist = mapping_object[key]
x = reclist[-1] x = reclist[-1]
...@@ -724,8 +727,8 @@ class HTTPRequest(BaseRequest): ...@@ -724,8 +727,8 @@ class HTTPRequest(BaseRequest):
setattr(lastrecord, attr, tainted) setattr(lastrecord, attr, tainted)
else: else:
if flags & SEQUENCE: if flags & SEQUENCE:
getattr(lastrecord, getattr(
attr).append(tainted) lastrecord, attr).append(tainted)
else: else:
newrec = record() newrec = record()
setattr(newrec, attr, tainted) setattr(newrec, attr, tainted)
...@@ -745,19 +748,19 @@ class HTTPRequest(BaseRequest): ...@@ -745,19 +748,19 @@ class HTTPRequest(BaseRequest):
setattr(lastrecord, attr, copyitem) setattr(lastrecord, attr, copyitem)
else: else:
if flags & SEQUENCE: if flags & SEQUENCE:
getattr(lastrecord, getattr(
attr).append(copyitem) lastrecord, attr).append(copyitem)
else: else:
newrec = record() newrec = record()
setattr(newrec, attr, copyitem) setattr(newrec, attr, copyitem)
treclist.append(newrec) treclist.append(newrec)
if not hasattr(x,attr): if not hasattr(x, attr):
#If the attribute does not # If the attribute does not
#exist, setit # exist, setit
if flags & SEQUENCE: if flags & SEQUENCE:
item = [item] item = [item]
setattr(x,attr,item) setattr(x, attr, item)
else: else:
if flags & SEQUENCE: if flags & SEQUENCE:
# If the attribute is a # If the attribute is a
...@@ -770,7 +773,7 @@ class HTTPRequest(BaseRequest): ...@@ -770,7 +773,7 @@ class HTTPRequest(BaseRequest):
# Create a new record and add # Create a new record and add
# it to the list # it to the list
n = record() n = record()
setattr(n,attr,item) setattr(n, attr, item)
mapping_object[key].append(n) mapping_object[key].append(n)
elif flags & RECORD: elif flags & RECORD:
b = mapping_object[key] b = mapping_object[key]
...@@ -842,7 +845,7 @@ class HTTPRequest(BaseRequest): ...@@ -842,7 +845,7 @@ class HTTPRequest(BaseRequest):
if type(found) is lt: if type(found) is lt:
found.append(item) found.append(item)
else: else:
found = [found,item] found = [found, item]
mapping_object[key] = found mapping_object[key] = found
else: else:
# The dictionary does not have the key # The dictionary does not have the key
...@@ -852,7 +855,7 @@ class HTTPRequest(BaseRequest): ...@@ -852,7 +855,7 @@ class HTTPRequest(BaseRequest):
a = record() a = record()
if flags & SEQUENCE: if flags & SEQUENCE:
item = [item] item = [item]
setattr(a,attr,item) setattr(a, attr, item)
mapping_object[key] = [a] mapping_object[key] = [a]
if tainted: if tainted:
...@@ -869,7 +872,7 @@ class HTTPRequest(BaseRequest): ...@@ -869,7 +872,7 @@ class HTTPRequest(BaseRequest):
if flags & SEQUENCE: if flags & SEQUENCE:
item = [item] item = [item]
r = mapping_object[key] = record() r = mapping_object[key] = record()
setattr(r,attr,item) setattr(r, attr, item)
if tainted: if tainted:
# Store a tainted copy if necessary # Store a tainted copy if necessary
...@@ -898,7 +901,7 @@ class HTTPRequest(BaseRequest): ...@@ -898,7 +901,7 @@ class HTTPRequest(BaseRequest):
elif '<' in key: elif '<' in key:
tainted = item tainted = item
#Insert in dictionary # Insert in dictionary
if key in mapping_object: if key in mapping_object:
# it is not a record or list of records # it is not a record or list of records
found = mapping_object[key] found = mapping_object[key]
...@@ -929,14 +932,14 @@ class HTTPRequest(BaseRequest): ...@@ -929,14 +932,14 @@ class HTTPRequest(BaseRequest):
if type(found) is lt: if type(found) is lt:
found.append(item) found.append(item)
else: else:
found = [found,item] found = [found, item]
mapping_object[key] = found mapping_object[key] = found
else: else:
mapping_object[key] = item mapping_object[key] = item
if tainted: if tainted:
taintedform[tainted_key] = tainted taintedform[tainted_key] = tainted
#insert defaults into form dictionary # insert defaults into form dictionary
if defaults: if defaults:
for key, value in defaults.items(): for key, value in defaults.items():
tainted_key = key tainted_key = key
...@@ -952,7 +955,7 @@ class HTTPRequest(BaseRequest): ...@@ -952,7 +955,7 @@ class HTTPRequest(BaseRequest):
taintedform[tainted_key] = \ taintedform[tainted_key] = \
tainteddefaults[tainted_key] tainteddefaults[tainted_key]
else: else:
#The form has the key # The form has the key
tdefault = tainteddefaults.get(tainted_key, value) tdefault = tainteddefaults.get(tainted_key, value)
if isinstance(value, record): if isinstance(value, record):
# if the key is mapped to a record, get the # if the key is mapped to a record, get the
...@@ -987,7 +990,7 @@ class HTTPRequest(BaseRequest): ...@@ -987,7 +990,7 @@ class HTTPRequest(BaseRequest):
if not hasattr(r, k): if not hasattr(r, k):
# if the form dictionary doesn't have # if the form dictionary doesn't have
# the attribute, set it to the default # the attribute, set it to the default
setattr(r,k,v) setattr(r, k, v)
form[key] = r form[key] = r
elif isinstance(value, lt): elif isinstance(value, lt):
...@@ -1008,7 +1011,7 @@ class HTTPRequest(BaseRequest): ...@@ -1008,7 +1011,7 @@ class HTTPRequest(BaseRequest):
if not hasattr(origitem, k): if not hasattr(origitem, k):
setattr(origitem, k, v) setattr(origitem, k, v)
else: else:
if not defitem in tainted: if defitem not in tainted:
tainted.append(defitem) tainted.append(defitem)
taintedform[tainted_key] = tainted taintedform[tainted_key] = tainted
...@@ -1018,7 +1021,7 @@ class HTTPRequest(BaseRequest): ...@@ -1018,7 +1021,7 @@ class HTTPRequest(BaseRequest):
if isinstance(defitem, record): if isinstance(defitem, record):
try: try:
for k, v in \ for k, v in \
defitem.__dict__.items(): defitem.__dict__.items():
for origitem in l: for origitem in l:
if not hasattr( if not hasattr(
origitem, k): origitem, k):
...@@ -1027,7 +1030,7 @@ class HTTPRequest(BaseRequest): ...@@ -1027,7 +1030,7 @@ class HTTPRequest(BaseRequest):
except NestedLoopExit: except NestedLoopExit:
break break
else: else:
if not defitem in l: if defitem not in l:
missesdefault = 1 missesdefault = 1
break break
if missesdefault: if missesdefault:
...@@ -1038,10 +1041,10 @@ class HTTPRequest(BaseRequest): ...@@ -1038,10 +1041,10 @@ class HTTPRequest(BaseRequest):
defitem.__dict__.items()): defitem.__dict__.items()):
for origitem in tainted: for origitem in tainted:
if not hasattr( if not hasattr(
origitem, k): origitem, k):
setattr(origitem, k, v) setattr(origitem, k, v)
else: else:
if not defitem in tainted: if defitem not in tainted:
tainted.append(defitem) tainted.append(defitem)
taintedform[tainted_key] = tainted taintedform[tainted_key] = tainted
...@@ -1068,7 +1071,7 @@ class HTTPRequest(BaseRequest): ...@@ -1068,7 +1071,7 @@ class HTTPRequest(BaseRequest):
setattr(y, k, v) setattr(y, k, v)
else: else:
# x is not a record # x is not a record
if not x in l: if x not in l:
l.append(x) l.append(x)
form[key] = l form[key] = l
else: else:
...@@ -1080,28 +1083,28 @@ class HTTPRequest(BaseRequest): ...@@ -1080,28 +1083,28 @@ class HTTPRequest(BaseRequest):
if tuple_items: if tuple_items:
for key in tuple_items.keys(): for key in tuple_items.keys():
# Split the key and get the attr # Split the key and get the attr
k = key.split( ".") k = key.split(".")
k,attr = '.'.join(k[:-1]), k[-1] k, attr = '.'.join(k[:-1]), k[-1]
a = attr a = attr
new = '' new = ''
# remove any type_names in the attr # remove any type_names in the attr
while not a =='': while not a == '':
a = a.split( ":") a = a.split(":")
a,new = ':'.join(a[:-1]), a[-1] a, new = ':'.join(a[:-1]), a[-1]
attr = new attr = new
if k in form: if k in form:
# If the form has the split key get its value # If the form has the split key get its value
tainted_split_key = k tainted_split_key = k
if '<' in k: if '<' in k:
tainted_split_key = TaintedString(k) tainted_split_key = TaintedString(k)
item =form[k] item = form[k]
if isinstance(item, record): if isinstance(item, record):
# if the value is mapped to a record, check if it # if the value is mapped to a record, check if it
# has the attribute, if it has it, convert it to # has the attribute, if it has it, convert it to
# a tuple and set it # a tuple and set it
if hasattr(item,attr): if hasattr(item, attr):
value = tuple(getattr(item,attr)) value = tuple(getattr(item, attr))
setattr(item,attr,value) setattr(item, attr, value)
else: else:
# It is mapped to a list of records # It is mapped to a list of records
for x in item: for x in item:
...@@ -1109,8 +1112,8 @@ class HTTPRequest(BaseRequest): ...@@ -1109,8 +1112,8 @@ class HTTPRequest(BaseRequest):
if hasattr(x, attr): if hasattr(x, attr):
# If the record has the attribute # If the record has the attribute
# convert it to a tuple and set it # convert it to a tuple and set it
value = tuple(getattr(x,attr)) value = tuple(getattr(x, attr))
setattr(x,attr,value) setattr(x, attr, value)
# Do the same for the tainted counterpart # Do the same for the tainted counterpart
if tainted_split_key in taintedform: if tainted_split_key in taintedform:
...@@ -1147,7 +1150,7 @@ class HTTPRequest(BaseRequest): ...@@ -1147,7 +1150,7 @@ class HTTPRequest(BaseRequest):
path = path[:-1] path = path[:-1]
else: else:
path = '' path = ''
other['PATH_INFO'] = path = "%s/%s" % (path,meth) other['PATH_INFO'] = path = "%s/%s" % (path, meth)
self._hacked_path = 1 self._hacked_path = 1
def postProcessInputs(self): def postProcessInputs(self):
...@@ -1189,7 +1192,7 @@ class HTTPRequest(BaseRequest): ...@@ -1189,7 +1192,7 @@ class HTTPRequest(BaseRequest):
rsp.exception() rsp.exception()
if object is None: if object is None:
req.clear() req.clear()
raise sys.exc_info()[0], rsp.errmsg raise sys.exc_info()[0](rsp.errmsg)
# The traversal machinery may return a "default object" # The traversal machinery may return a "default object"
# like an index_html document. This is not appropriate # like an index_html document. This is not appropriate
...@@ -1227,7 +1230,7 @@ class HTTPRequest(BaseRequest): ...@@ -1227,7 +1230,7 @@ class HTTPRequest(BaseRequest):
directlyProvides(clone, *directlyProvidedBy(self)) directlyProvides(clone, *directlyProvidedBy(self))
return clone return clone
def getHeader(self, name, default = None, literal = False): def getHeader(self, name, default=None, literal=False):
"""Return the named HTTP header, or an optional default """Return the named HTTP header, or an optional default
argument or None if the header is not found. Note that argument or None if the header is not found. Note that
both original and CGI-ified header names are recognized, both original and CGI-ified header names are recognized,
...@@ -1256,8 +1259,7 @@ class HTTPRequest(BaseRequest): ...@@ -1256,8 +1259,7 @@ class HTTPRequest(BaseRequest):
The value will be looked up from one of the request data The value will be looked up from one of the request data
categories. The search order is environment variables, categories. The search order is environment variables,
other variables, form data, and then cookies. other variables, form data, and then cookies.
"""
""" #"
other = self.other other = self.other
if key in other: if key in other:
if key == 'REQUEST': if key == 'REQUEST':
...@@ -1271,7 +1273,7 @@ class HTTPRequest(BaseRequest): ...@@ -1271,7 +1273,7 @@ class HTTPRequest(BaseRequest):
path = self._script + self._steps path = self._script + self._steps
n = len(path) - int(n) n = len(path) - int(n)
if n < 0: if n < 0:
raise KeyError, key raise KeyError(key)
if pathonly: if pathonly:
path = [''] + path[:n] path = [''] + path[:n]
else: else:
...@@ -1301,7 +1303,7 @@ class HTTPRequest(BaseRequest): ...@@ -1301,7 +1303,7 @@ class HTTPRequest(BaseRequest):
if n: if n:
n = n - 1 n = n - 1
if len(path) < n: if len(path) < n:
raise KeyError, key raise KeyError(key)
v = self._script + path[:n] v = self._script + path[:n]
else: else:
...@@ -1339,7 +1341,7 @@ class HTTPRequest(BaseRequest): ...@@ -1339,7 +1341,7 @@ class HTTPRequest(BaseRequest):
if v is not _marker: if v is not _marker:
if callable(v): if callable(v):
v = v() v = v()
self[key] = v # Promote lazy value self[key] = v # Promote lazy value
del self._lazies[key] del self._lazies[key]
return v return v
...@@ -1374,7 +1376,7 @@ class HTTPRequest(BaseRequest): ...@@ -1374,7 +1376,7 @@ class HTTPRequest(BaseRequest):
def __getitem__(self, key, default=_marker, returnTaints=0): def __getitem__(self, key, default=_marker, returnTaints=0):
v = self.get(key, default, returnTaints=returnTaints) v = self.get(key, default, returnTaints=returnTaints)
if v is _marker: if v is _marker:
raise KeyError, key raise KeyError(key)
return v return v
# Using the getattr protocol to retrieve form values and similar # Using the getattr protocol to retrieve form values and similar
...@@ -1392,7 +1394,7 @@ class HTTPRequest(BaseRequest): ...@@ -1392,7 +1394,7 @@ class HTTPRequest(BaseRequest):
return self._locale return self._locale
if key == 'debug': if key == 'debug':
return self._debug return self._debug
raise AttributeError, key raise AttributeError(key)
return v return v
def set_lazy(self, key, callable): def set_lazy(self, key, callable):
...@@ -1401,7 +1403,7 @@ class HTTPRequest(BaseRequest): ...@@ -1401,7 +1403,7 @@ class HTTPRequest(BaseRequest):
def has_key(self, key, returnTaints=0): def has_key(self, key, returnTaints=0):
try: try:
self.__getitem__(key, returnTaints=returnTaints) self.__getitem__(key, returnTaints=returnTaints)
except: except Exception:
return 0 return 0
else: else:
return 1 return 1
...@@ -1412,7 +1414,8 @@ class HTTPRequest(BaseRequest): ...@@ -1412,7 +1414,8 @@ class HTTPRequest(BaseRequest):
keys.update(self._lazies) keys.update(self._lazies)
for key in self.environ.keys(): for key in self.environ.keys():
if (key in isCGI_NAMEs or key[:5] == 'HTTP_') and (key not in hide_key): if ((key in isCGI_NAMEs or key[:5] == 'HTTP_') and
(key not in hide_key)):
keys[key] = 1 keys[key] = 1
# Cache URLN and BASEN in self.other. # Cache URLN and BASEN in self.other.
...@@ -1421,14 +1424,14 @@ class HTTPRequest(BaseRequest): ...@@ -1421,14 +1424,14 @@ class HTTPRequest(BaseRequest):
while 1: while 1:
n = n + 1 n = n + 1
key = "URL%s" % n key = "URL%s" % n
if not self.has_key(key): if not self.has_key(key): # NOQA
break break
n = 0 n = 0
while 1: while 1:
n = n + 1 n = n + 1
key = "BASE%s" % n key = "BASE%s" % n
if not self.has_key(key): if not self.has_key(key): # NOQA
break break
keys.update(self.other) keys.update(self.other)
...@@ -1447,35 +1450,35 @@ class HTTPRequest(BaseRequest): ...@@ -1447,35 +1450,35 @@ class HTTPRequest(BaseRequest):
def __str__(self): def __str__(self):
result = "<h3>form</h3><table>" result = "<h3>form</h3><table>"
row = '<tr valign="top" align="left"><th>%s</th><td>%s</td></tr>' row = '<tr valign="top" align="left"><th>%s</th><td>%s</td></tr>'
for k,v in _filterPasswordFields(self.form.items()): for k, v in _filterPasswordFields(self.form.items()):
result = result + row % (escape(k), escape(repr(v))) result = result + row % (escape(k), escape(repr(v)))
result = result + "</table><h3>cookies</h3><table>" result = result + "</table><h3>cookies</h3><table>"
for k,v in _filterPasswordFields(self.cookies.items()): for k, v in _filterPasswordFields(self.cookies.items()):
result = result + row % (escape(k), escape(repr(v))) result = result + row % (escape(k), escape(repr(v)))
result = result + "</table><h3>lazy items</h3><table>" result = result + "</table><h3>lazy items</h3><table>"
for k,v in _filterPasswordFields(self._lazies.items()): for k, v in _filterPasswordFields(self._lazies.items()):
result = result + row % (escape(k), escape(repr(v))) result = result + row % (escape(k), escape(repr(v)))
result = result + "</table><h3>other</h3><table>" result = result + "</table><h3>other</h3><table>"
for k,v in _filterPasswordFields(self.other.items()): for k, v in _filterPasswordFields(self.other.items()):
if k in ('PARENTS','RESPONSE'): if k in ('PARENTS', 'RESPONSE'):
continue continue
result = result + row % (escape(k), escape(repr(v))) result = result + row % (escape(k), escape(repr(v)))
for n in "0123456789": for n in "0123456789":
key = "URL%s"%n key = "URL%s" % n
try: try:
result = result + row % (key, escape(self[key])) result = result + row % (key, escape(self[key]))
except KeyError: except KeyError:
pass pass
for n in "0123456789": for n in "0123456789":
key = "BASE%s"%n key = "BASE%s" % n
try: try:
result = result + row % (key, escape(self[key])) result = result + row % (key, escape(self[key]))
except KeyError: except KeyError:
pass pass
result = result + "</table><h3>environ</h3><table>" result = result + "</table><h3>environ</h3><table>"
for k,v in self.environ.items(): for k, v in self.environ.items():
if k not in hide_key: if k not in hide_key:
result = result + row % (escape(k), escape(repr(v))) result = result + row % (escape(k), escape(repr(v)))
return result + "</table>" return result + "</table>"
...@@ -1496,25 +1499,25 @@ class HTTPRequest(BaseRequest): ...@@ -1496,25 +1499,25 @@ class HTTPRequest(BaseRequest):
result = result + row % (k, repr(v)) result = result + row % (k, repr(v))
result = result + "\nOTHER\n\n" result = result + "\nOTHER\n\n"
for k, v in self.other.items(): for k, v in self.other.items():
if k in ('PARENTS','RESPONSE'): if k in ('PARENTS', 'RESPONSE'):
continue continue
result = result + row % (k, repr(v)) result = result + row % (k, repr(v))
for n in "0123456789": for n in "0123456789":
key = "URL%s"%n key = "URL%s" % n
try: try:
result = result + row % (key, self[key]) result = result + row % (key, self[key])
except KeyError: except KeyError:
pass pass
for n in "0123456789": for n in "0123456789":
key = "BASE%s"%n key = "BASE%s" % n
try: try:
result = result + row % (key, self[key]) result = result + row % (key, self[key])
except KeyError: except KeyError:
pass pass
result = result + "\nENVIRON\n\n" result = result + "\nENVIRON\n\n"
for k,v in self.environ.items(): for k, v in self.environ.items():
if k not in hide_key: if k not in hide_key:
result = result + row % (k, v) result = result + row % (k, v)
return result return result
...@@ -1526,7 +1529,7 @@ class HTTPRequest(BaseRequest): ...@@ -1526,7 +1529,7 @@ class HTTPRequest(BaseRequest):
if auth[:6].lower() == 'basic ': if auth[:6].lower() == 'basic ':
if base64 is None: if base64 is None:
import base64 import base64
[name,password] = \ [name, password] = \
base64.decodestring(auth.split()[-1]).split(':', 1) base64.decodestring(auth.split()[-1]).split(':', 1)
return name, password return name, password
...@@ -1547,6 +1550,7 @@ class HTTPRequest(BaseRequest): ...@@ -1547,6 +1550,7 @@ class HTTPRequest(BaseRequest):
def getURL(self): def getURL(self):
return self.URL return self.URL
class TaintRequestWrapper: class TaintRequestWrapper:
def __init__(self, req): def __init__(self, req):
self._req = req self._req = req
...@@ -1554,7 +1558,7 @@ class TaintRequestWrapper: ...@@ -1554,7 +1558,7 @@ class TaintRequestWrapper:
def __getattr__(self, key): def __getattr__(self, key):
if key in ('get', '__getitem__', '__getattr__', 'has_key', 'keys'): if key in ('get', '__getitem__', '__getattr__', 'has_key', 'keys'):
return TaintMethodWrapper(getattr(self._req, key)) return TaintMethodWrapper(getattr(self._req, key))
if not key in self._req.keys(): if key not in self._req.keys():
item = getattr(self._req, key, _marker) item = getattr(self._req, key, _marker)
if item is not _marker: if item is not _marker:
return item return item
...@@ -1626,15 +1630,16 @@ class FileUpload: ...@@ -1626,15 +1630,16 @@ class FileUpload:
if hasattr(file, '__methods__'): if hasattr(file, '__methods__'):
methods = file.__methods__ methods = file.__methods__
else: else:
methods = ['close', 'fileno', 'flush', 'isatty', methods = [
'close', 'fileno', 'flush', 'isatty',
'read', 'readline', 'readlines', 'seek', 'read', 'readline', 'readlines', 'seek',
'tell', 'truncate', 'write', 'writelines', 'tell', 'truncate', 'write', 'writelines',
'__iter__','next', 'name'] # see Collector 1837 '__iter__', 'next', 'name'] # see Collector 1837
d = self.__dict__ d = self.__dict__
for m in methods: for m in methods:
if hasattr(file,m): if hasattr(file, m):
d[m] = getattr(file,m) d[m] = getattr(file, m)
self.headers = aFieldStorage.headers self.headers = aFieldStorage.headers
self.filename = aFieldStorage.filename self.filename = aFieldStorage.filename
...@@ -1656,12 +1661,14 @@ class FileUpload: ...@@ -1656,12 +1661,14 @@ class FileUpload:
return self return self
QPARMRE= re.compile( QPARMRE = re.compile(
'([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)') '([\x00- ]*([^\x00- ;,="]+)="([^"]*)"([\x00- ]*[;,])?[\x00- ]*)')
PARMRE = re.compile( PARMRE = re.compile(
'([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)') '([\x00- ]*([^\x00- ;,="]+)=([^;]*)([\x00- ]*[;,])?[\x00- ]*)')
PARAMLESSRE = re.compile( PARAMLESSRE = re.compile(
'([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)') '([\x00- ]*([^\x00- ;,="]+)[\x00- ]*[;,][\x00- ]*)')
def parse_cookie(text, def parse_cookie(text,
result=None, result=None,
qparmre=QPARMRE, qparmre=QPARMRE,
...@@ -1701,9 +1708,9 @@ def parse_cookie(text, ...@@ -1701,9 +1708,9 @@ def parse_cookie(text,
if name not in result: if name not in result:
result[name] = unquote(value) result[name] = unquote(value)
return apply(parse_cookie,(text[l:],result)) return parse_cookie(text[l:], result)
# add class
class record: class record:
# Allow access to record methods and values from DTML # Allow access to record methods and values from DTML
...@@ -1719,10 +1726,9 @@ class record: ...@@ -1719,10 +1726,9 @@ class record:
'has_key', 'has_key',
'__contains__', '__contains__',
'__iter__', '__iter__',
'__len__', '__len__'):
):
return getattr(self.__dict__, key) return getattr(self.__dict__, key)
raise AttributeError, key raise AttributeError(key)
def __getitem__(self, key): def __getitem__(self, key):
return self.__dict__[key] return self.__dict__[key]
...@@ -1733,7 +1739,7 @@ class record: ...@@ -1733,7 +1739,7 @@ class record:
return ", ".join("%s: %s" % item for item in L1) return ", ".join("%s: %s" % item for item in L1)
def __repr__(self): def __repr__(self):
#return repr( self.__dict__ ) # return repr( self.__dict__ )
L1 = self.__dict__.items() L1 = self.__dict__.items()
L1.sort() L1.sort()
return '{%s}' % ', '.join( return '{%s}' % ', '.join(
...@@ -1745,8 +1751,8 @@ class record: ...@@ -1745,8 +1751,8 @@ class record:
cmp(self.__dict__.items(), other.__dict__.items())) cmp(self.__dict__.items(), other.__dict__.items()))
# Collector #777: filter out request fields which contain 'passw'
def _filterPasswordFields(items): def _filterPasswordFields(items):
# Collector #777: filter out request fields which contain 'passw'
result = [] result = []
...@@ -1759,6 +1765,7 @@ def _filterPasswordFields(items): ...@@ -1759,6 +1765,7 @@ def _filterPasswordFields(items):
return result return result
def _decode(value, charset): def _decode(value, charset):
"""Recursively look for string values and decode. """Recursively look for string values and decode.
""" """
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7