- Collector #1863: Prevent possibly sensitive information to leak via

  the TransientObject's __repr__ method.

doc/CHANGES.txt

@@ -42,6 +42,9 @@ Zope Changes
 
     Bugs Fixed
 
+      - Collector #1863: Prevent possibly sensitive information to leak via
+        the TransientObject's __repr__ method.
+
       - Repaired 'handle_errors' usage for doctests, along with the
         supporting 'debug' argument passed to
         'ZPublisher.Test.publish_module'.

lib/python/Products/Transience/TransientObject.py

@@ -256,8 +256,8 @@ class TransientObject(Persistent, Implicit):
         return "%s%s" % (t, d)
 
     def __repr__(self):
-        return "id: %s, token: %s, contents: %s" % (
-            self.id, self.token, `self.items()`
+        return "id: %s, token: %s, content keys: %s" % (
+            self.id, self.token, `self.keys()`
             )
 
 def lastmodified_sort(d1, d2):

lib/python/Products/Transience/tests/testTransientObject.py

@@ -115,6 +115,15 @@ class TestTransientObject(TestCase):
         t.delete('foobie')
         self.assertEqual(t.get('foobie'), None)
 
+    def test_repr_leaking_information(self):
+        # __repr__ used to show all contents, which could lead to sensitive
+        # information being visible in e.g. the ErrorLog object.
+        t = self.t.new('password-storing-session')
+        t.set('__ac_password__', 'secret')
+        self.failIf( repr(t).find('secret') != -1
+                   , '__repr__ leaks: %s' % repr(t)
+                   )
+
 
 def test_suite():
     testsuite = makeSuite(TestTransientObject, 'test')