Commit 3b2430b6 authored by Kazuhiko Shiozaki

explicitly check if PUT() is called with PUT request method.

parent f84e2f62
......@@ -28,6 +28,7 @@
import zope.interface
from AccessControl import ClassSecurityInfo
from zExceptions import Forbidden
from Products.ERP5Type import Permissions, PropertySheet, interfaces
from Products.ERP5Type.Base import Base
......@@ -220,9 +221,10 @@ class Coordinate(Base):
"""
Handle HTTP / WebDAV / FTP PUT requests.
"""
if not NoWL:
self.dav__init(REQUEST, RESPONSE)
self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
self.dav__init(REQUEST, RESPONSE)
self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
body = REQUEST.get('BODY', '')
try:
self._writeFromPUT( body )
......
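Review bot: The added REQUEST_METHOD test sits below `self.dav__init(REQUEST, RESPONSE)` and `self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)`, so a request that is about to be rejected still passes through WebDAV response setup and lock handling first (with `refresh=1`, which presumably can refresh a matching lock). Making the guard the first statement under the docstring, as the OFS.Image and POFile hunks on this page already do, refuses non-PUT calls before any of that runs. The same ordering appears in the ERP5Form, TextContent and ComponentMixin hunks. Judging by the hunk's line counts, the `if not NoWL:` condition around the two dav calls also appears to be dropped; whether `NoWL` is still needed is not visible here, and the method's signature lies outside the hunk.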
......@@ -201,10 +201,6 @@ class File(Document, CMFFile):
else:
return str(data)
security.declareProtected(Permissions.ModifyPortalContent,'PUT')
def PUT(self, REQUEST, RESPONSE):
CMFFile.PUT(self, REQUEST, RESPONSE)
# DAV Support
PUT = CMFFile.PUT
security.declareProtected(Permissions.FTPAccess, 'manage_FTPstat',
......
......@@ -45,6 +45,7 @@ from ZODB.POSException import ConflictError
from zExceptions import Redirect
from Acquisition import aq_base
from Products.PageTemplates.Expressions import SecureModuleImporter
from zExceptions import Forbidden
from Products.ERP5Type.PsycoWrapper import psyco
from Products.ERP5Type.Base import Base
......@@ -772,6 +773,8 @@ class ERP5Form(Base, ZMIForm, ZopePageTemplate):
"""Handle HTTP PUT requests."""
self.dav__init(REQUEST, RESPONSE)
self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
body=REQUEST.get('BODY', '')
# Empty the form (XMLToForm is unable to empty things before reopening)
for k in self.get_field_ids():
......
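Review bot: The rejection uses the Python 2-only statement form `raise Forbidden, 'REQUEST_METHOD should be PUT.'` and reports a wrong HTTP verb as a 403. `raise MethodNotAllowed('REQUEST_METHOD should be PUT.')` (with `from zExceptions import MethodNotAllowed`) would answer 405, which tells clients and anyone reading access logs that the verb was refused rather than the user's permission. If Forbidden is kept, the call form `raise Forbidden('REQUEST_METHOD should be PUT.')` is equivalent and also parses on Python 3. A one-line comment above the check, such as `# PUT is reachable by URL, so refuse calls that did not arrive as an HTTP PUT`, would record why it exists. All seven checks added on this page share this wording.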
......@@ -26,6 +26,7 @@ from Products.CMFDefault.utils import html_headcheck
from Products.CMFDefault.utils import bodyfinder
from Products.CMFDefault.utils import SimpleHTMLParser as CMFSimpleHTMLParser
from zLOG import LOG
from zExceptions import Forbidden
security = ModuleSecurityInfo( 'Products.ERP5Type.WebDAVSupport' )
......@@ -117,6 +118,8 @@ class TextContent:
""" Handle HTTP (and presumably FTP?) PUT requests """
self.dav__init(REQUEST, RESPONSE)
self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
body = REQUEST.get('BODY', '')
try:
......@@ -208,6 +211,8 @@ def PUT(self, REQUEST, RESPONSE):
return NullResource_PUT(self, REQUEST, RESPONSE)
self.dav__init(REQUEST, RESPONSE)
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
name = self.__name__
parent = self.__parent__
......
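Review bot: In the module-level `PUT` hunk the check is added below `return NullResource_PUT(self, REQUEST, RESPONSE)`, so whichever branch takes that early return hands the request to NullResource_PUT without the REQUEST_METHOD test. The condition guarding that return is outside the hunk, and NullResource_PUT may enforce the method on its own, but nothing visible here shows that. Placing the two added lines at the top of the function, before the early return and before `self.dav__init(REQUEST, RESPONSE)`, would cover both paths.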
......@@ -38,6 +38,7 @@ from Products.ERP5Type import Permissions
from Products.ERP5Type.Base import Base
from Products.ERP5Type.Accessor.Constant import PropertyGetter as ConstantGetter
from Products.ERP5Type.ConsistencyMessage import ConsistencyMessage
from zExceptions import Forbidden
from zLOG import LOG, INFO
......@@ -290,6 +291,8 @@ class ComponentMixin(PropertyRecordableMixin, Base):
"""
self.dav__init(REQUEST, RESPONSE)
self.dav__simpleifhandler(REQUEST, RESPONSE, refresh=1)
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
text_content = REQUEST.get('BODY')
if text_content is None:
......
......@@ -19,6 +19,7 @@
import OFS.Image
import struct
from cStringIO import StringIO
from zExceptions import Forbidden
def getImageInfo_with_svg_fix(data):
data = str(data)
......@@ -83,3 +84,13 @@ def getImageInfo_with_svg_fix(data):
return content_type, width, height
OFS.Image.getImageInfo = getImageInfo_with_svg_fix
PUT_orig = OFS.Image.File.PUT
def PUT(self, REQUEST, RESPONSE):
"""Handle HTTP PUT requests"""
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
return PUT_orig(self, REQUEST, RESPONSE)
OFS.Image.File.PUT = PUT
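Review bot: This wrapper only protects callers that look up `OFS.Image.File.PUT` after this module has been imported. A class that bound the original function earlier would keep the unchecked version, for example through a class-body alias in the style of `PUT = CMFFile.PUT` in the File section of this page, if that target resolves to the unpatched function. A comment above the assignment, e.g. `# Patch must load before any class aliases OFS.Image.File.PUT; earlier aliases keep the unchecked original`, would make that ordering dependency visible. The check is also repeated verbatim in seven places on this page; a small shared helper would keep the message and exception type consistent.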
......@@ -46,6 +46,7 @@ from zope.i18n import interpolate
from zope.i18n.interfaces import ITranslationDomain
from zope.interface import implements
from zLOG import LOG, INFO
from zExceptions import Forbidden
# Import from Localizer
from interfaces import IMessageCatalog
......@@ -737,6 +738,8 @@ class POFile(SimpleItem):
security.declareProtected('Manage messages', 'PUT')
def PUT(self, REQUEST, RESPONSE):
""" """
if REQUEST.environ['REQUEST_METHOD'] != 'PUT':
raise Forbidden, 'REQUEST_METHOD should be PUT.'
body = REQUEST['BODY']
self.po_import(self.id, body)
RESPONSE.setStatus(204)
......