Posted to mod_python-commits@quetz.apache.org by nl...@apache.org on 2005/01/31 17:28:12 UTC

svn commit: r149268 - in httpd/mod_python/trunk: lib/python/mod_python/publisher.py test/test.py

Author: nlehuen
Date: Mon Jan 31 08:28:08 2005
New Revision: 149268

URL: http://svn.apache.org/viewcvs?view=rev&rev=149268
Log:
New traversal and publishing rules. We now forbid the traversal of any type defined in the 'types' module, with a few exceptions.

Modified:
    httpd/mod_python/trunk/lib/python/mod_python/publisher.py
    httpd/mod_python/trunk/test/test.py

Modified: httpd/mod_python/trunk/lib/python/mod_python/publisher.py
URL: http://svn.apache.org/viewcvs/httpd/mod_python/trunk/lib/python/mod_python/publisher.py?view=diff&r1=149267&r2=149268
==============================================================================
--- httpd/mod_python/trunk/lib/python/mod_python/publisher.py (original)
+++ httpd/mod_python/trunk/lib/python/mod_python/publisher.py Mon Jan 31 08:28:08 2005
@@ -38,6 +38,7 @@
 import base64
 
 import new
+import types
 from types import *
 
 imp_suffixes = " ".join([x[0][1:] for x in imp.get_suffixes()])
@@ -260,21 +261,37 @@
 
     return realm, user, passwd
 
-# Those are the traversal and publishing rules
-# It is a dictionary, indexed by type, with tuple values.
+### Those are the traversal and publishing rules ###
+
+# tp_rules is a dictionary, indexed by type, with tuple values.
 # The first item in the tuple is a boolean telling if the object can be traversed (default is True)
 # The second item in the tuple is a boolen telling if the object can be published (default is True)
-tp_rules = {
-    FunctionType        : (False, True),
-    MethodType          : (False, True),
-    BuiltinFunctionType : (False, True),
+tp_rules = {}
+
+# by default, built-in types cannot be traversed, but can be published
+default_builtins_tp_rule = (False,True)
+for t in types.__dict__.values():
+    if isinstance(t, type):
+        tp_rules[t]=default_builtins_tp_rule
+
+# those are the exceptions to the previous rules
+tp_rules.update({
+    # Those are not traversable nor publishable
     ModuleType          : (False, False),
     ClassType           : (False, False),
+    TypeType            : (False, False),
+    
     # XXX Generators should be publishable, see
     # http://issues.apache.org/jira/browse/MODPYTHON-15
     # Until they are, it is not interesting to publish them
     GeneratorType       : (False, False),
-}
+    
+    # Old-style instances are traversable
+    InstanceType        : (True, True),
+})
+
+# types which are not referenced in the tp_rules dictionary will be traversable
+# AND publishables 
 default_tp_rule = (True, True)
 
 def resolve_object(req, obj, object_str, realm=None, user=None, passwd=None):
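Review bot: The table filled by the `for t in types.__dict__.values()` loop is matched on the exact type (the lookup visible in the next hunk is `tp_rules.get(type(obj), default_tp_rule)`), so anything not listed falls through to `default_tp_rule = (True, True)`. That includes subclasses of built-ins, such as a `dict` subclass, and built-in types the `types` module does not export, for example `set`; assuming traversal uses the same lookup (it is outside this hunk), their inherited methods stay reachable. Consider resolving the rule with an `isinstance`-based check against the built-in types instead of a `type(obj)` key, and until then record the limit above `default_tp_rule`: `# NOTE: rules match type(obj) exactly; subclasses of built-ins and types missing from the 'types' module get default_tp_rule`. The test added in test.py covers only a plain dict.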
@@ -314,9 +331,7 @@
     
     # we're going to check if the final object is publishable
     rule = tp_rules.get(type(obj), default_tp_rule)
-    # XXX the isinstance(obj, type) test is required until
-    # we allow the publication of class objects.
-    if (not rule[1]) or isinstance(obj, type):
+    if not rule[1]:
 
          req.log_error('Cannot publish %s in %s because '
                        '%s is not publishable'
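Review bot: Dropping `isinstance(obj, type)` from the publish check leaves class objects covered only by the new `TypeType : (False, False)` entry, and `tp_rules.get(type(obj), default_tp_rule)` matches that entry only when the class's metaclass is exactly `type`. A new-style class with a custom metaclass has `type(obj)` equal to that metaclass, so it falls back to `default_tp_rule` and becomes publishable. Keeping the guard closes this: `if (not rule[1]) or isinstance(obj, type):`. resolve_object starts before this hunk and continues after it.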

Modified: httpd/mod_python/trunk/test/test.py
URL: http://svn.apache.org/viewcvs/httpd/mod_python/trunk/test/test.py?view=diff&r1=149267&r2=149268
==============================================================================
--- httpd/mod_python/trunk/test/test.py (original)
+++ httpd/mod_python/trunk/test/test.py Mon Jan 31 08:28:08 2005
@@ -1128,11 +1128,6 @@
         if (rsp != "test ok, interpreter=test_publisher"):
             self.fail(`rsp`)
 
-        # XXX is this OK ?
-        rsp = self.vhost_get("test_publisher", path="/tests.py/test_dict/items")
-        if (rsp != '[(1, 1), (2, 2), (3, 3)]'):
-            self.fail(`rsp`)
-
         rsp = self.vhost_get("test_publisher", path="/tests.py/test_dict_keys")
         if (rsp != '[1, 2, 3]'):
             self.fail(`rsp`)
@@ -1191,6 +1186,10 @@
         status, response = get_status("/tests.py/instance/traverse/func_code")
         if status != 403:
             self.fail('Vulnerability : new-style method traversal (%i)\n%s' % (status, response))
+
+        status, response = get_status("/tests.py/test_dict/clear")
+        if status != 403:
+            self.fail('Vulnerability : built-in type traversal (%i)\n%s' % (status, response))
 
     def test_publisher_old_style_instance_conf(self):
         c = VirtualHost("*",