LP #490514: preserve tainting when calling into DTML from ZPT.

zopefoundation · Dec 2, 2009 · 2abdf14 · 2abdf14
1 parent 334d590
commit 2abdf14
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst
@@ -60,6 +60,8 @@ Features Added
 Bugs Fixed
 ++++++++++
 
+- LP #490514:  preserve tainting when calling into DTML from ZPT.
+
 - LP #414757: Don't send a request closed event from a cloned request.
 
 - LP #418454: FTP server did not work with Python 2.6.X

diff --git a/src/Products/PageTemplates/ZRPythonExpr.py b/src/Products/PageTemplates/ZRPythonExpr.py
@@ -69,6 +69,8 @@ def call_with_ns(f, ns, arg=1):
     this = ns.get('context', ns.get('here'))
     td.this = this
     request = ns.get('request', {})
+    if hasattr(request, 'taintWrapper'):
+        request = request.taintWrapper()
     td._push(request)
     td._push(InstanceDict(td.this, td))
     td._push(ns)

diff --git a/src/Products/PageTemplates/tests/testZRPythonExpr.py b/src/Products/PageTemplates/tests/testZRPythonExpr.py
@@ -39,6 +39,18 @@ def _find_request(td):
 
         result = call_with_ns(_find_request, names)
         self.assertEqual(result, {})
+
+    def test_call_with_request_preserves_tainting(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        class Request(dict):
+            def taintWrapper(self):
+                return {'tainted': 'found'}
+        context = ['context']
+        here = ['here']
+        names = {'context' : context, 'here': here, 'request' : Request()}
+
+        found = call_with_ns(lambda td: td['tainted'], names)
+        self.assertEqual(found, 'found')
 
 def test_suite():
     return unittest.makeSuite(MiscTests)