From 2abdf14620f146857dc8e3ffd2b6a754884c331d Mon Sep 17 00:00:00 2001
From: Tres Seaver
Date: Wed, 2 Dec 2009 15:43:39 +0000
Subject: [PATCH] LP #490514: preserve tainting when calling into DTML from ZPT.
---
 doc/CHANGES.rst | 2 ++
 src/Products/PageTemplates/ZRPythonExpr.py | 2 ++
 src/Products/PageTemplates/tests/testZRPythonExpr.py | 12 ++++++++++++
 3 files changed, 16 insertions(+)
diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst
index be9a5ca1ce..d38e1f9114 100644
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -60,6 +60,8 @@ Features Added
 Bugs Fixed
 ++++++++++
+- LP #490514: preserve tainting when calling into DTML from ZPT.
+
 - LP #414757: Don't send a request closed event from a cloned request.
 - LP #418454: FTP server did not work with Python 2.6.X
diff --git a/src/Products/PageTemplates/ZRPythonExpr.py b/src/Products/PageTemplates/ZRPythonExpr.py
index 6e01754c4b..1876cfeb32 100644
--- a/src/Products/PageTemplates/ZRPythonExpr.py
+++ b/src/Products/PageTemplates/ZRPythonExpr.py
@@ -69,6 +69,8 @@ def call_with_ns(f, ns, arg=1):
     this = ns.get('context', ns.get('here'))
     td.this = this
     request = ns.get('request', {})
+    if hasattr(request, 'taintWrapper'):
+        request = request.taintWrapper()
     td._push(request)
     td._push(InstanceDict(td.this, td))
     td._push(ns)
diff --git a/src/Products/PageTemplates/tests/testZRPythonExpr.py b/src/Products/PageTemplates/tests/testZRPythonExpr.py
index b0d9902b51..e79c951bff 100644
--- a/src/Products/PageTemplates/tests/testZRPythonExpr.py
+++ b/src/Products/PageTemplates/tests/testZRPythonExpr.py
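Review bot: Only the object pushed directly onto `td` is swapped for the taint-aware wrapper; `ns`, pushed two lines later, still carries the original request under its `'request'` key, so a DTML expression that reaches form values through `request` rather than through a bare variable name presumably still receives untainted values — worth confirming against TemplateDict's lookup order before relying on this fix for that path. The `hasattr` guard also deserves a why-comment, since it silently falls through for the `{}` default and for any non-Zope request object: `# Push the taint-aware wrapper so request values resolved from DTML keep their taint (LP #490514).` call_with_ns begins before this hunk and continues past its last line.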
@@ -39,6 +39,18 @@ def _find_request(td):
         result = call_with_ns(_find_request, names)
         self.assertEqual(result, {})
+
+    def test_call_with_request_preserves_tainting(self):
+        from Products.PageTemplates.ZRPythonExpr import call_with_ns
+        class Request(dict):
+            def taintWrapper(self):
+                return {'tainted': 'found'}
+        context = ['context']
+        here = ['here']
+        names = {'context' : context, 'here': here, 'request' : Request()}
+
+        found = call_with_ns(lambda td: td['tainted'], names)
+        self.assertEqual(found, 'found')
 def test_suite():
     return unittest.makeSuite(MiscTests)
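Review bot: The new test cannot distinguish "the wrapper replaced the raw request" from "the wrapper was pushed alongside it", because the fake `Request()` is empty and only the wrapper defines `'tainted'`. Seeding the raw request with a conflicting value makes the assertion prove that the tainted view shadows the untainted one: `names = {'context' : context, 'here': here, 'request' : Request(tainted='raw')}`. A short docstring stating that intent — the taint wrapper, not the raw request, must be what DTML sees — would also make the test's purpose clear to the next reader. The enclosing MiscTests class starts before this hunk.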