def test_positional_argument_regression(self): """Testing fix of http://bugs.python.org/issue13598 issue.""" from AccessControl.safe_formatter import SafeFormatter self.assertEqual( SafeFormatter('{} {}').safe_format('foo', 'bar'), # NOQA: P103 'foo bar') self.assertEqual( SafeFormatter('{0} {1}').safe_format('foo', 'bar'), 'foo bar') self.assertEqual( SafeFormatter('{1} {0}').safe_format('foo', 'bar'), 'bar foo')
def test_prevents_bad_unicode_formatting_key(self): from AccessControl.safe_formatter import SafeFormatter # Accessing basic Python types in a basic Python list is fine. foo = list(['bar']) self.assertEqual(SafeFormatter('{0[0]}').safe_format(foo), u'bar') # But for non-basic items or non-basic lists, we want run checks. folder = self._create_folder_with_mixed_contents() # We can get the public items just fine: self.assertEqual( SafeFormatter(u'{0[0]}').safe_format(folder), '<Item public1>') self.assertEqual( SafeFormatter(u'{0[2]}').safe_format(folder), '<Item public2>') # But not the private item: self.assertRaises(Unauthorized, SafeFormatter(u'{0[1]}').safe_format, folder)
def _safe_format(inst, method): """Use our SafeFormatter that uses guarded_getattr for attribute access. This is for use with AccessControl.allow_type, as we do in CMFPlone/__init__.py. """ return SafeFormatter(inst).safe_format
def __call__(self): registry = self.registry() portal_state = getMultiAdapter((self.context, self.request), name='plone_portal_state') site_url = portal_state.portal_url() result2 = "" result2 += "'@sitePath': '\"%s\"',\n" % site_url result2 += "'@isPlone': true,\n" result2 += "'@isMockup': false,\n" result2 += "'@staticPath: '\"%s/++plone++static\"',\n" % site_url result2 += "'@barcelonetaPath: '\"%s/++theme++barceloneta\"',\n" % site_url less_vars_params = { 'site_url': site_url, } # Storing variables to use them on further vars for name, value in registry.items(): less_vars_params[name] = value for name, value in registry.items(): t = SafeFormatter(value).safe_format(**less_vars_params) result2 += f"'@{name}': \"{t}\",\n" self.request.response.setHeader("Content-Type", "application/javascript") return lessmodify % (result2)
def test_positional_argument_regression(self): """ to test http://bugs.python.org/issue13598 issue """ from AccessControl.safe_formatter import SafeFormatter try: self.assertEqual( SafeFormatter('{} {}').safe_format('foo', 'bar'), 'foo bar') except ValueError: # On Python 2.6 you get: # ValueError: zero length field name in format pass self.assertEqual( SafeFormatter('{0} {1}').safe_format('foo', 'bar'), 'foo bar') self.assertEqual( SafeFormatter('{1} {0}').safe_format('foo', 'bar'), 'bar foo')
def test_prevents_bad_string_formatting_item(self): from AccessControl.safe_formatter import SafeFormatter # Accessing basic Python types in a basic Python dict is fine. foo = {'bar': 'Can you see me?'} self.assertEqual( SafeFormatter('{0[bar]}').safe_format(foo), 'Can you see me?') # But for non-basic items or non-basic lists, we want run checks. folder = self._create_folder_with_mixed_contents() # We can get the public items just fine: self.assertEqual( SafeFormatter('{0[public1]}').safe_format(folder), '<Item public1>') self.assertEqual( SafeFormatter('{0[public2]}').safe_format(folder), '<Item public2>') # But not the private item: self.assertRaises(Unauthorized, SafeFormatter('{0[private]}').safe_format, folder)
def test_prevents_bad_string_formatting_attribute(self): from AccessControl.safe_formatter import SafeFormatter # Accessing basic Python attributes on a basic Python type is fine. self.assertTrue( SafeFormatter('{0.upper}').safe_format('foo').startswith( '<built-in method upper')) # unless the name is protected self.assertRaises(Unauthorized, SafeFormatter('{0.__class__}').safe_format, 'foo') # But for non-basic items or non-basic lists, we want run checks. folder = self._create_folder_with_mixed_contents() # We can get the public items just fine: self.assertEqual( SafeFormatter('{0.public1}').safe_format(folder), '<Item public1>') self.assertEqual( SafeFormatter('{0.public2}').safe_format(folder), '<Item public2>') # But not the private item: self.assertRaises(Unauthorized, SafeFormatter('{0.private}').safe_format, folder)
def test_prevents_bad_unicode_formatting_attribute(self): from AccessControl.safe_formatter import SafeFormatter # Accessing basic Python attributes on a basic Python type is fine. formatted = SafeFormatter(u'{0.upper}').safe_format('foo') self.assertTrue(formatted.startswith('<built-in method upper')) # unless the name is protected self.assertRaises(Unauthorized, SafeFormatter(u'{0.__class__}').safe_format, 'foo') # But for non-basic items or non-basic lists, we want run checks. folder = self._create_folder_with_mixed_contents() # We can get the public items just fine: self.assertEqual(SafeFormatter(u'{0.public1}').safe_format(folder), '<Item public1>') self.assertEqual(SafeFormatter(u'{0.public2}').safe_format(folder), '<Item public2>') # But not the private item: self.assertRaises(Unauthorized, SafeFormatter(u'{0.private}').safe_format, folder)
def test_prevents_bad_string_formatting_key(self): from AccessControl.safe_formatter import SafeFormatter from AccessControl.ZopeGuards import guarded_getitem from persistent.list import PersistentList # Accessing basic Python types in a basic Python list is fine. foo = list(['bar']) self.assertEqual(SafeFormatter('{0[0]}').safe_format(foo), 'bar') self.assertEqual(guarded_getitem(foo, 0), 'bar') # For basic Python types in a non-basic list, we guard the access. foo = PersistentList(foo) self.assertRaises(Unauthorized, guarded_getitem, foo, 0) self.assertRaises(Unauthorized, SafeFormatter('{0[0]}').safe_format, foo) # though we could allow access if we want: foo.__allow_access_to_unprotected_subobjects__ = 1 self.assertEqual(guarded_getitem(foo, 0), 'bar') self.assertEqual(SafeFormatter('{0[0]}').safe_format(foo), 'bar') # For non-basic items we want run checks too. folder = self._create_folder_with_mixed_contents() # We can get the public items just fine: self.assertEqual( SafeFormatter('{0[0]}').safe_format(folder), '<Item public1>') self.assertEqual( SafeFormatter('{0[2]}').safe_format(folder), '<Item public2>') # But not the private item: self.assertRaises(Unauthorized, SafeFormatter('{0[1]}').safe_format, folder)
def __call__(self): registry = self.registry() portal_state = getMultiAdapter((self.context, self.request), name='plone_portal_state') site_url = portal_state.portal_url() result = "" result += "sitePath: '\"%s\"',\n" % site_url result += "isPlone: true,\n" result += "isMockup: false,\n" result += "staticPath: '\"%s/++plone++static\"',\n" % site_url result += "barcelonetaPath: '\"%s/++theme++barceloneta\"',\n" % site_url less_vars_params = { 'site_url': site_url, } # Storing variables to use them on further vars for name, value in registry.items(): less_vars_params[name] = value for name, value in registry.items(): t = SafeFormatter(value).safe_format(**less_vars_params) result += f"'{name}': \"{t}\",\n" # Adding all plone.resource entries css values as less vars for name, value in self.resource_registry().items(): for css in value.css: url = urlparse(css) if url.netloc == '': # Local src = f"{site_url}/{css}" else: src = "%s" % (css) # less vars can't have dots on it result += "'{}': '\"{}\"',\n".format(name.replace('.', '_'), src) self.request.response.setHeader("Content-Type", "application/javascript") try: debug_level = int(self.request.get('debug', 2)) except: debug_level = 2 return lessconfig % (debug_level, result, result)