def test_prevents_bad_string_formatting_key(self):
    """Item access from a format string ('{0[i]}') must go through the same
    security checks as guarded_getitem.

    A format string is an indirect way to index an object; if SafeFormatter
    used a plain obj[key] here, restricted code could reach items that the
    guards deny.  Every scenario below checks guarded_getitem and
    SafeFormatter side by side so the two cannot drift apart.
    """
    from AccessControl.safe_formatter import SafeFormatter
    from AccessControl.ZopeGuards import guarded_getitem
    from persistent.list import PersistentList

    def fmt(spec, ob):
        # A fresh formatter per call, the way the code under test is used.
        return SafeFormatter(spec).safe_format(ob)

    # 1. Basic Python values inside a basic Python list: no guard needed.
    plain = ['bar']
    self.assertEqual(fmt('{0[0]}', plain), 'bar')
    self.assertEqual(guarded_getitem(plain, 0), 'bar')

    # 2. The same values inside a non-basic container are guarded, and the
    #    formatter must be refused exactly when guarded_getitem is.
    persisted = PersistentList(plain)
    with self.assertRaises(Unauthorized):
        guarded_getitem(persisted, 0)
    with self.assertRaises(Unauthorized):
        fmt('{0[0]}', persisted)

    # 3. ...unless the container explicitly opts its items in, in which
    #    case both paths agree again.
    persisted.__allow_access_to_unprotected_subobjects__ = 1
    self.assertEqual(guarded_getitem(persisted, 0), 'bar')
    self.assertEqual(fmt('{0[0]}', persisted), 'bar')

    # 4. Non-basic items (content objects in a folder) are checked one by
    #    one: the public items are reachable, the private one at index 1
    #    raises Unauthorized rather than leaking.
    folder = self._create_folder_with_mixed_contents()
    self.assertEqual(fmt('{0[0]}', folder), '<Item public1>')
    self.assertEqual(fmt('{0[2]}', folder), '<Item public2>')
    with self.assertRaises(Unauthorized):
        fmt('{0[1]}', folder)
def test_prevents_bad_string_formatting_key(self):
    """The '{0[key]}' path of SafeFormatter must be gated by guarded_getitem.

    Formatting is an indirect index operation; if it used plain obj[key]
    it would hand restricted code whatever the security policy was meant
    to hide.  This test pairs every SafeFormatter call with the equivalent
    guarded_getitem call (or the expected Unauthorized) across basic and
    non-basic containers and items.
    """
    from AccessControl.safe_formatter import SafeFormatter
    from AccessControl.ZopeGuards import guarded_getitem
    from persistent.list import PersistentList

    first_item = '{0[0]}'

    def denied(func, *args):
        # Both the guard and the formatter must refuse with Unauthorized
        # specifically, not with some other exception a caller may swallow.
        self.assertRaises(Unauthorized, func, *args)

    # Basic Python values in a plain list are always readable.
    items = list(['bar'])
    self.assertEqual(guarded_getitem(items, 0), 'bar')
    self.assertEqual(SafeFormatter(first_item).safe_format(items), 'bar')

    # The same values in a non-basic container: access is guarded.
    items = PersistentList(items)
    denied(guarded_getitem, items, 0)
    denied(SafeFormatter(first_item).safe_format, items)

    # The container can opt its items in; both paths then agree again.
    items.__allow_access_to_unprotected_subobjects__ = 1
    self.assertEqual(guarded_getitem(items, 0), 'bar')
    self.assertEqual(SafeFormatter(first_item).safe_format(items), 'bar')

    # Non-basic items get an individual check: public content is visible,
    # the private item in the middle (index 1) is not.
    folder = self._create_folder_with_mixed_contents()
    self.assertEqual(SafeFormatter(first_item).safe_format(folder),
                     '<Item public1>')
    self.assertEqual(SafeFormatter('{0[2]}').safe_format(folder),
                     '<Item public2>')
    denied(SafeFormatter('{0[1]}').safe_format, folder)
def __getitem__(self,index): data=self._data try: s=self._seq except AttributeError: return data[index] i=index if i < 0: i=len(self)+i if i < 0: raise IndexError, index ind=len(data) if i < ind: return data[i] ind=ind-1 test=self._test e=self._eindex skip = self._skip while i > ind: e = e + 1 try: try: v = guarded_getitem(s, e) except Unauthorized, vv: if skip is None: self._eindex = e msg = '(item %s): %s' % (index, vv) raise Unauthorized, msg, sys.exc_info()[2] skip_this = 1 else: skip_this = 0
def __getitem__(self, index): data = self._data try: s = self._seq except AttributeError: return data[index] i = index if i < 0: i = len(self) + i if i < 0: raise IndexError, index ind = len(data) if i < ind: return data[i] ind = ind - 1 test = self._test e = self._eindex skip = self._skip while i > ind: e = e + 1 try: try: v = guarded_getitem(s, e) except Unauthorized, vv: if skip is None: self._eindex = e msg = '(item %s): %s' % (index, vv) raise Unauthorized, msg, sys.exc_info()[2] skip_this = 1 else: skip_this = 0
def get_field(self, field_name, args, kwargs):
    """Resolve *field_name* to a value, routing every `.attr` / `[key]`
    step through the security-guarded accessors.

    This overrides string.Formatter.get_field, whose stdlib implementation
    walks the same chain with unguarded getattr() and obj[key]; here each
    step goes through guarded_getattr / guarded_getitem instead, so a
    format string cannot reach attributes or items the security policy
    denies.  Only the first component is looked up with get_value, i.e. in
    the positional/keyword arguments the caller supplied itself.

    Returns the ``(value, first_component)`` pair string.Formatter expects.
    Whatever the guarded accessors raise for a denied step (Unauthorized,
    as the tests for this module expect) propagates unchanged.
    """
    head, accessors = formatter_field_name_split(field_name)
    current = self.get_value(head, args, kwargs)
    for is_attr, key in accessors:
        # Pick the guarded accessor matching the syntax of this component.
        step = guarded_getattr if is_attr else guarded_getitem
        current = step(current, key)
    return current, head
def __getitem__(self, index: int):
    """Return item *index*, lazily pulling it through the security checks.

    Items are materialised from the wrapped sequence ``self._seq`` on
    demand, one at a time via ``guarded_getitem`` (never a plain ``s[e]``),
    and those that survive the checks are cached in ``self._data``.  Three
    filters apply to each candidate, in this order:

    * ``guarded_getitem`` raising ``Unauthorized``: the item is dropped
      when ``self._skip`` is set, otherwise the whole access fails;
    * ``self._skip``, a permission checked against the item with
      ``getSecurityManager().checkPermission``; items failing it are dropped;
    * ``self._test``, an optional callable; only items for which it returns
      a true value are kept.

    Raises IndexError when the wrapped sequence is exhausted before enough
    items have been found, and Unauthorized (prefixed with the requested
    index, wrapping the original message) for a denied item when
    ``self._skip`` is None.

    NOTE(review): the security decision is made once per item, at
    materialisation time.  Cached items, and every access after the source
    has been exhausted, are served from ``self._data`` without re-running
    any check.
    """
    data = self._data
    try:
        s = self._seq
    except AttributeError:
        # The source was exhausted on an earlier call (see the IndexError
        # branch below): everything that passed the checks is in the cache.
        return data[index]
    i = index
    if i < 0:
        # Negative indices need the full length; __len__ is not visible
        # here -- presumably it forces a complete scan of the source.
        i = len(self) + i
        if i < 0:
            raise IndexError(index)
    ind = len(data)
    if i < ind:
        # Already materialised and checked.
        return data[i]
    ind = ind - 1  # index of the last cached item
    test = self._test
    e = self._eindex  # position in _seq of the last item examined
    skip = self._skip
    while i > ind:
        e = e + 1
        try:
            try:
                # Security-checked access to the source item.
                v = guarded_getitem(s, e)
            except Unauthorized as vv:
                if skip is None:
                    # Record how far we got, then fail the whole access.
                    # The message names the logical index the caller asked
                    # for, not the position in the source.  Raised inside
                    # the except block, so the original Unauthorized is
                    # attached as __context__ (`from vv` would make that
                    # chaining explicit).
                    self._eindex = e
                    msg = '(item %s): %s' % (index, vv)
                    raise Unauthorized(msg)
                # With a skip permission set, a denied item is silently
                # dropped instead of aborting the access.
                skip_this = 1
            else:
                skip_this = 0
        except IndexError:
            # Source exhausted: discard the lazy state so later accesses go
            # straight to the cache, and report the caller's index.
            del self._test
            del self._seq
            del self._eindex
            raise IndexError(index)
        if skip_this:
            continue
        # Second gate: the caller-selected permission on the item itself.
        if skip and not getSecurityManager().checkPermission(skip, v):
            continue
        # Third gate: the optional filter predicate.
        if test is None or test(v):
            data.append(v)
            ind = ind + 1
    self._eindex = e
    return data[i]
def guarded_getitem(self, ob, index):
    """Delegate to the module-level ``guarded_getitem``.

    Inside the body the name resolves to the module-level function, not to
    this method: method names are not part of a function's enclosing scope,
    so there is no recursion.  Whatever the function raises for a denied or
    missing item propagates to the caller unchanged.
    """
    checked_getitem = guarded_getitem
    return checked_getitem(ob, index)