def test_should_be_tainted(self):
    """Spot-check the predicate that decides whether a value gets tainted.

    ``should_be_tainted`` is the gate in front of TaintedString wrapping:
    the cases here use a leading ``<`` as the marker that must trip it,
    for both text and bytes input.  The ``b'...'[0]`` cases exercise the
    single-element form of a bytes value (an int on Python 3, a one-byte
    str on Python 2), which the predicate must also classify correctly
    so that per-byte iteration cannot slip a ``<`` past the check.
    """
    from AccessControl.tainted import should_be_tainted

    # Each harmless input is paired with its dangerous counterpart and
    # the pairs are checked in the original order.
    harmless = ('string', b'string', b'string'[0])
    dangerous = ('<string', b'<string', b'<string'[0])
    for clean, marked in zip(harmless, dangerous):
        self.assertFalse(should_be_tainted(clean))
        self.assertTrue(should_be_tainted(marked))
def _valueIsOrHoldsTainted(self, val):
    """Walk ``val`` and report whether it is, or contains, a TaintedString.

    Returns 1 when a TaintedString is found anywhere in the structure
    (directly, inside a ``record``'s attribute names or values, or inside
    a list/tuple), otherwise 0.

    The walk also enforces the taint contract in both directions and
    fails the test on a violation: a TaintedString whose wrapped value
    is *not* dangerous (over-tainting), and a plain ``str``/``unicode``
    leaf that ``should_be_tainted`` but was left unwrapped (the
    security-relevant miss).  Every child is visited even after a hit so
    those assertions cover the whole structure, not just the first match.

    NOTE(review): only ``str``/``unicode`` leaves are examined for
    missing taint; ``bytes`` (a distinct type on Python 3) and any other
    leaf type pass through unchecked.  ``unicode`` and
    ``should_be_tainted`` are not imported here and are expected to be
    in scope at module level -- confirm on Python 3.
    """
    from ZPublisher.HTTPRequest import record
    from AccessControl.tainted import TaintedString

    if isinstance(val, TaintedString):
        # A taint wrapper must actually wrap something dangerous.
        self.assertTrue(
            should_be_tainted(val._value),
            "%r is not dangerous, no taint required." % val)
        return 1

    if isinstance(val, record):
        # Attribute names originate from the request just like the
        # values do, so both are checked; build the full list first so
        # no child is skipped once a hit has been seen.
        hits = [
            self._valueIsOrHoldsTainted(child)
            for name, value in list(val.__dict__.items())
            for child in (name, value)
        ]
        return 1 if any(hits) else 0

    if type(val) in (list, tuple):
        hits = [self._valueIsOrHoldsTainted(entry) for entry in val]
        return 1 if any(hits) else 0

    if type(val) in (str, unicode):
        # An unwrapped string the predicate flags means request handling
        # let dangerous input through unmarked.
        self.assertFalse(
            should_be_tainted(val),
            "'%s' is dangerous and should have been tainted." % val)

    return 0