def test_positional_argument_regression(self):
"""Testing fix of http://bugs.python.org/issue13598 issue."""
from AccessControl.safe_formatter import SafeFormatter
self.assertEqual(
SafeFormatter('{} {}').safe_format('foo', 'bar'), # NOQA: P103
'foo bar')
self.assertEqual(
SafeFormatter('{0} {1}').safe_format('foo', 'bar'), 'foo bar')
self.assertEqual(
SafeFormatter('{1} {0}').safe_format('foo', 'bar'), 'bar foo')
def test_prevents_bad_unicode_formatting_key(self):
from AccessControl.safe_formatter import SafeFormatter
# Accessing basic Python types in a basic Python list is fine.
foo = list(['bar'])
self.assertEqual(SafeFormatter('{0[0]}').safe_format(foo), u'bar')
# But for non-basic items or non-basic lists, we want run checks.
folder = self._create_folder_with_mixed_contents()
# We can get the public items just fine:
self.assertEqual(
SafeFormatter(u'{0[0]}').safe_format(folder), '<Item public1>')
self.assertEqual(
SafeFormatter(u'{0[2]}').safe_format(folder), '<Item public2>')
# But not the private item:
self.assertRaises(Unauthorized,
SafeFormatter(u'{0[1]}').safe_format, folder)
def _safe_format(inst, method):
"""Use our SafeFormatter that uses guarded_getattr for attribute access.
This is for use with AccessControl.allow_type,
as we do in CMFPlone/__init__.py.
"""
return SafeFormatter(inst).safe_format
def __call__(self):
registry = self.registry()
portal_state = getMultiAdapter((self.context, self.request),
name='plone_portal_state')
site_url = portal_state.portal_url()
result2 = ""
result2 += "'@sitePath': '\"%s\"',\n" % site_url
result2 += "'@isPlone': true,\n"
result2 += "'@isMockup': false,\n"
result2 += "'@staticPath: '\"%s/++plone++static\"',\n" % site_url
result2 += "'@barcelonetaPath: '\"%s/++theme++barceloneta\"',\n" % site_url
less_vars_params = {
'site_url': site_url,
}
# Storing variables to use them on further vars
for name, value in registry.items():
less_vars_params[name] = value
for name, value in registry.items():
t = SafeFormatter(value).safe_format(**less_vars_params)
result2 += f"'@{name}': \"{t}\",\n"
self.request.response.setHeader("Content-Type",
"application/javascript")
return lessmodify % (result2)
def test_positional_argument_regression(self):
"""
to test http://bugs.python.org/issue13598 issue
"""
from AccessControl.safe_formatter import SafeFormatter
try:
self.assertEqual(
SafeFormatter('{} {}').safe_format('foo', 'bar'), 'foo bar')
except ValueError:
# On Python 2.6 you get:
# ValueError: zero length field name in format
pass
self.assertEqual(
SafeFormatter('{0} {1}').safe_format('foo', 'bar'), 'foo bar')
self.assertEqual(
SafeFormatter('{1} {0}').safe_format('foo', 'bar'), 'bar foo')
def test_prevents_bad_string_formatting_item(self):
from AccessControl.safe_formatter import SafeFormatter
# Accessing basic Python types in a basic Python dict is fine.
foo = {'bar': 'Can you see me?'}
self.assertEqual(
SafeFormatter('{0[bar]}').safe_format(foo), 'Can you see me?')
# But for non-basic items or non-basic lists, we want run checks.
folder = self._create_folder_with_mixed_contents()
# We can get the public items just fine:
self.assertEqual(
SafeFormatter('{0[public1]}').safe_format(folder),
'<Item public1>')
self.assertEqual(
SafeFormatter('{0[public2]}').safe_format(folder),
'<Item public2>')
# But not the private item:
self.assertRaises(Unauthorized,
SafeFormatter('{0[private]}').safe_format, folder)
def test_prevents_bad_string_formatting_attribute(self):
from AccessControl.safe_formatter import SafeFormatter
# Accessing basic Python attributes on a basic Python type is fine.
self.assertTrue(
SafeFormatter('{0.upper}').safe_format('foo').startswith(
'<built-in method upper'))
# unless the name is protected
self.assertRaises(Unauthorized,
SafeFormatter('{0.__class__}').safe_format, 'foo')
# But for non-basic items or non-basic lists, we want run checks.
folder = self._create_folder_with_mixed_contents()
# We can get the public items just fine:
self.assertEqual(
SafeFormatter('{0.public1}').safe_format(folder), '<Item public1>')
self.assertEqual(
SafeFormatter('{0.public2}').safe_format(folder), '<Item public2>')
# But not the private item:
self.assertRaises(Unauthorized,
SafeFormatter('{0.private}').safe_format, folder)
def test_prevents_bad_unicode_formatting_attribute(self):
from AccessControl.safe_formatter import SafeFormatter
# Accessing basic Python attributes on a basic Python type is fine.
formatted = SafeFormatter(u'{0.upper}').safe_format('foo')
self.assertTrue(formatted.startswith('<built-in method upper'))
# unless the name is protected
self.assertRaises(Unauthorized,
SafeFormatter(u'{0.__class__}').safe_format, 'foo')
# But for non-basic items or non-basic lists, we want run checks.
folder = self._create_folder_with_mixed_contents()
# We can get the public items just fine:
self.assertEqual(SafeFormatter(u'{0.public1}').safe_format(folder),
'<Item public1>')
self.assertEqual(SafeFormatter(u'{0.public2}').safe_format(folder),
'<Item public2>')
# But not the private item:
self.assertRaises(Unauthorized,
SafeFormatter(u'{0.private}').safe_format,
folder)
def test_prevents_bad_string_formatting_key(self):
from AccessControl.safe_formatter import SafeFormatter
from AccessControl.ZopeGuards import guarded_getitem
from persistent.list import PersistentList
# Accessing basic Python types in a basic Python list is fine.
foo = list(['bar'])
self.assertEqual(SafeFormatter('{0[0]}').safe_format(foo), 'bar')
self.assertEqual(guarded_getitem(foo, 0), 'bar')
# For basic Python types in a non-basic list, we guard the access.
foo = PersistentList(foo)
self.assertRaises(Unauthorized, guarded_getitem, foo, 0)
self.assertRaises(Unauthorized,
SafeFormatter('{0[0]}').safe_format, foo)
# though we could allow access if we want:
foo.__allow_access_to_unprotected_subobjects__ = 1
self.assertEqual(guarded_getitem(foo, 0), 'bar')
self.assertEqual(SafeFormatter('{0[0]}').safe_format(foo), 'bar')
# For non-basic items we want run checks too.
folder = self._create_folder_with_mixed_contents()
# We can get the public items just fine:
self.assertEqual(
SafeFormatter('{0[0]}').safe_format(folder), '<Item public1>')
self.assertEqual(
SafeFormatter('{0[2]}').safe_format(folder), '<Item public2>')
# But not the private item:
self.assertRaises(Unauthorized,
SafeFormatter('{0[1]}').safe_format, folder)
def __call__(self):
registry = self.registry()
portal_state = getMultiAdapter((self.context, self.request),
name='plone_portal_state')
site_url = portal_state.portal_url()
result = ""
result += "sitePath: '\"%s\"',\n" % site_url
result += "isPlone: true,\n"
result += "isMockup: false,\n"
result += "staticPath: '\"%s/++plone++static\"',\n" % site_url
result += "barcelonetaPath: '\"%s/++theme++barceloneta\"',\n" % site_url
less_vars_params = {
'site_url': site_url,
}
# Storing variables to use them on further vars
for name, value in registry.items():
less_vars_params[name] = value
for name, value in registry.items():
t = SafeFormatter(value).safe_format(**less_vars_params)
result += f"'{name}': \"{t}\",\n"
# Adding all plone.resource entries css values as less vars
for name, value in self.resource_registry().items():
for css in value.css:
url = urlparse(css)
if url.netloc == '':
# Local
src = f"{site_url}/{css}"
else:
src = "%s" % (css)
# less vars can't have dots on it
result += "'{}': '\"{}\"',\n".format(name.replace('.', '_'),
src)
self.request.response.setHeader("Content-Type",
"application/javascript")
try:
debug_level = int(self.request.get('debug', 2))
except:
debug_level = 2
return lessconfig % (debug_level, result, result)