author | Ian Bicking <ianb@colorstudy.com> | 2010-09-14 10:59:50 -0500 |
committer | Ian Bicking <ianb@colorstudy.com> | 2010-09-14 10:59:50 -0500 |
commit | 13af02868e92e1fca24985c1b341aab23f9bfc58 (patch) | |
tree | 14e4dff4770c98d112588ef5edf6b6eccb9b2bc6 | |
parent | f47b88b10ff354e1df8692f45c0941377691f549 (diff) | |
parent | 2f43ca51972a0cfa19b8dfedb38aa1eca3d21d79 (diff) | |
Automated merge with ssh://bitbucket.org/ianb/paste
-rw-r--r-- | docs/news.txt | 3 | ||||
-rw-r--r-- | paste/fixture.py | 16 | ||||
-rw-r--r-- | paste/httpexceptions.py | 2 | ||||
-rwxr-xr-x | paste/httpserver.py | 9 | ||||
-rw-r--r-- | paste/request.py | 12 | ||||
-rw-r--r-- | paste/util/quoting.py | 9 | ||||
-rw-r--r-- | tests/test_request.py | 2 | ||||
-rw-r--r-- | tests/test_urlmap.py | 2 |
8 files changed, 37 insertions, 18 deletions
diff --git a/docs/news.txt b/docs/news.txt
index 38231d3..9c58f63 100644
--- a/docs/news.txt
+++ b/docs/news.txt
@@ -30,7 +30,8 @@ tip :class:`paste.urlparser.StaticURLParser` and :class:`paste.urlmap.URLMap`. If you ask for a path with ``/--><script>...`` that will be inserted in the error page and can
- execute Javascript. Reported by Tim Wintle.
+ execute Javascript. Reported by Tim Wintle with further details
+ from Georg-Christian Pranschke.
* Replaced :func:`paste.util.mimeparse.desired_match`
diff --git a/paste/fixture.py b/paste/fixture.py
index 08fab61..242a1de 100644
--- a/paste/fixture.py
+++ b/paste/fixture.py
@@ -210,7 +210,7 @@ class TestApp(object): def _gen_request(self, method, url, params='', headers=None, extra_environ=None, status=None, upload_files=None, expect_errors=False): """
- Do a generic request.
+ Do a generic request.
""" if headers is None: headers = {}
@@ -293,7 +293,7 @@ class TestApp(object): extra_environ=extra_environ,status=status, upload_files=None, expect_errors=expect_errors)
-
+
def _set_headers(self, headers, environ):
@@ -646,7 +646,7 @@ class TestResponse(object): tag='a', href_attr='href', href_extract=None, content=description,
- id=linkid,
+ id=linkid,
href_pattern=href, html_pattern=anchor, index=index, verbose=verbose)
@@ -1087,6 +1087,8 @@ class Form(object): Any extra keyword arguments are passed to the ``.get()`` or ``.post()`` method.
+
+ Returns a response object.
""" fields = self.submit_fields(name, index=index) return self.response.goto(self.action, method=self.method,
@@ -1246,10 +1248,10 @@ class Text(Field): """ def __init__(self, form, tag, name, pos, value='', id=None, **attrs):
- #text fields default to empty string
+ #text fields default to empty string
Field.__init__(self, form, tag, name, pos, value=value, id=id, **attrs)
-
+
Field.classes['text'] = Text class Textarea(Text):
@@ -1270,7 +1272,7 @@ class Submit(Field): """ Field representing ``<input type="submit">`` and ``<button>`` """
-
+
settable = False def value__get(self):
@@ -1339,7 +1341,7 @@ class TestFileEnvironment(object): if script_path is None: if sys.platform == 'win32': script_path = environ.get('PATH', '').split(';')
- else:
+ else:
script_path = environ.get('PATH', '').split(':') self.script_path = script_path if cwd is None:
diff --git a/paste/httpexceptions.py b/paste/httpexceptions.py
index 208d5cf..ede4f7e 100644
--- a/paste/httpexceptions.py
+++ b/paste/httpexceptions.py
@@ -212,7 +212,7 @@ class HTTPException(Exception): def plain(self, environ): """ text/plain representation of the exception """
- body = self.make_body(environ, strip_html(self.template), comment_quote)
+ body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote)
return ('%s %s\r\n%s\r\n' % (self.code, self.title, body)) def html(self, environ):
diff --git a/paste/httpserver.py b/paste/httpserver.py
index 007f8d7..7865fce 100755
--- a/paste/httpserver.py
+++ b/paste/httpserver.py
@@ -183,7 +183,7 @@ class WSGIHandlerMixin: if endslash and path != '/': # Put the slash back... path += '/'
- (server_name, server_port) = self.server.server_address
+ (server_name, server_port) = self.server.server_address[:2]
rfile = self.rfile if 'HTTP/1.1' == self.protocol_version and \
@@ -1243,7 +1243,7 @@ def serve(application, host=None, port=None, handler=None, ssl_pem=None, threadpool. See paste.httpserver.ThreadPool for specific options (``threadpool_workers`` is a specific option that can also go here).
-
+
``request_queue_size`` The 'backlog' argument to socket.listen(); specifies the
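Review bot: Passing `no_quote` as the value escaper means the substituted values now reach the text/plain body verbatim, where before they went through `comment_quote`, yet nothing in this commit tests `plain()` — the new test_urlmap case only exercises the HTML page. A test that builds an exception whose detail contains `-->` and `<script>`, calls `plain()`, and checks the `'%s %s\r\n%s\r\n'` output would pin the intended behaviour. `make_body` is not visible here, so confirm that its third and fourth positional parameters really are the value escaper and the comment escaper, in that order. A short comment on the call would help the next reader: `# text/plain: values are inserted unescaped (no_quote); comment_quote stays as the comment escaper`. HTTPException continues outside the hunk.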
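Review bot: The `[:2]` slice is the whole fix and deserves a comment: for an AF_INET6 listener `server_address` is a 4-tuple `(host, port, flowinfo, scope_id)`, so the previous two-name unpack raised ValueError; the same slice is added in the `serve()` hunk at -1300, which should carry the same note. Suggested line above the assignment: `# server_address is (host, port) on IPv4 but (host, port, flowinfo, scope_id) on IPv6`. With IPv6 the first element is a bare address without brackets; if `server_name` ends up in SERVER_NAME or is used to build a URL (not visible here), it needs bracketing there. The enclosing method begins before the hunk.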
@@ -1300,7 +1300,7 @@ def serve(application, host=None, port=None, handler=None, ssl_pem=None, if converters.asbool(start_loop): protocol = is_ssl and 'https' or 'http'
- host, port = server.server_address
+ host, port = server.server_address[:2]
if host == '0.0.0.0': print 'serving on 0.0.0.0:%s view at %s://127.0.0.1:%s' % \ (port, protocol, port)
@@ -1400,7 +1400,7 @@ server_runner.__doc__ = (serve.__doc__ or '') + """ When threads are killed or the process restarted, this email address will be contacted (using an SMTP server on localhost).
-
+
"""
@@ -1409,4 +1409,3 @@ if __name__ == '__main__': #serve(dump_environ, ssl_pem="test.pem") serve(dump_environ, server_version="Wombles/1.0", protocol_version="HTTP/1.1", port="8888")
-
diff --git a/paste/request.py b/paste/request.py
index 1a1d6c5..9af494d 100644
--- a/paste/request.py
+++ b/paste/request.py
@@ -18,7 +18,7 @@ environment to solve common requirements. """ import cgi
-from Cookie import SimpleCookie
+from Cookie import SimpleCookie, CookieError
from StringIO import StringIO import urlparse import urllib
@@ -45,7 +45,10 @@ def get_cookies(environ): if check_header == header: return cookies cookies = SimpleCookie()
- cookies.load(header)
+ try:
+ cookies.load(header)
+ except CookieError:
+ pass
environ['paste.cookies'] = (cookies, header) return cookies
@@ -65,7 +68,10 @@ def get_cookie_dict(environ): if check_header == header: return cookies cookies = SimpleCookie()
- cookies.load(header)
+ try:
+ cookies.load(header)
+ except CookieError:
+ pass
result = {} for name in cookies: result[name] = cookies[name].value
diff --git a/paste/util/quoting.py b/paste/util/quoting.py
index 582cc40..6184752 100644
--- a/paste/util/quoting.py
+++ b/paste/util/quoting.py
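Review bot: `except CookieError: pass` in `get_cookies` (and the identical block in the `get_cookie_dict` hunk below) does more than ignore a bad morsel: in the Python 2 `Cookie` module `load()` appears to raise at the first illegal cookie name, so the morsels parsed before it survive while everything after it is lost, and that partial jar is then cached in `environ['paste.cookies']` for every later caller in the request. One malformed cookie name in a request header can thus silently hide the rest of the header from the application, which is worth stating at the `pass`: `# load() stops at the first illegal key: cookies before it are kept, the rest are dropped`. Since both functions now carry the same three-line try/except, a small shared helper (for example `_load_cookies(header)` returning the SimpleCookie) would keep them from drifting apart. Both functions start before their hunks.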
@@ -77,11 +77,18 @@ def no_quote(s): return s _comment_quote_re = re.compile(r'\-\s*\>')
+# Everything but \r, \n, \t:
+_bad_chars_re = re.compile('[\x00-\x08\x0b-\x0c\x0e-\x1f]')
def comment_quote(s): """ Quote that makes sure text can't escape a comment """
- return _comment_quote_re.sub('->', str(s))
+ comment = str(s)
+ #comment = _bad_chars_re.sub('', comment)
+ #print 'in ', repr(str(s))
+ #print 'out', repr(comment)
+ comment = _comment_quote_re.sub('->', comment)
+ return comment
url_quote = urllib.quote url_unquote = urllib.unquote
diff --git a/tests/test_request.py b/tests/test_request.py
index c2cf940..3d882ed 100644
--- a/tests/test_request.py
+++ b/tests/test_request.py
@@ -58,3 +58,5 @@ def test_bad_cookie(): assert get_cookie_dict(env) == {} env['HTTP_COOKIE'] = '=foo' assert get_cookie_dict(env) == {}
+ env['HTTP_COOKIE'] = '?='
+ assert get_cookie_dict(env) == {}
diff --git a/tests/test_urlmap.py b/tests/test_urlmap.py
index 60b66eb..9f77ca2 100644
--- a/tests/test_urlmap.py
+++ b/tests/test_urlmap.py
@@ -45,3 +45,5 @@ def test_404(): app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'}) res = app.get("/-->%0D<script>alert('xss')</script>", status=404) assert '--><script' not in res.body
+ res = app.get("/--%01><script>", status=404)
+ assert '--\x01><script>' not in res.body |
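Review bot: `_bad_chars_re` is compiled but its only use is commented out, and the two `#print` lines are leftover debugging, so `comment_quote` still leaves C0 control characters such as `\x01` in place and only rewrites `--` followed by whitespace and `>`; either drop the three dead lines or enable the substitution, `comment = _bad_chars_re.sub('', comment)`, if stripping controls is the intended fix for the `/--%01><script>` case added in test_urlmap. As written, whether that new assertion passes depends on escaping done elsewhere rather than on this function. The header comment should say what the class is and what it is for, e.g. `# C0 control characters other than \t, \n, \r (candidates for stripping before the '-->' rewrite)`. The pattern is a plain (non-raw) string, so Python resolves the `\x` escapes before `re` sees them — it works, but a raw string matches the convention used for `_comment_quote_re` just above.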