Ian Bicking avatar Ian Bicking committed 1cc2911 Merge

Automated merge with ssh://bitbucket.org/ianb/paste


Files changed (8)

   :class:`paste.urlparser.StaticURLParser` and
   :class:`paste.urlmap.URLMap`.  If you ask for a path with
   ``/--><script>...`` that will be inserted in the error page and can
-  execute Javascript.  Reported by Tim Wintle.
+  execute Javascript.  Reported by Tim Wintle with further details
+  from Georg-Christian Pranschke.
 
 * Replaced :func:`paste.util.mimeparse.desired_match`
 
     def _gen_request(self, method, url, params='', headers=None, extra_environ=None,
              status=None, upload_files=None, expect_errors=False):
         """
-        Do a generic request.  
+        Do a generic request.
         """
         if headers is None:
             headers = {}
                                  extra_environ=extra_environ,status=status,
                                  upload_files=None, expect_errors=expect_errors)
 
-    
+
 
 
     def _set_headers(self, headers, environ):
             tag='a', href_attr='href',
             href_extract=None,
             content=description,
-            id=linkid, 
+            id=linkid,
             href_pattern=href,
             html_pattern=anchor,
             index=index, verbose=verbose)
 
         Any extra keyword arguments are passed to the ``.get()`` or
         ``.post()`` method.
+
+        Returns a response object.
         """
         fields = self.submit_fields(name, index=index)
         return self.response.goto(self.action, method=self.method,
     """
     def __init__(self, form, tag, name, pos,
                  value='', id=None, **attrs):
-        #text fields default to empty string        
+        #text fields default to empty string
         Field.__init__(self, form, tag, name, pos,
                        value=value, id=id, **attrs)
-                        
+
 Field.classes['text'] = Text
 
 class Textarea(Text):
     """
     Field representing ``<input type="submit">`` and ``<button>``
     """
-    
+
     settable = False
 
     def value__get(self):
         if script_path is None:
             if sys.platform == 'win32':
                 script_path = environ.get('PATH', '').split(';')
-            else:       
+            else:
                 script_path = environ.get('PATH', '').split(':')
         self.script_path = script_path
         if cwd is None:

paste/httpexceptions.py

 
     def plain(self, environ):
         """ text/plain representation of the exception """
-        body = self.make_body(environ, strip_html(self.template), comment_quote)
+        body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote)
         return ('%s %s\r\n%s\r\n' % (self.code, self.title, body))
 
     def html(self, environ):
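Review bot: `plain()` now passes `no_quote` on the changed line, so whatever detail `make_body` interpolates (request-derived text, going by the XSS entry in the news file) lands in the body unescaped; that is only safe when the response really goes out as `text/plain` with `X-Content-Type-Options: nosniff`, since a content-sniffing browser would otherwise render a `<script>` carried in a 404 detail. The content type is set outside this hunk, so I can't confirm it here, and the reason deserves a comment on the call, e.g. `# no_quote: this body is served as text/plain and must never be rendered as HTML`. The enclosing exception class starts and ends outside the hunk.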

paste/httpserver.py

         if endslash and path != '/':
             # Put the slash back...
             path += '/'
-        (server_name, server_port) = self.server.server_address
+        (server_name, server_port) = self.server.server_address[:2]
 
         rfile = self.rfile
         if 'HTTP/1.1' == self.protocol_version and \
         threadpool.  See paste.httpserver.ThreadPool for specific
         options (``threadpool_workers`` is a specific option that can
         also go here).
-    
+
     ``request_queue_size``
 
         The 'backlog' argument to socket.listen(); specifies the
 
     if converters.asbool(start_loop):
         protocol = is_ssl and 'https' or 'http'
-        host, port = server.server_address
+        host, port = server.server_address[:2]
         if host == '0.0.0.0':
             print 'serving on 0.0.0.0:%s view at %s://127.0.0.1:%s' % \
                 (port, protocol, port)
 
         When threads are killed or the process restarted, this email
         address will be contacted (using an SMTP server on localhost).
-    
+
 """
 
 
     #serve(dump_environ, ssl_pem="test.pem")
     serve(dump_environ, server_version="Wombles/1.0",
           protocol_version="HTTP/1.1", port="8888")
-
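Review bot: The wildcard check right after the changed unpacking still tests only `'0.0.0.0'`; if the `[:2]` slice was added because `server_address` can now be an IPv6 4-tuple, a server bound to `'::'` falls through to the ordinary "serving on" line with an unbracketed host that cannot be pasted into a browser. Widening it to `if host in ('0.0.0.0', '::'):` and printing `[::1]` as the view-at address for the `'::'` case keeps the message useful for both families. The `serve()` function this sits in starts and ends outside the hunk, so I can't see whether the bind address is validated earlier.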
 
 """
 import cgi
-from Cookie import SimpleCookie
+from Cookie import SimpleCookie, CookieError
 from StringIO import StringIO
 import urlparse
 import urllib
         if check_header == header:
             return cookies
     cookies = SimpleCookie()
-    cookies.load(header)
+    try:
+        cookies.load(header)
+    except CookieError:
+        pass
     environ['paste.cookies'] = (cookies, header)
     return cookies
 
         if check_header == header:
             return cookies
     cookies = SimpleCookie()
-    cookies.load(header)
+    try:
+        cookies.load(header)
+    except CookieError:
+        pass
     result = {}
     for name in cookies:
         result[name] = cookies[name].value
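Review bot: `except CookieError: pass` in both hunks returns whatever `SimpleCookie.load` managed to parse before the offending token — as far as I can tell from the stdlib parser, cookies earlier in the header are kept and everything after the bad one is dropped, and `get_cookies` then caches that partial result in `environ['paste.cookies']`. That is a defensible best-effort choice, but it should be deliberate and visible, because a malformed cookie that an attacker can place earlier in the header (for instance from a parent domain) silently hides every cookie behind it, session cookie included. I'd state it on the except, `# Malformed cookie header: keep what parsed before the bad token, drop the rest`, or reset with `cookies = SimpleCookie()` there if all-or-nothing is the intended contract. The section's file header is not visible and both functions start outside their hunks.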

paste/util/quoting.py

     return s
 
 _comment_quote_re = re.compile(r'\-\s*\>')
+# Everything but \r, \n, \t:
+_bad_chars_re = re.compile('[\x00-\x08\x0b-\x0c\x0e-\x1f]')
 def comment_quote(s):
     """
     Quote that makes sure text can't escape a comment
     """
-    return _comment_quote_re.sub('-&gt', str(s))
+    comment = str(s)
+    #comment = _bad_chars_re.sub('', comment)
+    #print 'in ', repr(str(s))
+    #print 'out', repr(comment)
+    comment = _comment_quote_re.sub('-&gt;', comment)
+    return comment
 
 url_quote = urllib.quote
 url_unquote = urllib.unquote
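Review bot: `comment_quote` still lets an HTML-spec comment terminator through: the pattern on the `_comment_quote_re` line matches only `-`, optional whitespace, `>`, but `--!>` also closes a comment in HTML5 parsers, so a value containing `--!><script>` leaves the comment untouched. Widening it to `_comment_quote_re = re.compile(r'-[\s!]*>')` covers that case without changing any existing match. Separately, the new `_bad_chars_re` is dead code: its only use is the commented-out `comment = _bad_chars_re.sub('', comment)` sitting next to two commented-out debug prints, so control characters between `--` and `>` are not stripped either; either enable that line and delete the prints, or drop the regex so nobody assumes the protection exists. The module's other quoting helpers are outside the hunk.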

tests/test_request.py

     assert get_cookie_dict(env) == {}
     env['HTTP_COOKIE'] = '=foo'
     assert get_cookie_dict(env) == {}
+    env['HTTP_COOKIE'] = '?='
+    assert get_cookie_dict(env) == {}
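Review bot: The new case only checks that a header consisting solely of a malformed token yields `{}`; neither it nor the `'=foo'` case above pins what happens to valid cookies that share the header with a bad one, which is the behaviour the `except CookieError` in request.py actually decides. A case such as `env['HTTP_COOKIE'] = 'a=1; ?='` asserting the intended result (`{'a': '1'}` if the prefix parsed before the error is meant to survive, `{}` if not) would lock that contract in. The test function starts outside the hunk.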

tests/test_urlmap.py

     app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'})
     res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
     assert '--><script' not in res.body
+    res = app.get("/--%01><script>", status=404)
+    assert '--\x01><script>' not in res.body
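Review bot: The new assertion is weaker than it looks: `'--\x01><script>' not in res.body` passes as soon as `<script>` is HTML-escaped anywhere in the 404 page, whether or not the `\x01` between `--` and `>` was stripped or the `>` neutralized. If the intent is to check that a control character cannot smuggle a comment terminator past `comment_quote`, assert on the terminator itself, `assert '--\x01>' not in res.body`, assuming the path still lands inside an HTML comment as the news entry describes; since the control-character stripping in quoting.py is commented out in this commit, that stricter form would presumably fail, which is exactly what the test should reveal. A sibling case for `/--!><script>` would cover the other HTML5 comment terminator. The test function starts outside the hunk.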