Log message for revision 89727:
  Monkey patch for LP #257276
  
  This code is taken from the encodings module of Python 2.4.
  Note that this code is originally (C) CNRI and it is possibly not compatible
  with the ZPL and therefore should not live within svn.zope.org. However this
  checkin is blessed by Jim Fulton for now. The fix is no longer required with
  Python 2.5 and will hopefully be included in the Python 2.4.6 release.
  
  

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/Products/PythonScripts/__init__.py
  U   Zope/trunk/lib/python/Products/PythonScripts/tests/testPythonScript.py

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt  2008-08-12 13:41:53 UTC (rev 89726)
+++ Zope/trunk/doc/CHANGES.txt  2008-08-12 13:51:43 UTC (rev 89727)
@@ -204,6 +204,10 @@
 
     Bugs Fixed
 
+      - Launchpad #257276: fix for possible denial-of-service attack
+        in PythonScript when passing an arbitrary module to the encode()
+        or decode() of strings.
+
       - Launchpad #257269: 'raise SystemExit' with a PythonScript could 
shutdown
         a complete Zope instance
 

Modified: Zope/trunk/lib/python/Products/PythonScripts/__init__.py
===================================================================
--- Zope/trunk/lib/python/Products/PythonScripts/__init__.py    2008-08-12 
13:41:53 UTC (rev 89726)
+++ Zope/trunk/lib/python/Products/PythonScripts/__init__.py    2008-08-12 
13:51:43 UTC (rev 89727)
@@ -61,3 +61,100 @@
     if names:
         return 'The following Scripts were recompiled:\n' + '\n'.join(names)
     return 'No Scripts were found that required recompilation.'
+
+
+# Monkey patch for LP #257276
+
+# This code is taken from the encodings module of Python 2.4.
+# Note that this code is originally (C) CNRI and it is possibly not compatible
+# with the ZPL and therefore should not live within svn.zope.org. However this
+# checkin is blessed by Jim Fulton for now. The fix is no longer required with
+# Python 2.5 and hopefully fixed in Python 2.4.6 release.
+
+
+
+def search_function(encoding):
+
+    # Cache lookup
+    entry = _cache.get(encoding, _unknown)
+    if entry is not _unknown:
+        return entry
+
+    # Import the module:
+    #
+    # First try to find an alias for the normalized encoding
+    # name and lookup the module using the aliased name, then try to
+    # lookup the module using the standard import scheme, i.e. first
+    # try in the encodings package, then at top-level.
+    #
+    norm_encoding = normalize_encoding(encoding)
+    aliased_encoding = _aliases.get(norm_encoding) or \
+                       _aliases.get(norm_encoding.replace('.', '_'))
+    if aliased_encoding is not None:
+        modnames = [aliased_encoding,
+                    norm_encoding]
+    else:
+        modnames = [norm_encoding]
+    for modname in modnames:
+
+        if not modname or '.' in modname:
+            continue
+
+        try:
+            mod = __import__(modname,
+                             globals(), locals(), _import_tail)
+            if not mod.__name__.startswith('encodings.'):
+                continue
+
+        except ImportError:
+            pass
+        else:
+            break
+    else:
+        mod = None
+
+    try:
+        getregentry = mod.getregentry
+    except AttributeError:
+        # Not a codec module
+        mod = None
+
+    if mod is None:
+        # Cache misses
+        _cache[encoding] = None
+        return None
+
+    # Now ask the module for the registry entry
+    entry = tuple(getregentry())
+    if len(entry) != 4:
+        raise CodecRegistryError,\
+              'module "%s" (%s) failed to register' % \
+              (mod.__name__, mod.__file__)
+    for obj in entry:
+        if not callable(obj):
+            raise CodecRegistryError,\
+                  'incompatible codecs in module "%s" (%s)' % \
+                  (mod.__name__, mod.__file__)
+
+    # Cache the codec registry entry
+    _cache[encoding] = entry
+
+    # Register its aliases (without overwriting previously registered
+    # aliases)
+    try:
+        codecaliases = mod.getaliases()
+    except AttributeError:
+        pass
+    else:
+        for alias in codecaliases:
+            if not _aliases.has_key(alias):
+                _aliases[alias] = modname
+
+    # Return the registry entry
+    return entry
+
+
+# MONKEY
+
+import encodings
+encodings.search_function.func_code = search_function.func_code
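Review bot: The patch at the end of the hunk (`import encodings` followed by `encodings.search_function.func_code = search_function.func_code`) is applied unconditionally, although the header comment states the fix is no longer required with Python 2.5; guarding it with `if sys.version_info < (2, 5):` (adding `import sys` at the top of the file if it is not already imported) would avoid overwriting a newer interpreter's own search function with the 2.4-derived code. Because only the code object is swapped, the names `_cache`, `_unknown`, `_aliases`, `_import_tail`, `normalize_encoding` and `CodecRegistryError` resolve through the globals of the original `encodings.search_function`, not this module, so the local `search_function` defined here cannot be called directly — that is worth saying next to `# MONKEY`, e.g. `# Only the code object is replaced so the function object already registered with the codec registry picks up the fix; its globals (_cache, _aliases, ...) come from the encodings module.` The two checks that actually close LP #257276 are `if not modname or '.' in modname:` and `if not mod.__name__.startswith('encodings.'):`; a short comment at those lines naming the issue would help whoever later removes the patch keep them in mind.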

Modified: Zope/trunk/lib/python/Products/PythonScripts/tests/testPythonScript.py
===================================================================
--- Zope/trunk/lib/python/Products/PythonScripts/tests/testPythonScript.py      
2008-08-12 13:41:53 UTC (rev 89726)
+++ Zope/trunk/lib/python/Products/PythonScripts/tests/testPythonScript.py      
2008-08-12 13:51:43 UTC (rev 89727)
@@ -226,6 +226,9 @@
         ps = self._newPS("raise SystemExit")
         self.assertRaises(ValueError, ps)
 
+    def testEncodingTestDotTestAllLaunchpad257276(self):
+        ps = self._newPS("return 'foo'.encode('test.testall')")
+        self.assertRaises(LookupError, ps)
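Review bot: The new test only checks that a dotted module name is rejected; since the fix replaces the interpreter's codec search function for the whole process, a second script asserting that a legitimate codec still resolves, e.g. `ps = self._newPS("return 'foo'.encode('utf-8')")` with `self.assertEqual(ps(), 'foo')`, would catch a patch that breaks normal encode()/decode() calls. The test also presumably depends on Products.PythonScripts having been imported before it runs, which is worth noting in a comment on the method. The enclosing test class starts outside the hunk.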
 
 
 class TestPythonScriptErrors(PythonScriptTestBase):
