| author | Chris McDonough <chrism@plope.com> | 2011-07-16 16:47:59 -0400 |
|---|---|---|
| committer | Chris McDonough <chrism@plope.com> | 2011-07-16 16:47:59 -0400 |
| commit | 4b3ba9a09ba5491b6752315a9c68189f3a9d1780 (patch) | |
| tree | 6d050ad0d9b392d8889481c45babb8bcb0a441d5 | |
| parent | 8a8724de56c8dcce763fdb5630c77cb69a149572 (diff) | |
| download | pyramid-4b3ba9a09ba5491b6752315a9c68189f3a9d1780.tar.gz pyramid-4b3ba9a09ba5491b6752315a9c68189f3a9d1780.tar.bz2 pyramid-4b3ba9a09ba5491b6752315a9c68189f3a9d1780.zip | |
- Omit custom environ variables when rendering a custom exception template in
``pyramid.httpexceptions.WSGIHTTPException._set_default_attrs``;
stringifying these may trigger code that should not be executed; see
https://github.com/Pylons/pyramid/issues/239
Closes #239
| -rw-r--r-- | CHANGES.txt | 8 | ||||
| -rw-r--r-- | pyramid/httpexceptions.py | 5 | ||||
| -rw-r--r-- | pyramid/tests/test_httpexceptions.py | 11 |
3 files changed, 24 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index afbc12747..e8fce9c8d 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -7,6 +7,14 @@ Documentation
 - Added a section entitled "Writing a Script" to the "Command-Line Pyramid" chapter.
+Bug Fixes
+---------
+
+- Omit custom environ variables when rendering a custom exception template in
+ ``pyramid.httpexceptions.WSGIHTTPException._set_default_attrs``;
+ stringifying thse may trigger code that should not be executed; see
+ https://github.com/Pylons/pyramid/issues/239
+
 1.1b3 (2011-07-15)
 ==================
diff --git a/pyramid/httpexceptions.py b/pyramid/httpexceptions.py
index 44b854929..4d23db8d2 100644
--- a/pyramid/httpexceptions.py
+++ b/pyramid/httpexceptions.py
@@ -236,6 +236,11 @@ ${body}''')
 if WSGIHTTPException.body_template_obj is not body_tmpl:
 # Custom template; add headers to args
 for k, v in environ.items():
+ if (not k.startswith('wsgi.')) and ('.' in k):
+ # omit custom environ variables, stringifying them may
+ # trigger code that should not be executed here; see
+ # https://github.com/Pylons/pyramid/issues/239
+ continue
 args[k] = escape(v)
 for k, v in self.headers.items():
 args[k.lower()] = escape(v)
diff --git a/pyramid/tests/test_httpexceptions.py b/pyramid/tests/test_httpexceptions.py
index 203d442f7..7db071d03 100644
--- a/pyramid/tests/test_httpexceptions.py
+++ b/pyramid/tests/test_httpexceptions.py
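Review bot: The new guard in the `for k, v in environ.items()` loop only skips dotted keys outside the `wsgi.` namespace, so every `wsgi.*` entry — including server-supplied objects such as `wsgi.input` and `wsgi.errors` — is still handed to `escape(v)` and stringified, which is exactly the class of foreign `__str__` the hunk's own comment says should not run here. A tighter, allowlist-shaped check would be `if '.' in k:` with the one or two `wsgi.` scalars a template genuinely needs (e.g. `wsgi.url_scheme`) copied into `args` explicitly; if the broader exemption is intentional, the comment should name which `wsgi.` keys it exists for. Whether `escape` calls `str()` on non-string values is not visible in this hunk, so that part is inferred from the comment and the linked issue. The enclosing method begins before the hunk.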
@@ -232,6 +232,17 @@ class TestWSGIHTTPException(unittest.TestCase):
 body = list(exc(environ, start_response))[0]
 self.assertEqual(body, '200 OK\n\nGET')
+ def test_custom_body_template_with_custom_variable_doesnt_choke(self):
+ cls = self._getTargetSubclass()
+ exc = cls(body_template='${REQUEST_METHOD}')
+ environ = _makeEnviron()
+ class Choke(object):
+ def __str__(self): raise ValueError
+ environ['gardentheory.user'] = Choke()
+ start_response = DummyStartResponse()
+ body = list(exc(environ, start_response))[0]
+ self.assertEqual(body, '200 OK\n\nGET')
+
 def test_body_template_unicode(self):
 cls = self._getTargetSubclass()
 la = unicode('/La Pe\xc3\xb1a', 'utf-8')
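Review bot: `test_custom_body_template_with_custom_variable_doesnt_choke` pins only the custom-key path (`gardentheory.user`) and never exercises the retained `wsgi.` exemption, so a later edit to the guard's first clause — in either direction — would pass this test unnoticed. A second case placing `Choke()` under a `wsgi.`-prefixed key, asserting whichever outcome is intended for that namespace, would pin the boundary the fix actually draws. `def __str__(self): raise ValueError` on one line is legal but reads oddly next to the surrounding multi-line methods; splitting the body onto its own line matches the rest of the hunk.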
