Mercurial > p > roundup > code

annotate test/test_pythonexpr.py @ 8356:63390dcfcfe9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
bug: fix template use of structure with untrusted data Looks like an xSS bug with an early version of the template that was fixed in the code but never in the deployed tracker. It has been a while since this particular construct has been in the classic template which is the base for the tracker. This has been fixed on the deployed tracker as well. reported by 4bug of ChaMd5 Security Team H1 Group
author John Rouillard <rouilj@ieee.org>
date Tue, 08 Jul 2025 10:23:09 -0400
parents e70885fe72a4
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5676
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 """
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 In Python 3, sometimes TAL "python:" expressions that refer to
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 variables but not all variables are recognized. That is in Python 2.7
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4 all variables used in a TAL "python:" expression are recognized as
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
5 references. In Python 3.5 (perhaps earlier), some TAL "python:"
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
6 expressions refer to variables but the reference generates an error
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7 like this:
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 <class 'NameError'>: name 'some_tal_variable' is not defined
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
10
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 even when the variable is defined. Output after this message lists the
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12 variable and its value.
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
13 """
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15 import unittest
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
16
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17 from roundup.cgi.PageTemplates.PythonExpr import PythonExpr as PythonExprClass
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
18
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19 class ExprTest(unittest.TestCase):
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
20 def testExpr(self):
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
21 expr = '[x for x in context.assignedto ' \
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
22 'if x.realname not in user_realnames]'
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23 pe = PythonExprClass('test', expr, None)
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
24 # Looking at the expression, only context and user_realnames are
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
25 # external variables. The names assignedto and realname are members,
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
26 # and x is local.
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
27 required_names = ['context', 'user_realnames']
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
28 got_names = pe._f_varnames
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
29 for required_name in required_names:
e70885fe72a4 issue2551026: template variable not defined even though it is.
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30 self.assertIn(required_name, got_names)
Roundup Issue Tracker: http://roundup-tracker.org/