Mercurial > p > roundup > code
view test/test_pythonexpr.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | e70885fe72a4 |
| children |
line wrap: on
line source
""" In Python 3, sometimes TAL "python:" expressions that refer to variables but not all variables are recognized. That is in Python 2.7 all variables used in a TAL "python:" expression are recognized as references. In Python 3.5 (perhaps earlier), some TAL "python:" expressions refer to variables but the reference generates an error like this: <class 'NameError'>: name 'some_tal_variable' is not defined even when the variable is defined. Output after this message lists the variable and its value. """ import unittest from roundup.cgi.PageTemplates.PythonExpr import PythonExpr as PythonExprClass class ExprTest(unittest.TestCase): def testExpr(self): expr = '[x for x in context.assignedto ' \ 'if x.realname not in user_realnames]' pe = PythonExprClass('test', expr, None) # Looking at the expression, only context and user_realnames are # external variables. The names assignedto and realname are members, # and x is local. required_names = ['context', 'user_realnames'] got_names = pe._f_varnames for required_name in required_names: self.assertIn(required_name, got_names)