Ticket #8153 (closed Bug: fixed)

Opened 4 years ago

Last modified 4 years ago

Adding css with id "/blah.css" or "blah//.css" breaks portal_css

Reported by: hauki
Owned by: fschulze
Priority: minor
Milestone: 3.1.5
Component: Infrastructure
Keywords:
Cc:

Description

When a new css is added to portal_css, which starts with a "/" or has a "//" in it, portal_css/manage_workspace is broken.

Error output in event.log:

------
2008-05-23T13:30:40 ERROR Zope.SiteErrorLog https://XXXX/blow-up-test/portal_css/manage_cssForm
Traceback (innermost last):
  Module ZPublisher.Publish, line 119, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Shared.DC.Scripts.Bindings, line 313, in __call__
  Module Shared.DC.Scripts.Bindings, line 350, in _bindAndExec
  Module Products.PageTemplates.PageTemplateFile, line 129, in _exec
  Module Products.CacheSetup.patch_cmf, line 74, in PT_pt_render
  Module Products.CacheSetup.patch_utils, line 9, in call_pattern
  Module Products.PageTemplates.PageTemplate, line 89, in pt_render
  Module zope.pagetemplate.pagetemplate, line 117, in pt_render
  Module zope.tal.talinterpreter, line 271, in __call__
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 824, in do_loop_tal
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 536, in do_optTag_tal
  Module zope.tal.talinterpreter, line 521, in do_optTag
  Module zope.tal.talinterpreter, line 516, in no_tag
  Module zope.tal.talinterpreter, line 346, in interpret
  Module zope.tal.talinterpreter, line 586, in do_setLocal_tal
  Module zope.tales.tales, line 696, in evaluate
   - URL: manage_cssForm
   - Line 176, Column 6
   - Expression: <PythonExpr path('exists:portal/%s' % stylesheet.getId())>
   - Names:
      {'container': <CSSRegistryTool at /blow-up-test/portal_css>,
       'context': <CSSRegistryTool at /blow-up-test/portal_css>,
       'default': <object object at 0xb75e8528>,
       'here': <CSSRegistryTool at /blow-up-test/portal_css>,
       'loop': {'stylesheet': <Products.PageTemplates.Expressions.PathIterator object at 0xb028526c>},
       'nothing': None,
       'options': {'args': ()},
       'repeat': <Products.PageTemplates.Expressions.SafeMapping object at 0xb015c5ac>,
       'request': <HTTPRequest, URL=https://XXX/blow-up-test/portal_css/manage_cssForm>,
       'root': <Application at >,
       'template': <PageTemplateFile at /blow-up-test/portal_css/cssconfig>,
       'user': <PropertiedUser 'root'>}
  Module Products.PageTemplates.ZRPythonExpr, line 49, in __call__
   - __traceback_info__: path('exists:portal/%s' % stylesheet.getId())
  Module PythonExpr, line 1, in <expression>
  Module zope.tales.pythonexpr, line 77, in __call__
  Module Products.PageTemplates.Expressions, line 137, in __init__
  Module zope.tales.expressions, line 167, in __init__
  Module zope.tales.tales, line 598, in compile
  Module Products.PageTemplates.Expressions, line 137, in __init__
  Module zope.tales.expressions, line 170, in __init__
  Module zope.tales.expressions, line 56, in __init__
CompilerError: Path element may not be empty in 'portal//blah.css'

A possible fix would be to check that the entered id does not have "//" inside it or start with "/", and raise an exception if it does:

Products/ResourceRegistries/tools/CSSRegistry.py
@@ -198,6 +191,9 @@
                              enabled=False, cookable=True, compression='safe',
                              cacheable=True, REQUEST=None):
         """Register a stylesheet from a TTW request."""
+        if id[0] == "/" or "//" in id :
+            raise ValueError,'Invalid resource id %s' % (id)
+
         self.registerStylesheet(id, expression, media, rel, title,
                                 rendering, enabled, cookable, compression, cacheable)
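
Review bot: id[0] == "/" on the first added line raises IndexError when id is an empty string, so an empty id fails with a different exception than the ValueError the check is meant to produce; id.startswith("/") avoids that, and an explicit empty-id test could sit beside it. The condition also does not test for a trailing "/". The check is placed only in this TTW method, ahead of the call to self.registerStylesheet, so a caller that invokes registerStylesheet directly skips it; putting the validation inside registerStylesheet would cover both paths.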

Affects (at least) Plone 3.1.1 & 3.0.6

Change History

comment:1 Changed 4 years ago by hauki

  • Component changed from Unknown to Infrastructure

comment:2 Changed 4 years ago by hannosch

  • Owner changed from somebody to fschulze

comment:3 Changed 4 years ago by dunlapm

So, this bug is basically because exists: in TAL will explode horrifically if the path to the thing it is testing for isn't a "normal" path, as in, it doesn't end with a /, and doesn't have a double // anywhere in it. Any of the following will fail to allow the page to render:

  • blah.css/
  • /blah.css
  • blah.css

However, unit tests can't prove this bug because it's an error with the template for the registry in the ZMI, not with any of the Python code. I'm working on a zope.browser test to show it, but I'm new to writing tests.

comment:4 Changed 4 years ago by dunlapm

  • Status changed from new to closed
  • Resolution set to fixed

(In [21697]) Fixed error where non-traversable resources could be registered. This closes #8153.
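
The "non-traversable" condition discussed in this ticket, written out as an added example; it is not the code from changeset [21697]. The function names are hypothetical, and the check is a simplified model of the rule behind the "Path element may not be empty" CompilerError in the traceback.

```python
# Added example, not Plone/ResourceRegistries code. Names are hypothetical.
# Simplified model: a path is traversable here if no '/'-separated element
# is empty, which is the condition the CompilerError in the ticket reports.

def empty_elements(path):
    """Return the positions of empty elements in a '/'-separated path."""
    return [i for i, element in enumerate(path.split("/")) if not element]


def validate_resource_id(resource_id, prefix="portal"):
    """Raise ValueError unless 'prefix/resource_id' has no empty path element.

    The ZMI template evaluates 'exists:portal/%s' % stylesheet.getId(), so the
    id is checked in the form it takes once appended to that prefix.
    """
    if not isinstance(resource_id, str):
        raise ValueError("Invalid resource id %r: not a string" % (resource_id,))
    path = "%s/%s" % (prefix, resource_id)
    bad = empty_elements(path)
    if bad:
        raise ValueError(
            "Invalid resource id %r: empty path element at position(s) %s in %r"
            % (resource_id, bad, path)
        )
    return resource_id


def check_ids(ids):
    """Map each candidate id to True (accepted) or False (rejected)."""
    results = {}
    for candidate in ids:
        try:
            validate_resource_id(candidate)
            results[candidate] = True
        except ValueError:
            results[candidate] = False
    return results


# Constructed sample ids, based on the forms named in the ticket,
# plus the empty id and a nested id.
SAMPLE_IDS = ["blah.css", "/blah.css", "blah//.css", "blah.css/", "", "skin/blah.css"]

if __name__ == "__main__":
    for rid, ok in check_ids(SAMPLE_IDS).items():
        print("%-16r %s" % (rid, "accepted" if ok else "rejected"))
```

Running the check where the id is stored, rather than only in the form handler, keeps an id registered by any route from breaking the management page later.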
