[Erp5-report] r43237 kazuhiko - /erp5/trunk/products/ZSQLCatalog/ZSQLCatalog.py

nobody at svn.erp5.org nobody at svn.erp5.org
Wed Feb 9 16:02:28 CET 2011 

Author: kazuhiko
Date: Wed Feb  9 16:02:27 2011
New Revision: 43237

URL: http://svn.erp5.org?rev=43237&view=rev
Log:
Backport changes in http://plone.org/products/plone-hotfix/releases/CVE-2011-0720/ .

Modified:
    erp5/trunk/products/ZSQLCatalog/ZSQLCatalog.py

Modified: erp5/trunk/products/ZSQLCatalog/ZSQLCatalog.py
URL: http://svn.erp5.org/erp5/trunk/products/ZSQLCatalog/ZSQLCatalog.py?rev=43237&r1=43236&r2=43237&view=diff
==============================================================================
--- erp5/trunk/products/ZSQLCatalog/ZSQLCatalog.py [utf8] (original)
+++ erp5/trunk/products/ZSQLCatalog/ZSQLCatalog.py [utf8] Wed Feb  9 16:02:27 2011
@@ -964,14 +964,16 @@ class ZCatalog(Folder, Persistent, Impli
     return obj_list
 
   def getMetadataForUid(self, rid, sql_catalog_id=None):
-    """return the correct metadata for the cataloged uid"""
+    # !!! do not use docstring here (CVE-2011-0720).
+    # return the correct metadata for the cataloged uid
     catalog = self.getSQLCatalog(sql_catalog_id)
     if catalog is not None:
       return catalog.getMetadataForUid(int(rid))
     return {}
 
   def getIndexDataForUid(self, rid, sql_catalog_id=None):
-    """return the current index contents for the specific uid"""
+    # !!! do not use docstring here (CVE-2011-0720).
+    # return the current index contents for the specific uid
     catalog = self.getSQLCatalog(sql_catalog_id)
     if catalog is not None:
       return catalog.getIndexDataForUid(rid)
@@ -1218,12 +1220,11 @@ class ZCatalog(Folder, Persistent, Impli
       pass
 
   def resolve_path(self, path):
-    """
-    Attempt to resolve a url into an object in the Zope
-    namespace. The url may be absolute or a catalog path
-    style url. If no object is found, None is returned.
-    No exceptions are raised.
-    """
+    # !!! do not use docstring here (CVE-2011-0720).
+    # Attempt to resolve a url into an object in the Zope
+    # namespace. The url may be absolute or a catalog path
+    # style url. If no object is found, None is returned.
+    # No exceptions are raised.
     try: 
       return self.unrestrictedTraverse(path)
     except ConflictError:

More information about the Erp5-report mailing list