publisher fixes and docs fixes

Doc/modpython4.tex

@@ -893,6 +893,12 @@ \subsection{FieldStorage class\label{pyapi-util-fstor}}
 exist, such as for a \code{<select>} HTML form element.
 \end{itemize}
 
+Note that unlike the standard library \module{cgi} module
+\class{FieldStorage} class, a
+\class{Field} object is returned \emph{only} when it is a file
+upload. This means that you do not need to use the \member{.value}
+attribute to access values of fields in most cases.
+
 In addition to standard mapping object methods, \class{FieldStorage} objects
 have the following attributes:
 

Doc/modpython6.tex

@@ -53,12 +53,23 @@ \subsubsection{Traversal\label{hand-pub-alg-trav}}
 path, one element at a time from left to right, mapping the elements
 to Python object within the module.
 
-The traversal will stop and \constant{HTTP_FORBIDDEN} will be returned to
-the client if any of the traversed object's names begin with
-an underscore (\samp{\_}). Use underscores to protect objects that should
-not be accessible from the web. 
+The traversal will stop and \constant{HTTP_NOTFOUND} will be returned to
+the client if:
 
-If an oject in the path could not be found, \constant{HTTP_NOT_FOUND}
+\begin{itemize}
+
+\item
+Any of the traversed object's names begin with an underscore
+(\samp{\_}). Use underscores to protect objects that should not be
+accessible from the web.
+
+\item
+A module is encountered. Published objects cannot be modules for
+security reasons.
+
+\end{itemize}
+
+If an object in the path could not be found, \constant{HTTP_NOT_FOUND}
 is returned to the client.
 
 \subsubsection{Argument Matching and Invocation\label{hand-pub-alg-args}}
@@ -116,6 +127,18 @@ \subsubsection{Authentication\label{hand-pub-alg-auth}}
 \code{mod_auth} or with a mod_python \citetitle[dir-handlers-auh.html]
 {PythonAuthenHandler} handler.
 
+\subsection{Form Data}
+
+In the process of matching arguments, the Publisher handler creates an
+instance of \citetitle[pyapi-util-fstor.html]{FieldStorage}
+class. A reference to this instance is stored in an attribute \member{form}
+of the \class{Request} object.
+
+Since a \class{FieldStorage} can only be instantiated once per
+request, one must not attept to instantiate \class{FieldStorage} when
+using the Publisher handler and should use
+\class{Request.form} instead.
+
 \section{CGI Handler\label{hand-cgi}}
 
 \index{CGI}

NEWS

@@ -1,3 +1,7 @@
+Jan 18 2000 -	Documented req.form. Fixed a security problem with the
+		Publisher handler - it now does not allow modules to be
+		published, so a user can't access test.os.renames, etc.
+
 Dec 18 2000 -	2.7 had a typo in it + win32 wants types initialized
 		separately like I thought. Time for 2.7.1.
 

lib/python/mod_python/publisher.py

@@ -41,7 +41,7 @@
  # OF THE POSSIBILITY OF SUCH DAMAGE.
  # ====================================================================
  #
- # $Id: publisher.py,v 1.5 2000/12/14 19:19:58 gtrubetskoy Exp $
+ # $Id: publisher.py,v 1.6 2001/01/18 22:23:49 gtrubetskoy Exp $
 
 """
   This handler is conceputally similar to Zope's ZPublisher, except
@@ -90,7 +90,7 @@ def handler(req):
 
     # if any part of the path begins with "_", abort
     if func_path[0] == '_' or string.count(func_path, "._"):
-        raise apache.SERVER_RETURN, apache.HTTP_FORBIDDEN
+        raise apache.SERVER_RETURN, apache.HTTP_NOTFOUND
 
     # process input, if any
     fs = util.FieldStorage(req, keep_blank_values=1)
@@ -246,6 +246,11 @@ def resolve_object(req, obj, object_str, auth_realm=None):
 
     for obj_str in  string.split(object_str, '.'):
         obj = getattr(obj, obj_str)
+
+        # object cannot be a module
+        if type(obj) == type(apache):
+            raise apache.SERVER_RETURN, apache.HTTP_NOTFOUND
+
         auth_realm = process_auth(req, obj, auth_realm)
 
     return obj

src/include/mpversion.h

@@ -1,6 +1,6 @@
 #define MPV_MAJOR 2
 #define MPV_MINOR 7
-#define MPV_PATCH 1
+#define MPV_PATCH 2
 #define MPV_BUILD 0
 
-#define MPV_STRING "2.7.1"
+#define MPV_STRING "2.7.2"