Re: [Zope] Zope and security vulnerability: 20121106
We are running Zope 2.13.10. (So this may not be too helpful.) We are testing the hotfix. This is the output in our event log.

2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply membership_tool
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply queryCatalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply uid_catalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply renameObjectsByPaths
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply at_download
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied atat patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply random_string
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed

Without knowing how to specifically break things I can't say if it is good to be running this or not. I'm sure a new Zope2 release will include these updates?

-Chris

Christopher N. Deckard | Lead Web Systems Developer
c...@ecn.purdue.edu | Engineering Computer Network
http://eng.purdue.edu/ECN/ | Purdue University

zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)"\005w')

---

On Nov 13, 2012, at 4:30 AM, Jens Vagelpohl wrote:

>
> On Nov 13, 2012, at 10:16 , Jürgen Herrmann wrote:
>> I successfully applied these hotfixes to Zope 2.13 versions
>> without any problems. What puzzles me though is why was there
>> no announcement for these fixes here on zope ml? Or are these
>> fixes not critical for pure Zope2 users? Or are these all fixed
>> in the latest version of Zope2?
>
> There was no announcement here because those patches were prepared by Plone
> developers without our knowledge and announced without our knowledge. The
> Zope developers know as much about these patches (meaning little to nothing)
> as any other Zope user.
>
> jens
>
>
> ___
> Zope maillist - Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )
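The event log in the message above records which hotfix patches applied and which did not. The following is an added example, not part of the original post or of the hotfix itself: it summarizes the most recent startup from such a log. `last_hotfix_run`, `missing_required` and the operator-supplied `required` list are hypothetical; the sample is a subset of the log lines quoted above.

```python
import re

# Event-log layout seen in the message above: timestamp LEVEL logger message
LINE = re.compile(r"\S+ (?:INFO|WARNING|ERROR) (Products\.PloneHotfix\d+) (.+)$")
APPLIED = re.compile(r"Applied (\S+) patch$")
SKIPPED = re.compile(r"Could not apply (\S+)$")

# A subset of the log lines quoted in the message above.
SAMPLE = """\
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed
"""

def _new_run():
    return {"applied": [], "skipped": [], "installed": False}

def last_hotfix_run(log_text):
    """Return the patch status of the most recent startup found in log_text."""
    runs, run = [], _new_run()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # unrelated log line
        msg = m.group(2)
        if msg == "Hotfix installed":     # marks the end of one startup
            run["installed"] = True
            runs.append(run)
            run = _new_run()
        elif APPLIED.match(msg):
            run["applied"].append(APPLIED.match(msg).group(1))
        elif SKIPPED.match(msg):
            run["skipped"].append(SKIPPED.match(msg).group(1))
    if run["applied"] or run["skipped"]:  # startup that never logged completion
        runs.append(run)
    return runs[-1] if runs else _new_run()

def missing_required(run, required):
    """Patches the operator expects on this instance that did not apply."""
    return sorted(set(required) - set(run["applied"]))
```

A startup that logs patches but never reaches "Hotfix installed" is returned with `installed` set to False, so an aborted start is not mistaken for a patched instance.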
Re: [Zope] path of a fileupload instance
To my knowledge, for security reasons no modern browser submits the path anymore. If you need the path, you have to create your own file uploader or use a tool like uploadify (http://www.uploadify.com). I *think* javascript gets you access to the full path.

robert

On 11/14/2012 08:35 AM, Kees de Brabander wrote:
> I was using IE and filename is just the file name, no directory information. So I will have to take another approach. Does a FileUpload instance have any other attributes than filename and header?
>
> On Nov 13, 2012, at 6:11 PM, Andreas Jung wrote:
>> This is subject to browser. All browsers - except IE (afaik) - only submit the filename without directory information.
>>
>> -aj
>>
>> Kees de Brabander wrote:
>>> Correct, but the filename attribute contains just the filename, not the path of the directory where it was uploaded from?
>>>
>>> cb
>>>
>>> On Nov 13, 2012, at 11:04 AM, Andreas Jung wrote:
>>>> REQUEST.yourfile.filename. The FileUpload instance has a 'filename' attribute.
>>>>
>>>> -aj
>>>>
>>>> Kees de Brabander wrote:
>>>>> Hiya
>>>>>
>>>>> I have a form with a field for a FileUpload object, which works ok. However, in my application I want to capture the path of that file, because I want to open still other files that I know by name from that very same directory. Any idea how to do that? The REQUEST simply contains the FileUpload instance.
>>
>> --
>> ZOPYX Limited | Python | Zope | Plone | MongoDB
>> Hundskapfklinge 33 | Consulting & Development
>> D-72074 Tübingen | Electronic Publishing Solutions
>> www.zopyx.com | Scalable Web Solutions
>> --
>> Produce & Publish - www.produce-and-publish.com
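As the thread notes, whether the `filename` attribute carries directory information depends on the browser, so the server sees whatever the client chose to send. The following is an added example, not part of the thread or of Zope: it reduces such a value to a name that is safe to store under. `client_basename`, `client_sent_path` and `safe_store_name` are hypothetical helpers, and the allowed-character policy is an assumption.

```python
import ntpath
import re
import unicodedata

# Assumed storage policy: keep only these characters in the stored name.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")

def client_basename(raw):
    """Last path component of a client-supplied upload filename.

    ntpath treats both "\\" and "/" as separators and drops drive letters,
    so one call covers bare names, Windows paths and POSIX paths.
    """
    return ntpath.basename(raw.replace("\x00", ""))

def client_sent_path(raw):
    """True when the browser included directory information (worth logging)."""
    return client_basename(raw) != raw

def safe_store_name(raw, max_len=100):
    """Reduce the untrusted filename to a name that is safe to store under."""
    name = unicodedata.normalize("NFKC", client_basename(raw))
    name = _UNSAFE.sub("_", name).lstrip(".")   # no separators, no dotfiles
    if not name:
        raise ValueError("upload has no usable filename: %r" % (raw,))
    return name[:max_len]

# Constructed sample values of what REQUEST.yourfile.filename might hold.
SAMPLES = [
    "report.pdf",                            # bare name, as most browsers send
    "C:\\Users\\kees\\data\\report.pdf",     # full Windows path, as older IE sent
    "/home/kees/data/report.pdf",            # POSIX path
    "..\\..\\boot.ini",                      # traversal attempt, Windows style
    "my file (1).txt",                       # characters outside the policy
]

def summarize(samples=SAMPLES):
    """Map each raw value to (had_path, stored_name)."""
    return {raw: (client_sent_path(raw), safe_store_name(raw)) for raw in samples}
```

The directory the client reports describes the user's machine, not the server's, so it is useful at most as a logged hint and never as a path to open server-side.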