Re: [Zope] SECURITY alert and hotfix release

2000-12-09 Thread Andrew Kuchling

On Fri, Dec 08, 2000 at 05:40:13PM -0500, Shane Hathaway wrote:
> AFAICT 2.1.6 is not vulnerable.

Verifying this on our server, this turns out to be quite correct; Zope
2.1.6 does not demonstrate the problem repaired by the hotfix.

--amk

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Re: [Zope-Annce] SECURITY alert and hotfix release

2000-12-08 Thread Andrew Kuchling

On Fri, Dec 08, 2000 at 03:48:52PM -0500, Brian Lloyd wrote:
> The hotfix will work for all versions of Zope 2.2.0 and higher. A
> future version of Zope will contain the fix for this
> issue, and you will be able to uninstall the hot fix after upgrading.

A slight modification to the patch makes it work (meaning, "run
without raising an exception") on Zope 2.1.6; patch below.  Can
someone at DC confirm that this patched version fixes the problem for
2.1.x and doesn't break anything else?  (If you want to privately send
me an exploit, that would be quite helpful.)

--amk

--- __init__.py Fri Dec  8 15:25:48 2000
+++ /home/akuchlin/__init__.py  Fri Dec  8 17:09:05 2000
@@ -107,13 +107,14 @@
 # and make sure the roles are set correctly.
 
 import OFS
+from OFS import DTMLMethod, DTMLDocument
 from AccessControl.PermissionRole import PermissionRole
 OM = OFS.ObjectManager.ObjectManager
 
 legacy = (
-('manage_addDocument', OFS.DTMLMethod.addDTMLMethod),
-('manage_addDTMLMethod', OFS.DTMLMethod.addDTMLMethod),
-('manage_addDTMLDocument', OFS.DTMLDocument.addDTMLDocument),
+('manage_addDocument', DTMLMethod.addDTMLMethod),
+('manage_addDTMLMethod', DTMLMethod.addDTMLMethod),
+('manage_addDTMLDocument', DTMLDocument.addDTMLDocument),
 )
 
 permission = 'Add Documents, Images, and Files'
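Review bot: `OM = OFS.ObjectManager.ObjectManager` in the unchanged context still depends on the `OFS.ObjectManager` submodule being reachable as an attribute after a bare `import OFS`, which is the same access pattern this change removes for `DTMLMethod` and `DTMLDocument` in the `legacy` tuple. Consider importing it explicitly as well (`from OFS.ObjectManager import ObjectManager`) so the hotfix does not depend on import order. A short comment above the new import line saying the explicit imports are there for Zope 2.1.x would help too, since the accompanying message only claims the patched file runs without raising an exception on 2.1.6, not that the fix is confirmed effective there.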





[Zope] Why Not Zope? 'Cos I like to bitch! ;-)

2000-12-01 Thread Andrew Kuchling

On 1 Dec 2000, Brian Lloyd wrote:
> I think that this perception may be fostered by the fact
> that the current bug-tracking system (Collector) doesn't
> really let you see what has been done lately. Unless you
> happen to see the emails going out on resolution, you
> really aren't aware of the activity going on :(

Indeed, I wrote this mostly because of the Collector's interface.  I'm
quite careful to write "it's not apparent to a casual observer whether
DC is responsive or not," and do not claim anything about the accuracy
of that perception.  I've sent in a few patches through the Collector;
sometimes the response is quick, sometimes it isn't, either of which
can be a reasonable reaction depending on the seriousness of the bug.
But it's often not apparent what's going on, at least to an outsider.

The SourceForge bug tracking tools make it more apparent what's
happening with a bug (or not happening); so does Bugzilla, but
Bugzilla seems endlessly overcomplicated in other ways.

--amk






[Zope-dev] setup.py scripts

2000-06-26 Thread Andrew Kuchling

Has anyone at DC looked at the setup.py scripts I posted a while back?
Any questions?  Any opinions?  Anyone care for a mint?

--amk
