Re: [Zope-dev] Stripogram or similar in core

2001-10-29 Thread Martijn Faassen

Andy wrote:
> > You seem to be aware of the fact, but I'd like to point it out
> > explicitly: from a security point of view, this is completely useless.
> > As HTML stripping is often done for security reasons, I fail to see the
> > interest in such a feature.
> 
> That depends where you do the checking, yes html validation in just a form
> is not as secure as checking at the application level. What I am suggesting
> is adding the HTML validation framework into the core of Zope so people can
> add checking to any level of their application as they wish. Making a
> standard interface to this gives the developer a chance to put the checking
> in at the level they choose.

If it's easy to get to I could also use it from Formulator, which,
though I don't guarantee perfect security, at least has a design which
makes it far less easy to fool than the Zope marshalling :foo 
thing (which you can fool just by writing your own HTML form).
All you'd need is add a HTMLField to the system which has the
right knobs to set what you exactly want to allow in entered HTML -- 
that's also a far better user interface than thinking up yet another
marshalling :html:foo:bar strategy..

Anyway, just a module that I can import from Python that exposes the
functionality would already be worth a lot having in the core; I'm
loath to introduce dependencies on non-core stuff in Formulator, as it's
aiming to be a very fundamental product that just should work out of the
box. The only non-core dependency right now is on TALES, but it still
works without it; you can also use Core Session Tracking in a simple
way. Once Zope 2.5 is out I plan to start depending on sessions and TALES
a lot more though, as they have those in the core.

Regards,

Martijn


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
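
An added example, not part of the original post and not Formulator or Stripogram code: a sketch of the kind of field discussed above, where the allowed tags and attributes are set in the server-side form definition and applied to whatever arrives. The HTMLField class, FORM and process() are hypothetical names, and the sample request is constructed.

```python
from html import escape
from html.parser import HTMLParser
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_WITH_CONTENT = {"script", "style"}  # remove the element and its text

def url_is_safe(value):
    # Browsers ignore whitespace/control characters inside a scheme name.
    cleaned = "".join(ch for ch in (value or "") if ch > " ").lower()
    scheme, sep, _ = cleaned.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # relative reference, no scheme present
    return scheme in SAFE_SCHEMES

class _Filter(HTMLParser):
    def __init__(self, tags, attrs):
        super().__init__(convert_charrefs=True)
        self.tags, self.attrs = tags, attrs
        self.out, self.dropping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropping += 1
        elif not self.dropping and tag in self.tags:
            kept = "".join(
                ' %s="%s"' % (n, escape(v or "", quote=True))
                for n, v in attrs
                if n in self.attrs.get(tag, ())
                and (n not in URL_ATTRS or url_is_safe(v)))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in self.tags:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # text is never markup

class HTMLField:
    """Hypothetical field: the allowlist lives in the server-side definition."""
    def __init__(self, allowed_tags, allowed_attrs=None):
        self.tags = frozenset(allowed_tags)
        self.attrs = allowed_attrs or {}

    def validate(self, raw):
        f = _Filter(self.tags, self.attrs)
        f.feed(raw)
        f.close()
        return "".join(f.out)

# Constructed form definition; field names and policy are fixed on the server.
FORM = {"comment": HTMLField({"p", "b", "i", "a"}, {"a": ("href",)})}

def process(request):
    # Only server-defined fields are read; the request cannot pick a policy.
    return {name: f.validate(request.get(name, "")) for name, f in FORM.items()}
```

Because process() iterates over the server's field definitions rather than over the submitted keys, extra or renamed fields in a hand-written form are simply never read.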



Re: [Zope-dev] Stripogram or similar in core

2001-10-29 Thread Ivan Raikov


   So, in this validation framework, do you envision having a
parameter-validating routine being invoked whenever a publicly-exposed
method is called by DTML methods, or did you want to focus on mere
HTML form validation/stripping?

  I'm asking because I've had situations when I've needed the
ability to restrict access to methods based on the values of their
parameters -- that's a little more fine-grained than the current
security machinery allows. I've always thought that it might be nice
to provide a hook for each method in a Zope class (similar to
declarative security statements), and to use this hook to validate the
parameters, according to the needs of the user.

  For string parameters, perhaps we can also have the ability to
specify a "filter" -- something like a search and replace statement,
with Sed-like syntax.

"Andy" <[EMAIL PROTECTED]> wrote:
> That depends where you do the checking, yes html validation in just a form
> is not as secure as checking at the application level. What I am suggesting
> is adding the HTML validation framework into the core of Zope so people can
> add checking to any level of their application as they wish. Making a
> standard interface to this gives the developer a chance to put the checking
> in at the level they choose.




[Zope-dev] DateTime: ISO date range limited

2001-10-29 Thread Jens Quade

Hi,

I'd expect the following shouldn't raise an exception:

[current Zope CVS]

>>> x=DateTime(1000,1,1)
>>> y=DateTime(x.HTML4())
Traceback (most recent call last):
  File "", line 1, in ?
  File "/home/jens/work/NGServer/dcCVS/Zope/lib/python/DateTime/DateTime.py", line 716, in __init__
    yr,mo,dy,hr,mn,sc,tz=self._parse_iso8601(arg)
  File "/home/jens/work/NGServer/dcCVS/Zope/lib/python/DateTime/DateTime.py", line 1624, in _parse_iso8601
    return self.__parse_iso8601(s)
  File "/home/jens/work/NGServer/dcCVS/Zope/lib/python/DateTime/DateTime.py", line 1661, in __parse_iso8601
    ts = mktime((year,month,day,hour,minute,seconds,0,0,0))
ValueError: year out of range
>>> 

The variable 'ts' calculated using 'mktime' is *not* used in the
result of '__parse_iso8601', so I wonder why the call exists.

jens






[Zope-dev] ParsedXML in Zclass methods loses permissions on Zope restart

2001-10-29 Thread Brad Clements

I'm still casting around for a suggestion on where I can go to fix this.

I have a ParsedXML object in the methods list of a ZClass Product.

The "Access Contents Information" Permission Mapping always gets reset to "blank" in 
the ParsedXML object when Zope restarts.

Is this a problem with ZClasses, or with ParsedXML? 

I put this in the collector 3 or 4 months ago, and have asked a few times on different 
lists.. Got no responses. I now must fix it, can't put it off any longer.

Any suggestions where to look in the source for where Permission mappings are 
stored? Perhaps ZClasses stores the permission mappings, but ParsedXML overrides 
the restored value somehow?

Zope 2.3.3 (binary release, python 1.5.2, linux2-x86) 
(Using last released beta parsed XML)

Brad Clements,[EMAIL PROTECTED]   (315)268-1000
http://www.murkworks.com  (315)268-9812 Fax
netmeeting: ils://ils.murkworks.com   AOL-IM: BKClements





Re: [Zope-dev] DateTime: ISO date range limited

2001-10-29 Thread Jens Quade

"Andreas Jung" <[EMAIL PROTECTED]> writes:

> This is a limitation of time.mktime() in Python but not of Zope.
> The ValueError seems not to be documented in the Python docs.

Yes, but it's the only call to 'mktime' in 'DateTime.py' and it seems that
calling it is unnecessary.

jens







Re: [Zope-dev] validate() trouble in Zope-2.5.0a1

2001-10-29 Thread Matthew T. Kromer

Jens Vagelpohl wrote:

> steve,
>
> unfortunately 2.5.0a1 had some serious issues alpha2 should come 
> out really soon and fix them. in a nutshell, alpha1 is unusable. you 
> can stop playing ;)
>
> jens
>
>
> On Sunday, October 28, 2001, at 04:20 , Steve Spicklemire wrote:
>
>> [...]
>> )
>> -> if validate(container=self, value=o):
>> (Pdb) n
>> [...]
>

Yup, this was my bad -- that line should be changed to read

if validate(None, self, None, o, None):

since the C machinery isn't taking keyword arguments.  It's in the 
2.5.0a2 announcement.  In some regards, it baffles me that it worked in 
the first place, because the first 4 or 5 arguments to validate are NOT 
optional, and have no default.  I suspect that someone along the way was 
plugging in None for those options that weren't specified.  But I'm 
ignorant on the exact details of Python argument marshalling...  The 
particular code in SecurityManager.py has a validate() method which does 
supply None as defaults, but then passes them as positional parameters 
to the underlying implementation.  So, I think the DTML security manager 
is accelerating this by skipping what basically is an empty wrapper 
stage (promoting the policy's validate() method into the object), and 
that's what is tripping the bug.

Alternatively, setting the environment variable ZOPE_SECURITY_POLICY 
to PYTHON will disable the C version of the security policy.
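
An added illustration of the mechanism described above, not Zope code and not part of the original message: a wrapper that fills in None defaults and forwards positionally accepts keyword callers, while the same policy function promoted directly onto the manager rejects them. policy_validate, Folder and both manager classes are stand-ins, and the access rule is a toy assumption.

```python
class Folder:
    """Constructed container: `public` holds the objects anyone may access."""
    def __init__(self, public):
        self.public = set(public)

def policy_validate(accessed, container, name, value, context, /):
    """Stand-in for the C policy entry point: five required positional
    arguments, no defaults, no keyword support."""
    return container is not None and value in container.public

class SecurityManager:
    def validate(self, accessed=None, container=None, name=None, value=None,
                 context=None):
        # The wrapper supplies None defaults, then passes everything on
        # positionally, which is why keyword callers worked through it.
        return policy_validate(accessed, container, name, value, context)

class AcceleratedSecurityManager:
    """Skips the wrapper by promoting the policy function onto the object."""
    validate = staticmethod(policy_validate)

def call_with_keywords(manager, container, obj):
    # The alpha1 call shape: validate(container=self, value=o)
    try:
        return manager.validate(container=container, value=obj)
    except TypeError:
        return "TypeError"

def call_positionally(manager, container, obj):
    # The corrected call shape: validate(None, self, None, o, None)
    return manager.validate(None, container, None, obj, None)
```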






[Zope-dev] CollectorReplacment online

2001-10-29 Thread Ken Manheimer

We finally have a new version of the Zope bug collector in place, at:

  http://new.zope.org/Collector

Note that it's *new*.zope.org not the main www.zope.org site.  This is
because the new collector is built on the CMF, which is part of what will
be the new site (once it's commissioned).

I realize this has taken longer to land than any of us would like - we're
eager to resume collecting and addressing the important bugs, and i know some
of you have important ones you're yearning to submit.  In the interest of
reducing further delays, we're jamming this new collector into production
- we've done what we could to shake out the major bugs (many thanks
particularly to magnus heino for patiently continuing to give it a
whirl!), but i expect there are more to fall out as it gets really used.
Please bear with us - and submit your Zope bugs!

(There's a separate collector for collector-specific issues:

  http://new.zope.org/Members/klm/ColDev

Submit collector bugs and suggestions there.  If the collector is so
whacked you can't even submit your issue, email the description directly
to me.  We'll try to deal with it promptly!

The collector is an installed product on new.zope.org - anyone with an
account there can create an instance of their own to play with, in their
member folder, and the product is checked into the Zope public CVS
repository (cvs.zope.org) as CMF/CMFCollector.)

Happy reporting!-)

-- 
Ken Manheimer
[EMAIL PROTECTED]





[Zope-dev] fsrecover error

2001-10-29 Thread Scott Burton

I have a corrupted Data.fs and I am attempting to use fsrecover.py to fix 
it. Here is the error I am getting on the startup:
2001-10-29T18:57:18 PANIC(300) ZODB FS FS21 ERROR: /home/zopesite/Zope-2.3.0-src/var/Data.fs data record exceeds transaction record at 246204937L

--
2001-10-29T18:57:18 PANIC(300) z2 Startup exception
Traceback (innermost last):
  File /home/zopesite/Zope-2.3.0-src/z2.py, line 566, in ?
  File , line 1, in ?
  File /home/zopesite/Zope-2.3.0-src/lib/python/Zope/__init__.py, line 110, in ?
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 308, in __init__
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 1669, in read_index
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 219, in panic
CorruptedTransactionError: /home/zopesite/Zope-2.3.0-src/var/Data.fs data record exceeds transaction record at 246204937L

Here is the error I get when running fsrecover:
Traceback (innermost last):
  File "lib/python/ZODB/fsrecover.py", line 92, in ?
    import FileStorage
  File "/home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py", line 193, in ?
    from TimeStamp import TimeStamp
ImportError: No module named ExtensionClass

I have searched the lists and have not found a solution. Any ideas?




Re: [Zope-dev] fsrecover error

2001-10-29 Thread Jens Vagelpohl

from where are you running it? i believe you must change into 
/lib/python and run it from that location so that all the imports 
can be found.

jens


On Monday, October 29, 2001, at 03:20 , Scott Burton wrote:

> I have a corrupted Data.fs and I am attempting to use fsrecover.py to fix 
> it. Here is the error I am getting on the startup:
> 2001-10-29T18:57:18 PANIC(300) ZODB FS FS21 ERROR: /home/zopesite/Zope-2.
> 3.0-src/var/Data.fs data record exceeds transaction record at 246204937L
>
> --
> 2001-10-29T18:57:18 PANIC(300) z2 Startup exception
> Traceback (innermost last):
>  File /home/zopesite/Zope-2.3.0-src/z2.py, line 566, in ?
>  File , line 1, in ?
>  File /home/zopesite/Zope-2.3.0-src/lib/python/Zope/__init__.py, line 110,
>  in ?
>  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 
> 308, in __init__
>(Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
>  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 
> 1669, in read_index
>  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 
> 219, in panic
> CorruptedTransactionError: /home/zopesite/Zope-2.3.0-src/var/Data.fs data 
> record exceeds transaction record at 246204937L
>
> Here is the error I get when running fsrecover:
> Traceback (innermost last):
>  File "lib/python/ZODB/fsrecover.py", line 92, in ?
>import FileStorage
>  File "/home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py", 
> line 193, in ?
>from TimeStamp import TimeStamp
> ImportError: No module named ExtensionClass
>
> I have searched the lists and have not found a solution. Any ideas?
>





Re: [Zope-dev] fsrecover error

2001-10-29 Thread Scott Burton

Thanks, that worked. I got the message: Nothing to recover...

So, I used Tranalyzer and followed the instructions from here: 
http://www.zope.org/Members/itamar/CorruptedZODB

Now I get an entirely different error:

2001-10-29T20:49:25 ERROR(200) ZODB Couldn't load state for '\000\000\000\000\000\000\000\002'
Traceback (innermost last):
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/Connection.py, line 508, in setstate
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 593, in load
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 569, in _load
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
KeyError:


--
2001-10-29T20:49:25 PANIC(300) z2 Startup exception
--
2001-10-29T20:49:25 ERROR(200) ZODB Couldn't load state for '\000\000\000\000\000\000\000\002'
Traceback (innermost last):
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/Connection.py, line 508, in setstate
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 593, in load
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 569, in _load
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
KeyError:


Traceback (innermost last):
  File /home/zopesite/Zope-2.3.0-src/z2.py, line 566, in ?
  File , line 1, in ?
  File /home/zopesite/Zope-2.3.0-src/lib/python/Zope/__init__.py, line 144, in ?
  File /home/zopesite/Zope-2.3.0-src/lib/python/OFS/Application.py, line 384, in initialize
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/Connection.py, line 508, in setstate
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 593, in load
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line 569, in _load
    (Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
KeyError:

>From: Jens Vagelpohl <[EMAIL PROTECTED]>
>To: "Scott Burton" <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: [Zope-dev] fsrecover error
>Date: Mon, 29 Oct 2001 15:36:18 -0500
>
>from where are you running it? i believe you must change into
>/lib/python and run it from that location so that all the imports
>can be found.
>
>jens
>
>
>On Monday, October 29, 2001, at 03:20 , Scott Burton wrote:
>
>>I have a corrupted Data.fs and I am attempting to use fsrecover.py to fix
>>it. Here is the error I am getting on the startup:
>>2001-10-29T18:57:18 PANIC(300) ZODB FS FS21 ERROR: /home/zopesite/Zope-2.
>>3.0-src/var/Data.fs data record exceeds transaction record at 246204937L
>>
>>--
>>2001-10-29T18:57:18 PANIC(300) z2 Startup exception
>>Traceback (innermost last):
>>  File /home/zopesite/Zope-2.3.0-src/z2.py, line 566, in ?
>>  File , line 1, in ?
>>  File /home/zopesite/Zope-2.3.0-src/lib/python/Zope/__init__.py, line 
>>110,
>>  in ?
>>  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line
>>308, in __init__
>>(Object: /home/zopesite/Zope-2.3.0-src/var/Data.fs)
>>  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line
>>1669, in read_index
>>  File /home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py, line
>>219, in panic
>>CorruptedTransactionError: /home/zopesite/Zope-2.3.0-src/var/Data.fs data
>>record exceeds transaction record at 246204937L
>>
>>Here is the error I get when running fsrecover:
>>Traceback (innermost last):
>>  File "lib/python/ZODB/fsrecover.py", line 92, in ?
>>import FileStorage
>>  File "/home/zopesite/Zope-2.3.0-src/lib/python/ZODB/FileStorage.py",
>>line 193, in ?
>>from TimeStamp import TimeStamp
>>ImportError: No module named ExtensionClass
>>
>>I have searched the lists and have not found a solution. Any ideas?
>>



[Zope-dev] Suggestion: Blocking out Localroles?

2001-10-29 Thread Lennart Regebro

I was going to put this up as a proposal, but I can't figure out how to add
a new proposal... :-) Then I checked out the new collector, and there is a
possibility to add a "feature" there too, so maybe this fits better there?

Anyway, here's the suggestion:

When developing a CM system in Zope a customer asked for a possibility to
"block out" a person's local role lower down in the hierarchy. That way a
person that has manager rights on a country-level could have these rights
removed on a regional level.

So, we implemented this as a HotFix, that seems to work fine. It also has a
user interface for local roles that is somewhat easier (in my opinion) to
use.

So what do you think? Is this stupid or good? Is it a "feature" or a
"proposal"?

I attached the files, you can put the __init__.py in any directory under
Products, and the dtml-files in a directory 'dtml' under that if you want to
try it out. I think it should work with a clean Zope installation (although
we haven't tested that for a couple of weeks).

 __init__.py
 listLocalRoles.dtml
 editLocalRoles.dtml
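
An added sketch of the rule described above, not the attached HotFix and not Zope's local-role machinery: effective roles are collected from an object up to the root, and a block set on a folder stops the named role from being inherited from anything above it. The Node class, its attributes and the sample hierarchy are assumptions made for the example; a role granted on the blocking folder itself or below it is assumed to still apply.

```python
class Node:
    """Constructed stand-in for a folder in the containment hierarchy."""
    def __init__(self, name, parent=None, local_roles=None, blocked=None):
        self.name = name
        self.parent = parent
        self.local_roles = local_roles or {}   # user -> roles granted here
        self.blocked = blocked or {}           # user -> roles blocked from above

def effective_roles(node, user):
    """Walk from `node` to the root, honouring blocks met on the way up."""
    roles, blocked = set(), set()
    while node is not None:
        # Grants on this node are filtered only by blocks found *below* it.
        roles |= set(node.local_roles.get(user, ())) - blocked
        # A block here hides the role on every ancestor still to be visited.
        blocked |= set(node.blocked.get(user, ()))
        node = node.parent
    return roles

# Constructed hierarchy: country -> region -> office
country = Node("country", local_roles={"alice": ["Manager"], "bob": ["Manager"]})
region = Node("region", parent=country, blocked={"alice": ["Manager"]})
office = Node("office", parent=region, local_roles={"alice": ["Editor"]})
```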