[Zope-dev] information disclosure vulnerability
Hi,

Probably the HelpSys object shouldn't be available by default to non-authenticated users, because it gives too much information on the currently installed products.

Access any Zope site this way: http://your.zope.site/HelpSys and you'll learn what products are available on the server.

This can't lead to a direct compromise, but this gives way too much information to anonymous users IMHO.

Tested today on several low and very high profile sites.

bye,

Jerome Alet

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: information disclosure vulnerability
Jerome Alet wrote:

> probably the HelpSys object shouldn't be available by default to
> non-authenticated users, because it gives too much information on the
> currently installed products.
>
> access any Zope site this way : http://your.zope.site/HelpSys and you'll
> learn what products are available on the server.

Another way to gather this data would be:

http://YourServer/Control_Panel/Products/ExternalEditor

gives Anonymous the ZopeStartPage if ExternalEditor is installed and a SiteError if not.

-mj
Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.
Hi.

> > I made a monkey patch for myself: when management_page_charset is not
> > "UTF-8", this patch removes ":utf8:" from non-unicode type input fields,
> > because if input values are not latin-1, then a unicode error is raised.
> >
> > I think that every encoding can be used satisfactorily :-)
> >
> > Please consider whether it can be merged into Zope 2.6.1.
>
> There are some details missing from your explanation, but hopefully not from
> your patch. Where do I find it?

What concretely are the "some details"?

I'm very interested in Zope development, especially i18n.
So I would like to contribute something about it :-)

Thank you.

--
Yusei Tahara "So it goes" [EMAIL PROTECTED]
Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.
On Tuesday 03 December 2002 1:16 pm, Yusei TAHARA wrote:
> Hi.
>
> > > I made a monkey patch for myself: when management_page_charset is not
> > > "UTF-8", this patch removes ":utf8:" from non-unicode type input fields,
> > > because if input values are not latin-1, then a unicode error is raised.
> > >
> > > I think that every encoding can be used satisfactorily :-)
> > >
> > > Please consider whether it can be merged into Zope 2.6.1.
> >
> > There are some details missing from your explanation, but hopefully not
> > from your patch. Where do I find it?
>
> What concretely are the "some details"?

The fix to this situation is more complicated than removing a ":utf8:" from somewhere that it shouldn't be. I'm sure you know this.

> I'm very interested in Zope development, especially i18n.
> So I would like to contribute something about it :-)

The patch you mentioned?
Re: [Zope-dev] wrapping unexistent objects
> "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:

Casey> If you want an object to be able to handle calls to
Casey> undefined methods, you'll probably need to use a
Casey> __getattr__ hook. They can be a little tricky to get right
Casey> (you want to filter out names that start with "_" or "aq"
Casey> or else you'll be in trouble), and they don't have access
Casey> to acquisition, but they will allow you to intercept calls
Casey> to arbitrary names on an object.

Have you some examples or docs about this? I'm trying to use it but my product fell into an unfinished loop. Any suggestion?

Casey> -Casey

TIA,
baux
Re: [Zope-dev] wrapping unexistent objects
It's easy to create an infinite loop. To avoid these, do attribute lookups from the instance __dict__ rather than directly from self:

IOW, don't do:

  foo = self.foo

or

  getattr(self, 'foo')

(This can trigger another __getattr__ call)

Instead do:

  foo = self.__dict__['foo']

(This won't cause another getattr call)

As for examples, there is a complex one in the CMF Skinnable module and a simpler one in the Document module of my DocumentLibrary product.

-Casey

On Tuesday 03 December 2002 10:58 am, Maurizio Boriani wrote:
> > "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:
>
> Casey> If you want an object to be able to handle calls to
> Casey> undefined methods, you'll probably need to use a
> Casey> __getattr__ hook. They can be a little tricky to get right
> Casey> (you want to filter out names that start with "_" or "aq"
> Casey> or else you'll be in trouble), and they don't have access
> Casey> to acquisition, but they will allow you to intercept calls
> Casey> to arbitrary names on an object.
>
> Have you some examples or docs about this? I'm trying to use it but my product
> fell into an unfinished loop. Any suggestion?
>
> Casey> -Casey
>
> TIA,
> baux
Re: [Zope-dev] Re: information disclosure vulnerability
> http://YourServer/Control_Panel/Products/ExternalEditor
>
> gives Anonymous the ZopeStartPage if ExternalEditor is installed and a
> SiteError if not.

I believe this particular item can be worked around to a degree. In the index_html in the root folder I simply put:

index_html

This helps hide the fact that certain objects are present, but it doesn't protect from the HelpSys or other kinds of acquisition treachery. Of course I can get away with this because I didn't need my root index_html for content... if you have your site set up differently you may have to wrap that with some URI checks first.

--
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
[Zope-dev] Permissions Mapping Screen
Is there any reason that the acquired permission mapping cannot be displayed next to the check boxes on the Permission mapping screen?

For example, if I have "Access User Information" checked in the root of a site for Anonymous and I view the Security tab for a folder one level down, I would like to see a check symbol to the right of the Anonymous/Access User Information check box.

This seems like it would be very very useful.

-Brian
Re: [Zope-dev] wrapping unexistent objects
> "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:

Casey> It's easy to create an infinite loop. To avoid these, do
Casey> attribute lookups from the instance __dict__ rather than
Casey> directly from self:

Casey> IOW, don't do:

Casey> foo = self.foo

Casey> or getattr(self, 'foo')

Casey> (This can trigger another __getattr__ call)

Casey> Instead do:

Casey> foo = self.__dict__['foo']

In my case foo is a method, not a property.

Casey> (This won't cause another getattr call)

Casey> As for examples, there is a complex one in the CMF
Casey> Skinnable module and a simpler one in the Document module
Casey> of my DocumentLibrary product.

I tried this too but Zope returns an error ('Type Error, unsubscriptable object').

Exactly, this is my case:

I've a class called, for example, pippo. This contains another class called pluto.

So what I'd like to do is:

The expr or method ciccio doesn't exist in pluto but I'd like to pass to a defined method the expr and its parameters.

A big thanks again for your help.

bye,
baux
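An added example (not code from the thread or from any Zope product) that puts Casey's two rules, filter out "_" and "aq" names and never look the handler up through self, into a plain-Python __getattr__ hook and applies it to the pippo/pluto/ciccio case from the message above. The names `dispatch`, `calls`, `demo` and `survives_copy_and_pickle` are assumptions of this example; Zope's ExtensionClass is not involved.

```python
import copy
import pickle


class Pluto:
    """Answers calls to methods it does not define by forwarding them."""

    def __init__(self):
        self.calls = []  # (name, args, kwargs) seen by dispatch; assumed name

    def dispatch(self, name, *args, **kwargs):
        # The one "defined method" that receives the missing name and its
        # parameters, as asked for in the message above.
        self.calls.append((name, args, kwargs))
        return "pluto.%s(%s)" % (name, ", ".join(repr(a) for a in args))

    def __getattr__(self, name):
        # Reached only when normal lookup fails. Refuse private/special
        # names and Zope acquisition names ("aq_*"): copy and pickle probe
        # __setstate__ etc. on an instance whose __dict__ is still empty,
        # and answering those probes (or touching self.calls from here)
        # is exactly how the loop described in the thread starts.
        if name.startswith("_") or name.startswith("aq"):
            raise AttributeError(name)
        # Casey's rule: fetch the handler from a __dict__, never via
        # getattr(self, ...), so a missing handler cannot re-enter this hook.
        handler = type(self).__dict__.get("dispatch")
        if handler is None:
            raise AttributeError(name)

        def forward(*args, **kwargs):
            return handler(self, name, *args, **kwargs)
        return forward


def demo():
    # pluto would live inside baux's pippo object; ciccio is defined nowhere.
    pluto = Pluto()
    result = pluto.ciccio(1, 2, flag=True)
    return result, pluto.calls


def survives_copy_and_pickle():
    # copy/pickle rebuild instances without running __init__; the "_"
    # filter keeps their __reduce__/__setstate__ probes out of __getattr__.
    p = Pluto()
    p.ciccio(3)
    clone = copy.deepcopy(p)
    again = pickle.loads(pickle.dumps(p))
    return clone.calls == p.calls == again.calls
```

Drop the "_"/"aq" filter and the same round trip hands pickle a bogus __setstate__, which is the kind of failure the thread is chasing.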
Re: [Zope-dev] wrapping unexistent objects
Can you just use acquisition?

On Tuesday 03 December 2002 01:11 pm, Maurizio Boriani wrote:
> > "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:
>
> Casey> It's easy to create an infinite loop. To avoid these, do
> Casey> attribute lookups from the instance __dict__ rather than
> Casey> directly from self:
>
> Casey> IOW, don't do:
>
> Casey> foo = self.foo
>
> Casey> or getattr(self, 'foo')
>
> Casey> (This can trigger another __getattr__ call)
>
> Casey> Instead do:
>
> Casey> foo = self.__dict__['foo']
>
> In my case foo is a method, not a property.
>
> Casey> (This won't cause another getattr call)
>
> Casey> As for examples, there is a complex one in the CMF
> Casey> Skinnable module and a simpler one in the Document module
> Casey> of my DocumentLibrary product.
>
> I tried this too but Zope returns an error ('Type Error, unsubscriptable object').
>
> Exactly, this is my case:
>
> I've a class called, for example, pippo. This contains another class called pluto.
>
> So what I'd like to do is:
>
>
>
> The expr or method ciccio doesn't exist in pluto but I'd like to pass to a defined method the expr and its parameters.
>
> A big thanks again for your help.
>
> bye,
> baux
Re: [Zope-dev] wrapping unexistent objects
> "Casey" == Casey Duncan <[EMAIL PROTECTED]> writes:

Casey> Can you just use acquisition?

But how could I without knowing which method will be called?

--
Maurizio Boriani -- Debian Developer
E-mail address: [EMAIL PROTECTED]
GPG key: 0xCC0FBF8F
fingerprint => E429 A37C 5259 763C 9DEE FC8B 5D61 C796 CC0F BF8F <= fingerprint
[Zope-dev] [ANN] OrderedObjectManager Proposal
Zope Folders are already ordered collections. But so far the Zope Core has no API to manipulate the order of the contained objects.

This proposal suggests a solution:

http://dev.zope.org/Wikis/DevSite/Proposals/OrderedObjectManager

Comments are welcome!

Yuppie
Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.
Hi.

> > What concretely are the "some details"?
>
> The fix to this situation is more complicated than removing a ":utf8:" from
> somewhere that it shouldn't be. I'm sure you know this.

At this point in Zope 2.6.x, my guess is that it would not clear up this problem completely. But my patch allows using both the string and ustring types when a user sets the right encoding name in "management_page_charset". This is a temporary trick, but it works well.

> > I'm very interested in Zope development, especially i18n.
> > So I would like to contribute something about it :-)
>
> The patch you mentioned?

I want to tackle this complicated problem in Zope development rather than make my own patches. Because i18n is more of a benefit for minority languages such as Japanese than for major ones, I need it very much.

Thank you.

--
Yusei
Re: [Zope-dev] Zope 2.6.0 ZMI Problem for CJK(Collector 623) patch.
On Tue, 3 Dec 2002 14:52:31 + Toby Dickenson <[EMAIL PROTECTED]> wrote:
> > > There are some details missing from your explanation, but hopefully not
> > > from your patch. Where do I find it?
> >
> > What concretely are the "some details"?
>
> The fix to this situation is more complicated than removing a ":utf8:" from
> somewhere that it shouldn't be. I'm sure you know this.
>
> > I'm very interested in Zope development, especially i18n.
> > So I would like to contribute something about it :-)
>
> The patch you mentioned?

... it seems like things are in a double-bind situation, where the current Unicode Support has a fundamental problem which can't be resolved in a straightforward manner, yet you are requesting it and rejecting any other proposal (at least it looks so to some extent, even though you didn't intend to do so).

# Probably one of the major causes of the miscommunication about
# this topic is the difficulty of understanding a different
# culture, especially the sense of criticality and severity
# of the problem: one party feels it's crucial and needs an urgent
# tentative fix while another feels it's minor and negligible.

Although the problem itself is very clear, no actions/progress against the problem have happened yet.

Anyway, I think it's getting clear that there are no silver bullets (patches) to shoot this problem. If so, the next step which should be taken in such a situation is clear: rollback. We should trace back until we find out what exactly is the fundamental cause of the problem, then make the corrections or define the right direction (as Toby already tried in <[EMAIL PROTECTED]>, and I think it's comprehensive).

I'm not clear on the exact positioning of these documents:

http://www.zope.org/Members/htrd/howto/unicode-zdg-changes
http://www.zope.org/Members/htrd/howto/unicode

but it seems like these documents describe the basic design policy of the current implementation of Unicode Support well.

# For me, the problem looks much simpler in these documents than
# in the discussion about the detailed implementation.

So far, does it sound OK? I would like to hear any opinion about this issue (I know everybody on this ML is very busy ;)

Regards,
---
Heiichiro NAKAMURA <[EMAIL PROTECTED]>