Re: [Zope-dev] Possible security problem with DTML
On 03/24/2003 12:28 PM, kosh wrote:
> On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> > On Fri, 2003-03-21 at 20:08, kosh wrote:
> > > I am having a problem where DTML is allowing access to an attribute of an
> > > object that restrictedTraverse and regular . notation denies from a
> > > python script.
> >
> > This is pretty serious. You should post this as a bug in the collector.
> >
> > Cheers, Leo
>
> Yeah, I will report this to the collector. I just wanted to see if anyone
> else had seen this or thought it was a bug or some really weird thing that
> is supposed to happen but not documented. It would not be the first time
> that zope had some really strange stuff in it. ;)

Are you talking about a DTMLFile in a Python product? DTMLFiles do not
check security (nor do they normally need to, since they are trusted).

Shane

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Let's have another bug day
Leonardo Rochael Almeida wrote:
> Hi people,
>
> It's been some time now since we last had a bug day. Should we have
> another one?

I'd like one. :)
Re: [Zope-dev] Possible security problem with DTML
On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> On Fri, 2003-03-21 at 20:08, kosh wrote:
> > I am having a problem where DTML is allowing access to an attribute of an
> > object that restrictedTraverse and regular . notation denies from a
> > python script.
>
> This is pretty serious. You should post this as a bug in the collector.
>
> Cheers, Leo

Yeah, I will report this to the collector. I just wanted to see if anyone
else had seen this or thought it was a bug or some really weird thing that
is supposed to happen but not documented. It would not be the first time
that zope had some really strange stuff in it. ;)
[Zope-dev] Let's have another bug day
Hi people,

It's been some time now since we last had a bug day. Should we have
another one?

--
Ideas don't stay in some minds very long because they don't like solitary confinement.
Re: [Zope-dev] collector issue 863 "propfind" bugfix
On Mon, 2003-03-24 at 09:00, Simon Eisenmann wrote:
> See: http://collector.zope.org/Zope/863
>
> the attached patch file solves this problem by always setting the
> handle_xml method with default parameters if body does not start with

Please attach the patch to the collector item in question; this way it
won't be lost in the zope-dev traffic and will actually be applied the
next time someone with commit privs stumbles upon it, or maybe during
the next bug day.

--
Ideas don't stay in some minds very long because they don't like solitary confinement.
Re: [Zope-dev] Possible security problem with DTML
On Fri, 2003-03-21 at 20:08, kosh wrote:
> I am having a problem where DTML is allowing access to an attribute of an
> object that restrictedTraverse and regular . notation denies from a python
> script.

This is pretty serious. You should post this as a bug in the collector.

Cheers, Leo

--
Ideas don't stay in some minds very long because they don't like solitary confinement.
[Zope-dev] collector issue 863 "propfind" bugfix
See: http://collector.zope.org/Zope/863

the attached patch file solves this problem by always setting the
handle_xml method with default parameters if body does not start with

the patch is against lib/python/Shared/DC/xml/xmllib.py of zope version 2.6.1

best regards,
simon

--
Simon Eisenmann [ mailto:[EMAIL PROTECTED] ]
[ struktur AG | Junghansstraße 5 | 70469 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:[EMAIL PROTECTED] ]

--- xmllib.py.orginal 2002-08-14 23:51:00.0 +0200 +++ xmllib.py 2003-03-24 11:26:29.0 +0100 @@ -163,6 +163,11 @@ self.lineno = self.lineno + string.count(data, '\n') i = n break +if self.__at_start: +if not xmldecl.match(rawdata): +# no declaration -> use default +self.handle_xml('','') + res = interesting.search(rawdata, i) if res: j = res.start(0)
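Review bot: the fallback added before `res = interesting.search(rawdata, i)` never clears self.__at_start after calling handle_xml, so nothing in this hunk stops the default call from running again if goahead() is re-entered with more data while the parser is still at the start of the document; and because `xmldecl.match(rawdata)` is evaluated against whatever the buffer holds at that moment rather than after the declaration is known to be complete, a declaration that is fed in more than one chunk would be treated as absent and get the default handle_xml('', '') instead. Suggest only falling back once enough data is present to rule out a declaration (or when the feed is known to be complete), and setting self.__at_start = 0 right after the fallback so it fires at most once. Style nit: `self.handle_xml('','')` wants a space after the comma to match the surrounding code.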