Re: [Zope-dev] Possible security problem with DTML

2003-03-24 Thread Shane Hathaway
On 03/24/2003 12:28 PM, kosh wrote:
> On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> > On Fri, 2003-03-21 at 20:08, kosh wrote:
> > > I am having a problem where DTML is allowing access to an attribute of an
> > > object that restrictedTraverse and regular . notation denies from a
> > > python script.
> >
> > This is pretty serious. You should post this as a bug in the collector.
> >
> > 	Cheers, Leo
>
> Yeah, I will report this to the collector. I just wanted to see if anyone else
> had seen this or thought it was a bug or some really weird thing that is
> supposed to happen but not documented. It would not be the first time that
> Zope had some really strange stuff in it. ;)

Are you talking about a DTMLFile in a Python product?  DTMLFiles do not 
check security (nor do they normally need to, since they are trusted).

Shane

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Let's have another bug day

2003-03-24 Thread Lennart Regebro
Leonardo Rochael Almeida wrote:
> Hi people,
>
> It's been some time now since we last had a bug day. Should we have
> another one?
I'd like one. :)



Re: [Zope-dev] Possible security problem with DTML

2003-03-24 Thread kosh
On Monday 24 March 2003 09:05 am, Leonardo Rochael Almeida wrote:
> On Fri, 2003-03-21 at 20:08, kosh wrote:
> > I am having a problem where DTML is allowing access to an attribute of an
> > object that restrictedTraverse and regular . notation denies from a
> > python script.
>
> This is pretty serious. You should post this as a bug in the collector.
>
>   Cheers, Leo

Yeah, I will report this to the collector. I just wanted to see if anyone else 
had seen this or thought it was a bug or some really weird thing that is 
supposed to happen but not documented. It would not be the first time that 
Zope had some really strange stuff in it. ;)



[Zope-dev] Let's have another bug day

2003-03-24 Thread Leonardo Rochael Almeida
Hi people,

It's been some time now since we last had a bug day. Should we have
another one?

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.




Re: [Zope-dev] collector issue 863 "propfind" bugfix

2003-03-24 Thread Leonardo Rochael Almeida
On Mon, 2003-03-24 at 09:00, Simon Eisenmann wrote:
> See: http://collector.zope.org/Zope/863
> 
> the attached patch file solves this problem by always setting the
> handle_xml method with default parameters if body does not start with
> 

Please attach the patch to the collector item in question; this way it
won't be lost in the zope-dev traffic and will actually be applied the next
time someone with commit privs stumbles upon it, or maybe during the
next bug day.

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.




Re: [Zope-dev] Possible security problem with DTML

2003-03-24 Thread Leonardo Rochael Almeida
On Fri, 2003-03-21 at 20:08, kosh wrote:
> I am having a problem where DTML is allowing access to an attribute of an 
> object that restrictedTraverse and regular . notation denies from a python 
> script.

This is pretty serious. You should post this as a bug in the collector.

Cheers, Leo

-- 
Ideas don't stay in some minds very long because they don't like
solitary confinement.




[Zope-dev] collector issue 863 "propfind" bugfix

2003-03-24 Thread Simon Eisenmann
See: http://collector.zope.org/Zope/863

The attached patch file solves this problem by always setting the
handle_xml method with default parameters if the body does not start with


The patch is against lib/python/Shared/DC/xml/xmllib.py of Zope version
2.6.1.

best regards,
 simon



-- 

Simon Eisenmann

[ mailto:[EMAIL PROTECTED] ]

[ struktur AG | Junghansstraße 5 | 70469 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:[EMAIL PROTECTED] ]


--- xmllib.py.orginal   2002-08-14 23:51:00.0 +0200
+++ xmllib.py   2003-03-24 11:26:29.0 +0100
@@ -163,6 +163,11 @@
 self.lineno = self.lineno + string.count(data, '\n')
 i = n
 break
+if self.__at_start:
+if not xmldecl.match(rawdata):
+# no  declaration -> use default
+self.handle_xml('','')
+
 res = interesting.search(rawdata, i)
 if res:
 j = res.start(0)
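Review bot: the added block never resets `self.__at_start` after the default `self.handle_xml('','')` call, so unless the flag is cleared elsewhere on the same pass, the default call can fire again on every subsequent pass through this code until the flag changes; set `self.__at_start = 0` directly after the call, or confirm that the existing reset path covers this case. Two further points to check before applying: `xmldecl` is used as a compiled pattern but is not defined anywhere in this hunk, and since `rawdata` is fed incrementally, matching it for a declaration when only a few bytes have arrived can conclude "no declaration" before the `<?xml` prefix is complete, so the check wants a length guard or deferral until enough data is buffered. The mail archive has also dropped the leading indentation of the `+` lines, so the nesting of the new `if` relative to the `break` above it cannot be verified from this copy; the version attached to the collector item should preserve it.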

