Re: [Zope-dev] New test summarizer format

2011-04-04 Thread Jens Vagelpohl

On 4/3/11 12:41 , Jens Vagelpohl wrote:
 On 3/29/11 11:15 , Adam GROSZER wrote:
 But it seems like it's about bugging Stephan Holek to stop the current 
 one and bugging Jens to start the new one, or? Unless the script is broken.
 
 Could you run that script -- worst case we'll have 2 mails for a day -- 
 for testing? Seems like it has the settings for gocept and I don't 
 really have an SMTP server here handy.
 
 Thanks to Wolfgang's cleanup work the new script is now in place. It's
 running once a day at 01:00 AM Eastern Standard Time.

@Wolfgang: Something is not working as seen in today's run. If I run the
script with -T 2011-04-02 I am getting correct output. But if I run it
with -T 2011-04-03 or -T 2011-04-04 I am getting nothing. Can you
test this in your sandbox?

Thanks!

jens

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Zope Tests: 171 OK, 13 Failed, 2 Unknown

2011-04-04 Thread Zope Tests Summarizer
Summary of messages to the zope-tests list.
Period Sun Apr  3 11:00:00 2011 UTC to Mon Apr  4 11:00:00 2011 UTC.
There were 186 messages: 8 from Zope Tests, 4 from buildbot at pov.lt, 23 from 
buildbot at winbot.zope.org, 8 from ccomb at free.fr, 143 from jdriessen at 
thehealthagency.com.


Test failures
-

Subject: FAILED : Zope Buildbot / zopetoolkit-1.0_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 11:34:06 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037074.html

Subject: FAILED : Zope Buildbot / zope2.13_win-py2.6 slave-win
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 13:48:52 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037104.html

Subject: FAILED : winbot / zc_buildout_dev py_254_win32
From: buildbot at winbot.zope.org
Date: Sun Apr  3 17:30:02 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037125.html

Subject: FAILED : winbot / zc_buildout_dev py_265_win32
From: buildbot at winbot.zope.org
Date: Sun Apr  3 17:30:13 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037126.html

Subject: FAILED : winbot / zc_buildout_dev py_265_win64
From: buildbot at winbot.zope.org
Date: Sun Apr  3 17:30:24 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037127.html

Subject: FAILED : winbot / zc_buildout_dev py_270_win32
From: buildbot at winbot.zope.org
Date: Sun Apr  3 17:30:35 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037128.html

Subject: FAILED : winbot / zc_buildout_dev py_270_win64
From: buildbot at winbot.zope.org
Date: Sun Apr  3 17:30:46 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037129.html

Subject: FAILED : Zope 3.4 Known Good Set / py2.4-64bit-linux
From: buildbot at pov.lt
Date: Sun Apr  3 21:01:34 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037151.html

Subject: FAILED : Zope 3.4 Known Good Set / py2.4-32bit-linux
From: buildbot at pov.lt
Date: Sun Apr  3 21:27:08 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037156.html

Subject: FAILED : Zope 3.4 Known Good Set / py2.5-32bit-linux
From: buildbot at pov.lt
Date: Sun Apr  3 22:29:05 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037172.html

Subject: FAILED : winbot / z3c.rml_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Apr  3 22:38:02 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037175.html

Subject: FAILED : winbot / z3c.coverage_py_265_32
From: buildbot at winbot.zope.org
Date: Sun Apr  3 23:25:12 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037185.html

Subject: FAILED : Zope Buildbot / zopetoolkit-1.1-py2.6 slave-osx
From: jdriessen at thehealthagency.com
Date: Mon Apr  4 00:45:26 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037191.html


Unknown
---

Subject: UNKNOWN : Zope-trunk Python-2.6.5 : Linux
From: Zope Tests
Date: Mon Apr  4 01:14:46 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037200.html

Subject: UNKNOWN : Zope-trunk-alltests Python-2.6.5 : Linux
From: Zope Tests
Date: Mon Apr  4 01:16:47 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037201.html


Tests passed OK
---

Subject: OK : Zope Buildbot / zope2.12-py2.6 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:31:13 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037017.html

Subject: OK : Zope Buildbot / zope2.13-py2.6 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:32:43 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037018.html

Subject: OK : Zope Buildbot / zope2.13-py2.7 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:34:19 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037019.html

Subject: OK : Zope Buildbot / zope2.14-py2.6 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:35:56 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037020.html

Subject: OK : Zope Buildbot / zope2.14-py2.7 slave-ubuntu64
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:37:27 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037021.html

Subject: OK : Zope Buildbot / zope2.12-py2.6 slave-ubuntu32
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:38:07 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037022.html

Subject: OK : Zope Buildbot / zope2.13-py2.6 slave-ubuntu32
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:39:49 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037023.html

Subject: OK : Zope Buildbot / zope2.13-py2.7 slave-ubuntu32
From: jdriessen at thehealthagency.com
Date: Sun Apr  3 09:41:44 EDT 2011
URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037024.html

Subject: OK : Zope Buildbot / zopetoolkit-1.0-py2.4 

Re: [Zope-dev] Zope Tests: 171 OK, 13 Failed, 2 Unknown

2011-04-04 Thread Jan-Wijbrand Kolman
On 4/4/11 12:57 , Zope Tests Summarizer wrote:
 Summary of messages to the zope-tests list.
 Period Sun Apr  3 11:00:00 2011 UTC to Mon Apr  4 11:00:00 2011 UTC.
 There were 186 messages: 8 from Zope Tests, 4 from buildbot at pov.lt, 23 
 from buildbot at winbot.zope.org, 8 from ccomb at free.fr, 143 from jdriessen 
 at thehealthagency.com.


 Test failures
 -

 Subject: FAILED : Zope Buildbot / zopetoolkit-1.0_win-py2.6 slave-win
 From: jdriessen at thehealthagency.com
 Date: Sun Apr  3 11:34:06 EDT 2011
 URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037074.html

 Subject: FAILED : Zope Buildbot / zope2.13_win-py2.6 slave-win
 From: jdriessen at thehealthagency.com
 Date: Sun Apr  3 13:48:52 EDT 2011
 URL: http://mail.zope.org/pipermail/zope-tests/2011-April/037104.html

For both cases, the subsequent test runs passed OK.

regards, jw



Re: [Zope-dev] New test summarizer format

2011-04-04 Thread Jens Vagelpohl

On 4/4/11 08:37 , Jens Vagelpohl wrote:
 On 4/3/11 12:41 , Jens Vagelpohl wrote:
 On 3/29/11 11:15 , Adam GROSZER wrote:
 But it seems like it's about bugging Stephan Holek to stop the current 
 one and bugging Jens to start the new one, or? Unless the script is broken.
 Could you run that script -- worst case we'll have 2 mails for a day -- 
 for testing? Seems like it has the settings for gocept and I don't 
 really have an SMTP server here handy.
 Thanks to Wolfgang's cleanup work the new script is now in place. It's
 running once a day at 01:00 AM Eastern Standard Time.
 
 @Wolfgang: Something is not working as seen in today's run. If I run the
 script with -T 2011-04-02 I am getting correct output. But if I run it
 with -T 2011-04-03 or -T 2011-04-04 I am getting nothing. Can you
 test this in your sandbox?

@Wolfgang: I have checked in some fixes and it works for me now. We'll
see the results tomorrow.

jens



[Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Laurence Rowe
I've been looking into how we might add CSRF protection to z3c.form forms as
we will be including z3c.form in Plone 4.1. Currently in Plone, we use
plone.protect to add an authentication token to our forms and then check the
token in the methods that get called. (plone.protect is BSD licensed, but is
Zope2 specific.)

I think it's important for the integrator to be able to add an authentication
policy to all z3c.form forms on a site, so I'd rather not rely on having all
forms subclass some AuthenticatedForm.

I can see a number of possible ways to implement this

1. Add a hook into z3c.form.form.Form along the lines of::

    def update(self):
        super(Form, self).update()
        self.updateActions()
        self.authenticateSubmission()
        self.actions.execute()
        if self.refreshActions:
            self.updateActions()

    def authenticateSubmission(self):
        if self.actions.executedActions:
            authenticator = zope.component.queryMultiAdapter(
                (self, self.request, self.getContent()),
                interfaces.ISubmissionAuthenticator)
            if authenticator is not None:
                authenticator.authenticate()

This would allow integrators to register an ISubmissionAuthenticator that
would be called when there are actions to execute (so not when a form is just
displayed.)

2. Similar to (1) but fire an event. This would allow multiple submission
authenticators to be registered (e.g. for post-only as well as
check-authenticator), but this makes it more difficult to restrict
authenticators to only certain forms / requests / contexts.

3. Register a more specific version of z3c.form.button.ButtonActionsHandler
which performs the check before executing the handler. This has the advantage
of not requiring any changes to z3c.form, but the disadvantages that: only
button actions are protected, and would be executed per action handler execution
instead of once per submission.

I'd be interested to know how other z3c.form users approach CSRF protection
and what approach they would recommend.

Laurence


Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Stephan Richter
On Monday, April 04, 2011, Laurence Rowe wrote:
 I'd be interested to know how other z3c.form users approach CSRF protection
 and what approach they would recommend.

Hi Laurence,

I am okay with (1), but find (3) more attractive. Since I am not familiar with 
the token solution to avoid CSRF attacks, can you briefly describe the sequence 
that is used to avoid those requests? Maybe we can come up with a tightly 
integrated solution. I have no problem with modifying z3c.form to support such 
a feature.

Regards,
Stephan
-- 
Entrepreneur and Software Geek
Google me. Zope Stephan Richter


Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Laurence Rowe
On 4 April 2011 14:57, Stephan Richter srich...@cosmos.phy.tufts.edu wrote:
 On Monday, April 04, 2011, Laurence Rowe wrote:
 I'd be interested to know how other z3c.form users approach CSRF protection
 and what approach they would recommend.

 Hi Laurence,

 I am okay with (1), but find (3) more attractive. Since I am not familiar with
 the token solution to avoid CSRF attacks, can you briefly describe the sequence
 that is used to avoid those requests? Maybe we can come up with a tightly
 integrated solution. I have no problem with modifying z3c.form to support such
 a feature.

Hi Stephan,

The authenticator is described on
http://pypi.python.org/pypi/plone.protect, but basically it adds an
HMAC-SHA signed token into the form submission. By validating this you
know that the submission came from a form that your site rendered,
rather than an opportunistic 'drive-by' attack from another site.

I'm happy to go with (3). I assume it is not common for z3c.form users
to have non-button actions or customize the ButtonActionHandler?

Laurence


Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Stephan Richter
On Monday, April 04, 2011, Laurence Rowe wrote:
 The authenticator is described on
 http://pypi.python.org/pypi/plone.protect, but basically it adds an
 HMAC-SHA signed token into the form submission. By validating this you
 know that the submission came from a form that your site rendered,
 rather than an opportunistic 'drive-by' attack from another site.

So why don't we make this a built-in feature then? The token manager (I think 
you call it the authenticator) needs to be smart, since it needs to deal with 
stale tokens and similar issues, but otherwise we could just add an 
authentication mechanism into z3c.form.

Mmh, if the token gets stored in the session variable, then we do not even 
have to worry about token management, since the session container has already 
that logic.

I have a feeling I am missing a level of complexity here...

 I'm happy to go with (3). I assume it is not common for z3c.form users
 to have non-button actions or customize the ButtonActionHandler?

Not in my experience.

Regards,
Stephan
-- 
Entrepreneur and Software Geek
Google me. Zope Stephan Richter


Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Roger
Hi Laurence, Stephan

Just because you can write login forms with
z3c.form this package has nothing to do with
authentication. That's just a form framework!

Authentication is definitely not a part
of our z3c.form framework and should not
become one.

Why do you think authentication has something
to do with the z3c.form library? Did I miss
something?


Regards
Roger Ineichen 

 -Original Message-
 From: zope-dev-boun...@zope.org 
 [mailto:zope-dev-boun...@zope.org] On behalf of Laurence Rowe
 Sent: Monday, 4 April 2011 15:37
 To: zope-dev
 Subject: [Zope-dev] CSRF protection for z3c.form
 
 I've been looking into how we might add CSRF protection to 
 z3c.form forms as we will be including z3c.form in Plone 4.1. 
 Currently in Plone, we use plone.protect to add an 
 authentication token to our forms and then check the token in 
 the methods that get called. (plone.protect is BSD licensed, but is
 Zope2 specific.)
 
 I think it's important for the integrator to be able to add 
 an authentication policy to all z3c.form forms on a site, so 
 I'd rather not rely on having all forms subclass some 
 AuthenticatedForm.
 
 I can see a number of possible ways to implement this
 
 1. Add a hook into z3c.form.form.Form along the lines of::
 
     def update(self):
         super(Form, self).update()
         self.updateActions()
         self.authenticateSubmission()
         self.actions.execute()
         if self.refreshActions:
             self.updateActions()
 
     def authenticateSubmission(self):
         if self.actions.executedActions:
             authenticator = zope.component.queryMultiAdapter(
                 (self, self.request, self.getContent()),
                 interfaces.ISubmissionAuthenticator)
             if authenticator is not None:
                 authenticator.authenticate()
 
 This would allow integrators to register an 
 ISubmissionAuthenticator that would be called when there are 
 actions to execute (so not when a form is just
 displayed.)
 
 2. Similar to (1) but fire an event. This would allow 
 multiple submission authenticators to be registered (e.g. for 
 post-only as well as check-authenticator), but this makes it 
 more difficult to restrict authenticators to only certain 
 forms / requests / contexts.
 
 3. Register a more specific version of 
 z3c.form.button.ButtonActionsHandler
 which performs the check before executing the handler. This 
 has the advantage of not requiring any changes to z3c.form, 
 but the disadvantages that: only button actions are 
 protected, and would be executed per action handler execution 
 instead of once per submission.
 
 I'd be interested to know how other z3c.form users approach 
 CSRF protection and what approach they would recommend.
 
 Laurence



Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Wichert Akkerman
On 2011-4-4 18:22, Roger wrote:
 Hi Laurence, Stephan

 Just because you can write login forms with
 z3c.form this package has nothing to do with
 authentication. That's just a form framework!

 Authentication is definitely not a part
 of our z3c.form framework and should not
 become one.

 Why do you think authentication has something
 to do with the z3c.form library? Did I miss
 something?

CSRF has nothing to do with authentication. It has to do with securing 
forms on websites.

Wichert.

-- 
Wichert Akkerman wich...@wiggy.net   It is simple to make things.
http://www.wiggy.net/  It is hard to make things simple.


Re: [Zope-dev] zope.component test isolation

2011-04-04 Thread Wolfgang Schnerring
Hi,

it seems to me this has stalled somewhat, so I wanted to ask what
people's conclusions are.

* Wolfgang Schnerring w...@gocept.com [2011-03-26 13:41]:
 * Martin Aspeli optilude+li...@gmail.com [2011-03-26 11:22]:
 On 26 March 2011 08:11, Wolfgang Schnerring w...@gocept.com wrote:
 I don't think a fixture of package foo's configuration except
 component X and Y is all that useful.

Whether the unregister use case is useful remains debatable, but I
personally don't care all *that* much for it, so if the consensus is
that it's overkill I'll go along I guess.

I do care quite a bit for proper getSiteManager() support...

 We do definitely need to allow the global site manager to be stacked
 (which you can achieve with __bases__ as in plone.testing,
 unregistration notwithstanding). But once you do that, the rest is
 pretty easy. The local site manager will always have the global as one
 of its (nested) __bases__.

 I'm sorry, but no, it isn't that easy. When the only local site
 consumer is zope.site, well, maybe. But please think of this in terms
 of zope.component *only*.

 Its API is getSiteManager.sethook(callable), and AFAICT the contract
 is that the return value of callable must provide IComponents
 (briefly: get* and register*). Nowhere does it say that you have to
 delegate back to the global registry, and neither it should. To bring
 up Pyramid once again, they explicitly don't, because they want to
 allow several applications (thus, several registries) coexisting in
 the same process.

 And since we can't assume this delegation, I think there is no other
 way to properly do the stacking than to bend getSiteManager.

... as described here, though. And I wonder if I'm missing something,
because to do that properly looks like quite the can of worms to me.

So, how can we proceed here? Should I (and Thomas) try to get a
proof-of-concept implementation of this based on plone.testing? Or should
we think about what it takes to merge most of plone.testing's ZCA
support into zope.component itself first?

Wolfgang



Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Tres Seaver

On 04/04/2011 12:23 PM, Wichert Akkerman wrote:
 On 2011-4-4 18:22, Roger wrote:
 Hi Laurence, Stephan

 Just because you can write login forms with
 z3c.form this package has nothing to do with
 authentication. That's just a form framework!

 Authentication is definitely not a part
 of our z3c.form framework and should not
 become one.

 Why do you think authentication has something
 to do with the z3c.form library? Did I miss
 something?
 
 CSRF has nothing to do with authentication. It has to do with securing 
 forms on websites.

Imagine that Alice Malice runs a site she tempts Bob Slob to visit while
Bob is logged into your site with privileged credentials.  Alice adds
javascript to an apparently harmless page which spoofs submitting a
form to your site on Bob's behalf, perhaps granting Alice extra
permissions, or defacing your site.

If your site uses CSRF-protected forms, then real forms will contain a
hidden field whose value is a signature (a hashed value known only to
the server).  The server generates the hash when it renders the form,
and stores it in the authenticated user's session;  when the form is
submitted, the server checks that the hash is valid before processing
the form.  Because it has either a missing or an invalid hash, Alice's
spoofed submission can be rejected.


Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Designhttp://palladion.com

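The two token designs discussed above, Laurence's HMAC-signed authenticator bound to the user and the session-stored form hash Tres describes, as an added Python example that is neither plone.protect's nor z3c.form's code; the hidden field names, the `save` button field, the user ids and the site secret are all constructed, and the check runs only when an action is present, as in option (1) of the original post.

```python
import hashlib
import hmac
import secrets

# Constructed per-site secret for this example only; a deployment loads a
# real secret from configuration and never ships it in code.
SITE_SECRET = b"example-site-secret-for-illustration"


def keyed_token(secret, user_id):
    """plone.protect-style authenticator: HMAC-SHA256 over the user id, keyed
    with the site secret. Only the server can compute it, so its presence in a
    submission shows the form was rendered by this site for this user."""
    return hmac.new(secret, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_keyed_token(secret, user_id, submitted):
    """Constant-time check; a missing or malformed field is simply invalid."""
    if not isinstance(submitted, str):
        return False
    expected = keyed_token(secret, user_id).encode("ascii")
    return hmac.compare_digest(expected, submitted.encode("utf-8"))


class SessionTokens:
    """Session-stored tokens as Tres describes: the server remembers the value
    it rendered and checks it back on submission. Tokens are consumed on use
    and the store is capped, which is the stale-token housekeeping Stephan raised."""

    def __init__(self, max_outstanding=8):
        self.max_outstanding = max_outstanding
        self._tokens = []  # oldest first

    def issue(self):
        token = secrets.token_hex(16)
        self._tokens.append(token)
        if len(self._tokens) > self.max_outstanding:
            del self._tokens[0]  # the oldest outstanding token goes stale
        return token

    def consume(self, submitted):
        """Accept each outstanding token once, comparing in constant time."""
        if not isinstance(submitted, str):
            return False
        for token in list(self._tokens):
            if hmac.compare_digest(token.encode("ascii"), submitted.encode("utf-8")):
                self._tokens.remove(token)
                return True
        return False


def render_form(user_id, session):
    """Rendering emits both hidden fields and checks nothing, mirroring option
    (1), where authenticateSubmission() only runs when an action executes."""
    return {
        "_authenticator": keyed_token(SITE_SECRET, user_id),
        "_session_token": session.issue(),
    }


def handle_request(method, fields, user_id, session):
    """Form controller for a constructed button field named 'save'.
    Returns 'displayed', 'executed' or 'rejected'."""
    if "save" not in fields:
        return "displayed"  # no action to execute, so nothing to authenticate
    if method != "POST":
        return "rejected"  # post-only rule, the second check Laurence mentions
    if not check_keyed_token(SITE_SECRET, user_id, fields.get("_authenticator")):
        return "rejected"
    if not session.consume(fields.get("_session_token")):
        return "rejected"
    return "executed"


def demo():
    """Run the scenarios from the thread; returns the outcome per scenario."""
    session, bob, results = SessionTokens(), "bob", {}
    good = dict(render_form(bob, session), save="1")
    results["display"] = handle_request("GET", {}, bob, session)
    # Bob's browser posts back exactly the fields it was given.
    results["legit"] = handle_request("POST", good, bob, session)
    # The same submission again: the session token was already consumed.
    results["replay"] = handle_request("POST", good, bob, session)
    # Alice's page cannot read Bob's form, so her drive-by post carries no tokens.
    results["drive_by"] = handle_request("POST", {"save": "1"}, bob, session)
    # Authenticator forged under a guessed key, on an otherwise fresh form.
    forged = dict(render_form(bob, session), save="1",
                  _authenticator=keyed_token(b"guessed-key", bob))
    results["wrong_key"] = handle_request("POST", forged, bob, session)
    # A token minted for another user is bound to that user, not to Bob.
    other = dict(render_form(bob, session), save="1",
                 _authenticator=keyed_token(SITE_SECRET, "alice"))
    results["other_user"] = handle_request("POST", other, bob, session)
    # Valid fields arriving by GET are refused by the post-only rule.
    get_submit = dict(render_form(bob, session), save="1")
    results["get_submit"] = handle_request("GET", get_submit, bob, session)
    return results
```

Only the legitimate POST executes; every other scenario in `demo()` is rejected without the handler running.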


Re: [Zope-dev] zope.component test isolation

2011-04-04 Thread Martin Aspeli
Hi,

On 4 April 2011 17:30, Wolfgang Schnerring w...@gocept.com wrote:
 So, how can we proceed here? Should I (and Thomas) try to get a
 proof-of-concept implementation of this based on plone.testing? Or should
 we think about what it takes to merge most of plone.testing's ZCA
 support into zope.component itself first?

I think either approach is valuable, and not necessarily mutually exclusive.

I do care about the plone.testing API, which is used in production, so
bear that in mind.

Martin


Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Shane Hathaway
On 04/04/2011 10:22 AM, Roger wrote:
 Just because you can write login forms with
 z3c.form this package has nothing to do with
 authentication. That's just a form framework!

 Authentication is definitely not a part
 of our z3c.form framework and should not
 become one.

 Why do you think authentication has something
 to do with the z3c.form library? Did I miss
 something?

This thread is using the word authenticate differently than most other 
Zope-related discussions.  Here, we are authenticating the *form*, not 
the user.  We need to be sure that submitted form data was produced by 
an authentic form.  Otherwise, a crafty site could cause the user's 
browser to invoke some action in the background.

BTW, the CSRF issue has existed as long as HTML forms have existed, but 
for some reason it has only drawn attention in the past year or two.

Shane


Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Roger
Hi Shane 

 -Original Message-
 From: Shane Hathaway [mailto:sh...@hathawaymix.org] 
 Sent: Monday, 4 April 2011 19:54
 To: d...@projekt01.ch
 Cc: 'Laurence Rowe'; 'zope-dev'; stephan.rich...@gmail.com
 Subject: Re: [Zope-dev] CSRF protection for z3c.form
 
 On 04/04/2011 10:22 AM, Roger wrote:
  Just because you can write login forms with z3c.form this 
 package has 
  nothing to do with authentication. That's just a form framework!
 
  Authentication is definitely not a part
  of our z3c.form framework and should not become one.
 
  Why do you think authentication has something to do with 
 the z3c.form 
  library? Did I miss something?
 
 This thread is using the word authenticate differently than 
 most other Zope-related discussions.  Here, we are 
 authenticating the *form*, not the user.  We need to be sure 
 that submitted form data was produced by an authentic form.  
 Otherwise, a crafty site could cause the user's browser to 
 invoke some action in the background.


I know what you mean. As long as this is not implemented
in z3c.form I'm fine, because I don't believe in this 
kind of protection since I did some very fancy stuff
with easyxdm.

Regards
Roger Ineichen

 
 BTW, the CSRF issue has existed as long as HTML forms have 
 existed, but for some reason it has only drawn attention in 
 the past year or two.

 Shane
 



Re: [Zope-dev] CSRF protection for z3c.form

2011-04-04 Thread Roger
Hi Stephan

 Subject: Re: AW: [Zope-dev] CSRF protection for z3c.form
 
 On Monday, April 04, 2011, Roger wrote:
  Authentication is definitely not a part
  of our z3c.form framework and should not become one.
  
  Why do you think authentication has something to do with 
 the z3c.form 
  library? Did I miss something?
 
 Roger, this has nothing to with user authentication, but 
 rather form authenticity, as in: Has the user submitted the 
 same form s/he has received in the first place.

I was confused the first time I was reading. But it
doesn't matter if we check authentication or
page tokens. Both are a check for did the user's
browser access this page before.

But anyway, form authenticity is nice but an illusion.
All we can do is to make it harder to attack a form.

 Google CSRF. The Wikipedia article was pretty good.

I know the different concepts since I wrote some XSS based
bookmark scripts and did some experiments with easyxdm
and z3c.jsonrpcproxy.

In my point of view a page token is just a part
of a security concept and doesn't help as THE solution.

Probably we could implement a mixin class like:

class ProtectorMixin(object):

    def update(self):
        # inject and validate page token
        super(ProtectorMixin, self).update()


Here are my reasons why this should not go to the default classes:

- it slows things down

- it suggests secure forms but doesn't without other
  protection concepts

- it makes the not so simple z3c form concept even
  more complex

- it's an overhead to protect any form by default
  or lookup non existing adapters


What do you think?


Regards
Roger Ineichen



[Zope-dev] zope-tests - FAILED: 12, OK: 75, UNKNOWN: 2

2011-04-04 Thread Zope tests summarizer
This is the summary for test reports received on the 
zope-tests list between 2011-04-03 00:00:00 UTC and 2011-04-04 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received


[1]UNKNOWN : Zope-trunk Python-2.6.5 : Linux
[2]UNKNOWN : Zope-trunk-alltests Python-2.6.5 : Linux
   ZTK 1.0 / Python2.4.6 Linux 64bit
   ZTK 1.0 / Python2.5.5 Linux 64bit
[3]ZTK 1.0 / Python2.6.5 Linux 64bit
   ZTK 1.0dev / Python2.4.6 Linux 64bit
   ZTK 1.0dev / Python2.5.5 Linux 64bit
   ZTK 1.0dev / Python2.6.5 Linux 64bit
   Zope 3.4 KGS / Python2.4.6 64bit linux
   Zope 3.4 KGS / Python2.5.5 64bit linux
[4]Zope 3.4 Known Good Set / py2.4-32bit-linux
[5]Zope 3.4 Known Good Set / py2.4-64bit-linux
[6]Zope 3.4 Known Good Set / py2.5-32bit-linux
   Zope 3.4 Known Good Set / py2.5-64bit-linux
   Zope Buildbot / zope2.12-py2.6 slave-osx
   Zope Buildbot / zope2.12-py2.6 slave-ubuntu32
   Zope Buildbot / zope2.12-py2.6 slave-ubuntu64
   Zope Buildbot / zope2.13-py2.6 slave-osx
   Zope Buildbot / zope2.13-py2.6 slave-ubuntu32
   Zope Buildbot / zope2.13-py2.6 slave-ubuntu64
   Zope Buildbot / zope2.13-py2.7 slave-osx
   Zope Buildbot / zope2.13-py2.7 slave-ubuntu32
   Zope Buildbot / zope2.13-py2.7 slave-ubuntu64
   Zope Buildbot / zope2.13_win-py2.6 slave-win
   Zope Buildbot / zope2.13_win-py2.7 slave-win
   Zope Buildbot / zope2.14-py2.6 slave-osx
   Zope Buildbot / zope2.14-py2.6 slave-ubuntu32
   Zope Buildbot / zope2.14-py2.6 slave-ubuntu64
   Zope Buildbot / zope2.14-py2.7 slave-osx
   Zope Buildbot / zope2.14-py2.7 slave-ubuntu32
   Zope Buildbot / zope2.14-py2.7 slave-ubuntu64
   Zope Buildbot / zopetoolkit-1.0-py2.4 slave-osx
   Zope Buildbot / zopetoolkit-1.0-py2.4 slave-ubuntu32
   Zope Buildbot / zopetoolkit-1.0-py2.4 slave-ubuntu64
   Zope Buildbot / zopetoolkit-1.0-py2.5 slave-osx
   Zope Buildbot / zopetoolkit-1.0-py2.5 slave-ubuntu32
   Zope Buildbot / zopetoolkit-1.0-py2.5 slave-ubuntu64
   Zope Buildbot / zopetoolkit-1.0-py2.6 slave-osx
   Zope Buildbot / zopetoolkit-1.0-py2.6 slave-ubuntu32
   Zope Buildbot / zopetoolkit-1.0-py2.6 slave-ubuntu64
   Zope Buildbot / zopetoolkit-1.0_win-py2.4 slave-win
   Zope Buildbot / zopetoolkit-1.0_win-py2.5 slave-win
   Zope Buildbot / zopetoolkit-1.0_win-py2.6 slave-win
   Zope Buildbot / zopetoolkit-1.1-py2.5 slave-osx
   Zope Buildbot / zopetoolkit-1.1-py2.5 slave-ubuntu32
   Zope Buildbot / zopetoolkit-1.1-py2.5 slave-ubuntu64
   Zope Buildbot / zopetoolkit-1.1-py2.6 slave-osx
[7]Zope Buildbot / zopetoolkit-1.1-py2.6 slave-osx
   Zope Buildbot / zopetoolkit-1.1-py2.6 slave-ubuntu32
   Zope Buildbot / zopetoolkit-1.1-py2.6 slave-ubuntu64
   Zope Buildbot / zopetoolkit-1.1_win-py2.5 slave-win
   Zope Buildbot / zopetoolkit-1.1_win-py2.6 slave-win
   Zope Buildbot / zopetoolkit-py2.5 slave-osx
   Zope Buildbot / zopetoolkit-py2.5 slave-ubuntu32
   Zope Buildbot / zopetoolkit-py2.5 slave-ubuntu64
   Zope Buildbot / zopetoolkit-py2.6 slave-osx
   Zope Buildbot / zopetoolkit-py2.6 slave-ubuntu32
   Zope Buildbot / zopetoolkit-py2.6 slave-ubuntu64
   Zope Buildbot / zopetoolkit_win-py2.5 slave-win
   Zope Buildbot / zopetoolkit_win-py2.6 slave-win
   Zope-2.10 Python-2.4.6 : Linux
   Zope-2.11 Python-2.4.6 : Linux
   Zope-2.12 Python-2.6.5 : Linux
   Zope-2.12-alltests Python-2.6.5 : Linux
   Zope-2.13 Python-2.6.5 : Linux
   Zope-2.13-alltests Python-2.6.5 : Linux
   winbot / ZODB_dev py_254_win32
   winbot / ZODB_dev py_265_win32
   winbot / ZODB_dev py_265_win64
   winbot / ZODB_dev py_270_win32
   winbot / ZODB_dev py_270_win64
[8]winbot / z3c.coverage_py_265_32
[9]winbot / z3c.rml_py_265_32
[10]   winbot / zc_buildout_dev py_254_win32
[11]   winbot / zc_buildout_dev py_265_win32
[12]   winbot / zc_buildout_dev py_265_win64
[13]   winbot / zc_buildout_dev py_270_win32
[14]   winbot / zc_buildout_dev py_270_win64
   winbot / ztk_10 py_254_win32
   winbot / ztk_10 py_265_win32
   winbot / ztk_10 py_265_win64
   winbot / ztk_11 py_254_win32
   winbot / ztk_11 py_265_win32
   winbot / ztk_11 py_265_win64
   winbot / ztk_dev py_254_win32
   winbot / ztk_dev py_265_win32
   winbot / ztk_dev py_265_win64
   winbot / ztk_dev py_270_win32
   winbot / ztk_dev py_270_win64

Non-OK results
--

[1]UNKNOWN UNKNOWN : Zope-trunk Python-2.6.5 : Linux
   https://mail.zope.org/pipermail/zope-tests/2011-April/037200.html


[2]UNKNOWN UNKNOWN : Zope-trunk-alltests Python-2.6.5 : Linux