[Zope-dev] zope-tests - FAILED: 5, OK: 13

2013-09-18 Thread Zope tests summarizer
This is the summary for test reports received on the 
zope-tests list between 2013-09-17 00:00:00 UTC and 2013-09-18 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to-date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received


   Successful - zopetoolkit_trunk - Build # 406
   winbot / ZODB_dev py_265_win32
   winbot / ZODB_dev py_265_win64
   winbot / ZODB_dev py_270_win32
   winbot / ZODB_dev py_270_win64
[1]winbot / zope.app.authentication_py_265_32
[2]winbot / zope.app.http_py_265_32
[3]winbot / zope.app.publication_py_265_32
[4]winbot / zope.app.wsgi_py_265_32
[5]winbot / zope.testbrowser_py_265_32
   winbot / ztk_10 py_254_win32
   winbot / ztk_10 py_265_win32
   winbot / ztk_10 py_265_win64
   winbot / ztk_11 py_254_win32
   winbot / ztk_11 py_265_win32
   winbot / ztk_11 py_265_win64
   winbot / ztk_11 py_270_win32
   winbot / ztk_11 py_270_win64

Non-OK results
--

[1]FAILED  winbot / zope.app.authentication_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078812.html


[2]FAILED  winbot / zope.app.http_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078813.html


[3]FAILED  winbot / zope.app.publication_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078811.html


[4]FAILED  winbot / zope.app.wsgi_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078814.html


[5]FAILED  winbot / zope.testbrowser_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078815.html


___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] (optional) CSRF protection in zope.formlib

2013-09-18 Thread Jan-Wijbrand Kolman

On 9/18/13 5:26 PM, Leonardo Rochael Almeida wrote:

+1 for implementing convenient CSRF.

I wonder if you could make your implementation more orthogonal by
implementing a CSRF "field/widget", and make your `protected` attribute
simply trigger the inclusion of this field implicitly.

This way you wouldn't need to change the `*pageform.pt` templates like you do now, and
`setupToken()`/`checkToken()` would move to the widget code.


I've considered and experimented with that approach. However, as soon as 
you do more complex things with setting up fields in your own form 
component, things potentially get hairy.


Furthermore, the form machinery tries to get values from the context 
object (in edit forms for example), for each field and tries to set 
values for this field on the context object when handling the submit. 
This would make handling this field special in a way I didn't like.


But yes, the compromise in my implementation is that you need to render 
the hidden input field "yourself" if you overwrite the default templates 
- and you most probably do.


For example, grok.formlib does bring its own "default" templates for 
forms. I'd need to update that package in case this implementation is 
accepted and lands.


regards, jw



Re: [Zope-dev] (optional) CSRF protection in zope.formlib

2013-09-18 Thread Leonardo Rochael Almeida
Hi Jan-Wij,

+1 for implementing convenient CSRF.

I wonder if you could make your implementation more orthogonal by
implementing a CSRF "field/widget", and make your `protected` attribute
simply trigger the inclusion of this field implicitly.

This way you wouldn't need to change the `*pageform.pt` templates like you
do now, and `setupToken()`/`checkToken()` would move to the widget code.

Cheers,

Leo


On Wed, Sep 18, 2013 at 11:41 AM, Jan-Wijbrand Kolman  wrote:

> Hi,
>
> I've been working on CSRF protection for zope.formlib.
>
> I have a "csrfprotection" branch in my zope.formlib fork on github. The
> changes against the current zope.formlib mainline can be found here:
>
> https://github.com/janwijbrand/zope.formlib/compare/csrfprotection
>
> When creating form components based on zope.formlib.form.FormBase, one can
> enable this protection just by setting the attribute ``protected`` to True
> on the component.
>
> This implementation is based on the following assumptions:
>
> * We do not want to keep server-side state(!)
>
> * An "attacker" that attempts CSRF cannot get to information stored in
> cookies that are meant for the domain of the (forged) request.
>
> * The token stored in the cookie is sufficiently random and long, to be
> practically "unguessable" by the attacker.
>
> * The form submit is deemed valid as long as the token in the cookie is
> identical to a hidden input value that is part of the form submit.
>
> My questions:
>
> * Do you find this feature useful enough to be, in principle, included in
> zope.formlib?
>
> * I'd like to kindly request someone to review my branch and provide
> feedback.
>
> The included test cases describe a few more questions and concerns about
> this implementation.
>
> Thank you in advance!
>
> kind regards, jw
>


[Zope-dev] (optional) CSRF protection in zope.formlib

2013-09-18 Thread Jan-Wijbrand Kolman

Hi,

I've been working on CSRF protection for zope.formlib.

I have a "csrfprotection" branch in my zope.formlib fork on github. The 
changes against the current zope.formlib mainline can be found here:


https://github.com/janwijbrand/zope.formlib/compare/csrfprotection

When creating form components based on zope.formlib.form.FormBase, one 
can enable this protection just by setting the attribute ``protected`` 
to True on the component.


This implementation is based on the following assumptions:

* We do not want to keep server-side state(!)

* An "attacker" that attempts CSRF cannot get to information stored in 
cookies that are meant for the domain of the (forged) request.


* The token stored in the cookie is sufficiently random and long, to be 
practically "unguessable" by the attacker.


* The form submit is deemed valid as long as the token in the cookie is 
identical to a hidden input value that is part of the form submit.


My questions:

* Do you find this feature useful enough to be, in principle, included 
in zope.formlib?


* I'd like to kindly request someone to review my branch and provide 
feedback.


The included test cases describe a few more questions and concerns about 
this implementation.


Thank you in advance!

kind regards, jw

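The stateless scheme the post above lays out (token in a cookie, the same token duplicated into a hidden input, submit accepted only when the two agree) is the double-submit-cookie pattern. The following is an added example written for this page; it is not code from zope.formlib or from the csrfprotection branch, and its `Request`/`Response` classes, the cookie and field names `csrftoken`, and the function names are stand-ins chosen here rather than the branch's `setupToken()`/`checkToken()`. It walks through the four assumptions: no server-side state, the attacker cannot read the cookie, the token is long and random, and validity means cookie equals hidden field.

```python
"""Stateless double-submit-cookie CSRF check (added example, not zope.formlib code)."""
import hmac
import secrets

COOKIE_NAME = "csrftoken"   # assumed name; the page does not give the branch's cookie name
FIELD_NAME = "csrftoken"    # assumed name of the hidden input
TOKEN_BYTES = 32            # 256 bits of randomness: "sufficiently random and long"


class Request:
    """Constructed stand-in for a publisher request: cookies the browser sent
    plus the submitted form fields."""
    def __init__(self, cookies=None, form=None):
        self.cookies = dict(cookies or {})
        self.form = dict(form or {})


class Response:
    """Constructed stand-in that only records cookies set on the response."""
    def __init__(self):
        self.cookies = {}

    def set_cookie(self, name, value):
        self.cookies[name] = value


def setup_token(request, response):
    """Make sure the browser holds a token cookie; mint one if it does not.

    Nothing is stored server-side: the cookie is the only copy of the token,
    and an existing cookie is reused so several open forms share it.
    """
    token = request.cookies.get(COOKIE_NAME)
    if not token:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        response.set_cookie(COOKIE_NAME, token)
    return token


def render_protected_form(request, response, action="/edit"):
    """Return form markup with the token duplicated into a hidden input.

    token_urlsafe() yields only [A-Za-z0-9_-], so no attribute escaping is needed.
    """
    token = setup_token(request, response)
    return (
        '<form method="post" action="%s">'
        '<input type="hidden" name="%s" value="%s" />'
        '<input type="submit" value="Save" />'
        '</form>' % (action, FIELD_NAME, token)
    )


def check_token(request):
    """The submit is valid only if the cookie token and the hidden input agree.

    Both must be present, and the comparison is constant-time so a mismatch
    leaks nothing about how many leading characters happened to match.
    """
    cookie = request.cookies.get(COOKIE_NAME)
    submitted = request.form.get(FIELD_NAME)
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie.encode(), submitted.encode())


def handle_submit(request):
    """Dispatch a submit: reject before any form data is looked at."""
    if not check_token(request):
        return "rejected: CSRF token missing or mismatched"
    return "ok: form data accepted"


def walkthrough():
    """Constructed round trip: the first GET mints the cookie, a legitimate POST
    echoes it in the hidden field, a cross-site forged POST cannot."""
    response = Response()
    render_protected_form(Request(), response)      # browser had no cookie yet
    token = response.cookies[COOKIE_NAME]
    browser_cookies = {COOKIE_NAME: token}

    legitimate = Request(cookies=browser_cookies, form={FIELD_NAME: token, "title": "x"})
    # Forged request: the victim's browser still attaches the cookie, but the
    # originating page cannot read it and so cannot fill in the hidden field.
    forged = Request(cookies=browser_cookies, form={"title": "x"})
    # Even a field filled with a fresh random value fails: the token is unguessable.
    wrong = Request(cookies=browser_cookies,
                    form={FIELD_NAME: secrets.token_urlsafe(TOKEN_BYTES), "title": "x"})
    return {
        "legitimate": handle_submit(legitimate),
        "forged": handle_submit(forged),
        "wrong": handle_submit(wrong),
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print("%-10s %s" % (case, outcome))
```

Because the hidden input is rendered server-side, the cookie can be marked HttpOnly without breaking the scheme. Note that the pattern rests on one assumption beyond the four listed: the attacker must not be able to *set* a cookie for the domain either (a page on a sibling host could otherwise plant a token it knows), so the cookie should be scoped as narrowly as the deployment allows.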


Re: [Zope-dev] zope-tests - FAILED: 6, OK: 12

2013-09-18 Thread Marius Gedminas
On Wed, Sep 18, 2013 at 11:11:50AM +0300, Marius Gedminas wrote:
> On Wed, Sep 18, 2013 at 01:00:02AM +0200, Zope tests summarizer wrote:
> > [6]winbot / zope.testbrowser_py_265_32
> 
> The fix that was supposed to fix this didn't because
> https://github.com/Pylons/webtest/pull/87/files#r6427276

We're waiting for https://github.com/Pylons/webtest/pull/88 and WebTest
2.0.9 now.

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development




Re: [Zope-dev] zope-tests - FAILED: 6, OK: 12

2013-09-18 Thread Marius Gedminas
On Wed, Sep 18, 2013 at 01:00:02AM +0200, Zope tests summarizer wrote:
> [1]winbot / ZODB_dev py_265_win64

Non-deterministic test failure:

Failure in test 
c:\buildslave\zodb_dev_py_265_win64\build\src\ZODB\historical_connections.txt

--
File 
"c:\buildslave\zodb_dev_py_265_win64\build\src\ZODB\historical_connections.txt",
 line 220, in historical_connections.txt
Failed example:
[c in conns1 for c in conns2]
Expected:
[False, False, True, True]
Got:
[False, False, False, True]

Cleared up all by itself on next build.

> [2]winbot / zope.app.authentication_py_265_32
> [3]winbot / zope.app.http_py_265_32
> [4]winbot / zope.app.publication_py_265_32
> [5]winbot / zope.app.wsgi_py_265_32

WebTest version conflict

> [6]winbot / zope.testbrowser_py_265_32

The fix that was supposed to fix this didn't because
https://github.com/Pylons/webtest/pull/87/files#r6427276

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development

