Re: [Zope-dev] Vulnerability in Zope
* Andy McKay [EMAIL PROTECTED] [010924 01:11]:
> Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for, but I'm not sure what this guy is on. I wouldn't count this as a security vulnerability.

It's not an exploitable vulnerability (which is the only sort of vulnerability in my book ;) but it's as ugly as a warthog, and it would be nice to arrange things more gracefully.

seb

> ----- Original Message -----
> From: Chris Withers [EMAIL PROTECTED]
> To: Paul Everitt [EMAIL PROTECTED]; ALife [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Sunday, September 23, 2001 10:44 AM
> Subject: Re: [Zope-dev] Vulnerability in Zope
>
> > > Do others consider this a vulnerability?
> >
> > Yup... especially given the hard-coded (sigh) error page returned for authentication error gives out this information :-(
> >
> > Chris

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
> > Vulnerability: attacking can get file list and directory
> > Tested on Win32 platform
> > Example:
> > telnet zopeserver 8080
> > PROPFIND / HTTP/1.0
> > enter enter enter
> > list files and directory
> > This tested on my site: security.instock.ru 8080
>
> This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...
>
> Joachim

I totally agree. Tracebacks should not be visible to anonymous users! Although I would hesitate to call this a vulnerability, it ranks up there with the old ability to call objectIds by URL as anonymous. The less information that anonymous users can glean about the server, the better.

/---\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
[EMAIL PROTECTED]
\---/
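The PROPFIND probe quoted in the report above, written out as an added example (this is not code from the thread or from Zope). It builds the same raw request the telnet session types by hand, parses a DAV:multistatus reply into a listing, and decides whether an anonymous client was handed that listing. The sample reply is constructed here to show the shape of what the telnet session prints; the host name, the port and the Depth header are assumptions of the example (the original report sends no Depth header).

```python
import socket
import xml.etree.ElementTree as ET

DAV = "{DAV:}"


def build_request(host):
    """The request the telnet session sends.  Depth: 1 asks only for the
    immediate children (an assumption of this example; without it some servers
    walk the whole tree)."""
    return ("PROPFIND / HTTP/1.0\r\n"
            "Host: %s\r\n"
            "Depth: 1\r\n"
            "\r\n" % host)


# Constructed sample of a 207 Multi-Status reply; not captured from any site.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 207 Multi-Status\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<d:multistatus xmlns:d="DAV:">\n'
    b"<d:response><d:href>/</d:href><d:propstat><d:prop>"
    b"<d:resourcetype><d:collection/></d:resourcetype></d:prop>"
    b"<d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>\n"
    b"<d:response><d:href>/index_html</d:href><d:propstat><d:prop>"
    b"<d:resourcetype/></d:prop>"
    b"<d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>\n"
    b"<d:response><d:href>/acl_users</d:href><d:propstat><d:prop>"
    b"<d:resourcetype><d:collection/></d:resourcetype></d:prop>"
    b"<d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response>\n"
    b"</d:multistatus>\n"
)


def split_response(raw):
    """Return (status_code, body) from a raw HTTP/1.0 reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), body


def parse_listing(body):
    """Turn a multistatus body into [(href, is_collection), ...]."""
    root = ET.fromstring(body)
    listing = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href")
        is_collection = resp.find(".//" + DAV + "collection") is not None
        listing.append((href, is_collection))
    return listing


def anonymous_listing_exposed(raw):
    """True when an unauthenticated PROPFIND got a listing back.  A 401 means
    the server asked for credentials first, which is the state you want."""
    status, body = split_response(raw)
    return status == 207 and len(parse_listing(body)) > 0


def probe(host, port=8080, timeout=5.0):
    """Send the request over a plain socket with no credentials and return the
    raw reply; feed the result to anonymous_listing_exposed()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host).encode("ascii"))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)
```

Run `anonymous_listing_exposed(probe("zopeserver"))` against a test instance before and after changing the anonymous permissions Joachim refers to; the check passes only when the unauthenticated request stops receiving a 207.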
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
> On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
> > > Vulnerability: attacking can get file list and directory
> > > Tested on Win32 platform
> > > Example:
> > > telnet zopeserver 8080
> > > PROPFIND / HTTP/1.0
> > > enter enter enter
> > > list files and directory
> > > This tested on my site: security.instock.ru 8080
> >
> > This one really seems to be the old "WebDAV is not safe" one. I guess it has been tackled already. You should be able to switch the file listing off for the Anonymous User in Zope 2.4.1 ...
> >
> > Joachim
>
> I totally agree. Tracebacks should not be visible to anonymous users! Although I would hesitate to call this a vulnerability, it ranks up there with the old ability to call objectIds by URL as anonymous. The less information that anonymous users can glean about the server, the better.

From a non-technical, PR-wise point of view let me add that this type of vulnerability easily gets Zope mentioned on lists like bugtraq. The perception is that these things really are vulnerabilities. Proof: 17.9. a posting named "Yet another path disclosure vulnerability" targeted at Oracle 9i AppServer, and 21.9. "RM Security Advisory: Xcache Path Disclosure Vulnerability", both of which describe exactly the analogue of how Zope handles things.

cheers,
oliver
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Shane Hathaway wrote:
[...]
> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?

I think it's fine, but only if specified on the z2.py cmdline or other configuration equivalent (--paranoid or PARANOID=yes, please! come to mind :-). But I guess that goes without saying.

Alternatively (or concurrently) we could reformat the traceback to report file names relative to the Zope installation directory (or to INSTANCE_HOME) instead of reporting the absolute filename. In this case the only leaked information is of the kind an attacker could easily obtain from downloading the Zope source code, which, last time I looked, was available for all those damned script kiddies to download. Damn these open-source projects who keep posting their source code allowing Hackers(TM) to look at its vulnerabilities :-)

Cheers,
Leo
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
> Oliver Bleutgen wrote:
> > From a non-technical, PR-wise point of view let me add that this type of vulnerability easily gets zope mentioned on lists like bugtraq. The perception is that these thing really are vulnerabilities.
>
> You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.
>
> It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.
>
> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?

Yes, the error log approach is far preferable. But, it would be nice if the browser got a message something like:

An error has occurred: (stuff above traceback information is printed). Refer your administrator to the error log key and then prepend each line of the error log for this item with . Then a simple grep would be enough to find the particular error in question.

[And it might be really nice if errors were emailed to an administrator, as well as logged. If this is done, it would probably be desirable to have some sort of per folder property in which the proper contact(s) could be listed.]

Jim Penny

> Shane
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Shane Hathaway wrote:
> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?

Well, how about just changing the brain-dead way standard_error_message works? The traceback should _not_ be _appended_ to the error message. If an app developer chooses to show it, then fine, they can as they do already (mine sends me an error email ;-), but why should it be appended in all circumstances (even if it is in HTML quoting on production servers?!)

Oh yeah, Authentication exceptions shouldn't return a hard-coded error message either... bah humbug ;-)

Chris
Re: [Zope-dev] Vulnerability in Zope
seb bacon wrote:
> * Andy McKay [EMAIL PROTECTED] [010924 01:11]:
> > Haven't we been complaining about this automatic appending of tracebacks for a while? To me this is what log files are for, but I'm not sure what this guy is on. I wouldn't count this as a security vulnerability.
>
> It's not an exploitable vulnerability (which is the only sort of vulnerability in my book ;) but it's as ugly as a warthog, and it would be nice to arrange things more gracefully.

I just had a _really_ bad attack of Deja Vu reading this thread :-S

Chris
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
From: Chris Withers [EMAIL PROTECTED]
> The traceback should _not_ be _appended_ to the error message. If an app developer chooses to show it, then fine they can as they do already (mine sends me an error email ;-), but why should it be appended in all circumstances

Be careful of that -- I recently got *flooded* with error emails from a recent bout of the Code Red worm looking for files that weren't on my server :(
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
marc lindahl wrote:
> Be careful of that -- I recently got *flooded* with error emails from a recent bout of the Code Red worm looking for files that weren't on my server :(

Yup, had that too... I patched BaseRequest.py to not bitch ;-)

Mind you, I surpassed myself with a similar thing with a bit of Notes/Zope integration that resulted in me getting 17,000 emails one sunny morning... At least I know we have a decent mail server ;-)

Chris
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Hi shane,

> Oliver Bleutgen wrote:
> > From a non-technical, PR-wise point of view let me add that this type of vulnerability easily gets zope mentioned on lists like bugtraq. The perception is that these thing really are vulnerabilities.
>
> You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.
>
> It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.

I had put something about that theme at the client-side trojan wiki, but I'll repeat myself since you mentioned it ...

Methinks the creators of the HTTP/1.1 RFC were aware of the dangers we call client-side trojan and wrote the following:

    9.1.1 Safe Methods

    Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.

    In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

    Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

Zope really should not accept GET requests to dangerous manage_* (or other) methods; that would ensure it's at least compliant with the spirit of that RFC. If the user decides to use a browser which allows JavaScript to auto-submit forms and stuff, it's his choice. I have a feeling that other ideas like checking the referer etc. are bound to fail after one or two generations of new browsers. We should have in mind that the same people who will design these browsers already had the bright idea of implementing auto-submitting of hidden forms.

> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?

I fear it would make working with Zope harder for inexperienced users. When working with apache/perl on linux, I always had a "tail -f /var/log/httpd/error.log" running in a terminal, but if you're solely working on Windows without using the power of cygwin or other tools, this might get tedious.

What I would like to see is an error product which can be freely configured to show more or less details depending on its context (i.e. user/role etc.) and able to optionally write to a log file. I know this is a lot of work and has its technical problems, but it's a nice imagination.

cheers,
oliver
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
On Monday 24 September 2001 10:59 am, Shane Hathaway allegedly wrote:
[snip]
> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?
>
> Shane

My suggestion would be to hide it for all users except Managers by default. So that you aren't hosed if you don't have access to the server log files...

/---\
Casey Duncan, Sr. Web Developer
National Legal Aid and Defender Association
[EMAIL PROTECTED]
\---/
RE: [Zope-dev] Vulnerability: attacking can get file list and directory
On a high-traffic site, wouldn't the log get really big, really quickly with tracebacks? It is also nice to have the tracebacks in the browser window for debugging...

Why not just enable tracebacks to clients from trusted IP address ranges or domains... Set this up as an option in Z2.py?

Anyway, that's my 3-mile high take on it...

Sean

-----Original Message-----
From: Shane Hathaway [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 7:59 AM
To: Oliver Bleutgen
Cc: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and directory

> Oliver Bleutgen wrote:
> > From a non-technical, PR-wise point of view let me add that this type of vulnerability easily gets zope mentioned on lists like bugtraq. The perception is that these thing really are vulnerabilities.
>
> You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.
>
> It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.
>
> PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?
>
> Shane
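The proposals scattered through this thread, put together as one added example (not Zope code and not anything a poster submitted): Leo's idea of reporting file names relative to the install directory, Jim's error-log key prefixed onto every logged line so one grep finds the traceback, Casey's default of showing tracebacks only to Managers, Sean's trusted address ranges, and a guard against the error-mail flood marc and Chris describe. The install paths, the trusted networks, the per-hour mail cap and the sample traceback are all assumptions of the example; the traceback is constructed here in the "innermost last" style Zope printed at the time.

```python
import html
import ipaddress
import secrets

# Assumed values; the paths and networks are not from the thread.
SOFTWARE_HOME = "/usr/local/zope/lib/python"
INSTANCE_HOME = "/var/zope/instance"
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample traceback; not taken from any real server.
SAMPLE_TRACEBACK = (
    "Traceback (innermost last):\n"
    "  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 150, in publish\n"
    "  File /var/zope/instance/Products/MyProduct/Thing.py, line 42, in render\n"
    "KeyError: 'customer_id'\n"
)


def relativize_paths(text, roots=(SOFTWARE_HOME, INSTANCE_HOME)):
    """Drop the installation prefixes (Leo's idea): what remains is a path
    anyone holding the Zope source already knows."""
    for root in roots:
        text = text.replace(root.rstrip("/") + "/", "")
    return text


def may_see_traceback(roles, client_ip, trusted=TRUSTED_NETS):
    """Managers (Casey's default) and trusted address ranges (Sean's option)
    see the traceback; everyone else gets only a log key."""
    if "Manager" in roles:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:          # unparsable or forged header value: untrusted
        return False
    return any(addr in net for net in trusted)


class ErrorLog:
    """Append-only log in which every line of one traceback carries the same
    key, so `grep <key> error.log` recovers the whole thing (Jim's format)."""
    def __init__(self):
        self.lines = []

    def record(self, tb_text):
        key = secrets.token_hex(6)
        for line in tb_text.rstrip("\n").split("\n"):
            self.lines.append(key + " " + line)
        return key


def should_email(exception_name, sent_this_hour, limit=20):
    """Guard for the 'mail me on every error' habit: a worm scanning for files
    that do not exist (the Code Red flood) raises NotFound, which is not worth
    a mail, and everything else is capped per hour (limit is an assumption)."""
    if exception_name == "NotFound":
        return False
    return sent_this_hour < limit


def render_error(tb_text, roles, client_ip, log):
    """Return (html_body, key).  The traceback is logged in full, shown only to
    privileged callers, and is never tucked into an HTML comment."""
    key = log.record(tb_text)
    if may_see_traceback(roles, client_ip):
        shown = html.escape(relativize_paths(tb_text))
        body = ("<h1>An error has occurred</h1><p>Error log key: %s</p>"
                "<pre>%s</pre>" % (key, shown))
    else:
        body = ("<h1>An error has occurred</h1>"
                "<p>Refer your administrator to error log key %s.</p>" % key)
    return body, key
```

The log keeps the absolute paths, since the administrator reading it needs them; only the copy that goes to a browser is relativized. The client address is whatever the front end reports, so if a proxy sits in front of Zope the trusted-range check must use the proxy's own address or a header the proxy is known to overwrite.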
[Zope-dev] Custom Login
Hello,

Recently, I had to replace ZPublisher's default authentication scheme, as part of a product I'm working on. I am aware of the existence of LoginManager, exUserFolder, etc., but in this case I needed to have a custom login screen at root level, i.e. completely get rid of the basic HTTP authentication and browser popup window. So I replaced some of the HTTPRequest and HTTPResponse methods in order to present the user an HTML form whenever an 'Unauthorized' exception is raised.

While I'm sure such an issue has arisen hundreds of times, somehow I was unable to find a product or a How-To that specifically addresses it, which means either I don't know how to browse the Web, or nobody has bothered to document their knowledge in the area. So I went ahead and created a simple Zope product that, upon installing, makes the necessary changes in HTTPRequest and HTTPResponse (HotFix style), so that cookie-based, HTML form login replaces the default one. For the curious, the product can be found at http://www.prism.gatech.edu/~gte085h/zope/CustomLogin/

In regards to this product, I've been pondering some questions that I'd like to be answered by knowledgeable people, if possible:

1. Is there a product that makes the changes I described, and where can I find it?

2. Does anyone think it's a good idea to provide some kind of a standardized API for replacing ZPublisher's authentication?

3. If a user attempts to access a resource, and is denied access, my modified HTTPResponse simply redirects to the login form, without bothering to record the URL the user originally tried to access (which can be a bad or a good thing, I suppose). Is there any way for an HTTPResponse instance to find out the URL of its HTTPRequest?

4. Not entirely related to this topic, but I noticed that the ChannelPipe class, used for communication between ZServer and ZPublisher, serves only one object instance at a time. What would be some practical difficulties in changing this class to serve multiple HTTPResponse instances?

Finally, after noticing the ongoing discussion about the error HTML contents produced by ZPublisher upon an exception, I'd like to point out that it's extremely trivial to replace HTTPResponse._error_html and provide either custom behavior (e.g. sending email to the administrator), or custom HTML code, whether loaded from a file or hardcoded. Is anyone interested in me writing a How-To on this topic? The product I described above already does that, so it would be rather easy for me to put together some documentation, provided that nobody has bothered to write any. Let me know...

Sincerely,
Ivan Raikov
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
[EMAIL PROTECTED] wrote:
> On a high-traffic site, wouldn't the log get really big, really quickly with tracebacks? It is also nice to have the tracebacks in the browser window for debugging...

But the log won't grow more than Z2.log. Yes, it is nice to have the tracebacks in the browser window, but IMHO it is *not* helpful to have tracebacks hidden in HTML comments.

> Why not just enable tracebacks to clients from trusted IP address ranges or domains... Set this up as an option in Z2.py?

Sounds useful. We need a fishbowl proposal.

> Anyway, that's my 3-mile high take on it...

Thanks!

Shane
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Why not use logrotate, similarly to how you handle the Apache logs? Or set a cron job to clear the logs, if you don't like logrotate...

[EMAIL PROTECTED] writes:
> On a high-traffic site, wouldn't the log get really big, really quickly with tracebacks? It is also nice to have the tracebacks in the browser window for debugging...
Re: [Zope-dev] Custom Login
Ivan Raikov wrote:
> Recently, I had to replace ZPublisher's default authentication scheme, as part of a product I'm working on. I am aware of the existence of LoginManager, exUserFolder, etc., but in this case I needed to have a custom login screen at root level, i.e. completely get rid of the basic HTTP authentication and browser popup window. So I replaced some of the HTTPRequest and HTTPResponse methods in order to present the user an HTML form whenever an 'Unauthorized' exception is raised.
>
> While I'm sure such an issue has arisen hundreds of times, somehow I was unable to find a product or a How-To that specifically addresses it, which means either I don't know how to browse the Web, or nobody has bothered to document their knowledge in the area.

Try either CookieCrumbler or CMF (which includes the cookie crumbler). You probably weren't able to find it simply because of the large number of products out there with overlapping capabilities and varying degrees of completeness.

http://www.zope.org/Members/hathawsh/CookieCrumbler

Shane
RE: [Zope-dev] Vulnerability: attacking can get file list and directory
Personally, I think this really should be an integration issue instead of a Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to prevent this...

Sean

-----Original Message-----
From: Oliver Bleutgen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 9:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] Vulnerability: attacking can get file list and directory

> Hi shane,
>
> > Oliver Bleutgen wrote:
> > > From a non-technical, PR-wise point of view let me add that this type of vulnerability easily gets zope mentioned on lists like bugtraq. The perception is that these thing really are vulnerabilities.
> >
> > You're right, a quick search on google for "path disclosure vulnerability" yields a lot of hits for lots of applications.
> >
> > It troubles me that people consider PDV to be important at all when the client-side trojan bug is still fully exploitable on all browsers including IE and Mozilla! (AFAIK) Client-side trojans, which can cause your browser to invisibly post a comment on a weblog, execute a financial transaction, or break into servers you maintain, are a major risk.
>
> I had put something about that theme at the client-side trojan wiki, but I'll repeat myself since you mentioned it ...
>
> Methinks the creators of the HTTP/1.1 RFC were aware of the dangers we call client-side trojan and wrote the following:
>
>     9.1.1 Safe Methods
>
>     Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.
>
>     In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
>
>     Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.
>
> Zope really should not accept GET requests to dangerous manage_* (or other) methods; that would ensure it's at least compliant with the spirit of that RFC. If the user decides to use a browser which allows JavaScript to auto-submit forms and stuff, it's his choice. I have a feeling that other ideas like checking the referer etc. are bound to fail after one or two generations of new browsers. We should have in mind that the same people who will design these browsers already had the bright idea of implementing auto-submitting of hidden forms.
>
> > PDV just yields information you might give out anyway. But maybe we could deal with it anyway by writing an error.log instead of sending the traceback to the browser. What do you think?
>
> I fear it would make working with Zope harder for inexperienced users. When working with apache/perl on linux, I always had a "tail -f /var/log/httpd/error.log" running in a terminal, but if you're solely working on Windows without using the power of cygwin or other tools, this might get tedious.
>
> What I would like to see is an error product which can be freely configured to show more or less details depending on its context (i.e. user/role etc.) and able to optionally write to a log file. I know this is a lot of work and has its technical problems, but it's a nice imagination.
>
> cheers,
> oliver
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
[EMAIL PROTECTED] wrote:
> Personally, I think this really should be an integration issue instead of a Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to prevent this...

This hasn't been fixed because it's not well understood. Javascript can POST an invisible form, AFAIK. The problem occurs on the browsers of users who are *already authenticated*. It has nothing to do with Zope or any server software, really.

Let's say I wanted to boost a stock price using a client-side trojan. I could post a page that gives the details about some fictitious seminar that helps people do better in the stock market. I could advertise my page on a stock trading site. I could add a frame of height 0 to this page. The frame would invisibly make a request to the stock trading site that would buy a certain stock. If I use an anonymizer, I might be able to make a few bucks. It would work because the unknowing visitor would be logged in with a cookie. The script acts as an agent for the user. The problem is that there is no way for the stock trading site to tell the difference between the user and the agent.

I don't know of any actual exploits, but I think it's a much more serious issue than revealing paths. :-)

Shane
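The two halves of this exchange, Oliver's rule that manage_* must not be reachable by GET or HEAD and Shane's point that JavaScript can POST an invisible form anyway, put together as an added example (not Zope code, not something either poster wrote). The guard refuses management methods on safe verbs and, for unsafe verbs, requires a per-session secret carried in the form body: the browser sends the cookie automatically, but a page on another site cannot read the secret to include it, which is what separates the user from the agent acting in his name. This token technique is the standard answer and is not one the thread proposes; the field name `_authenticator`, the `Session` class and the sample requests are assumptions of the example.

```python
import hmac
import secrets

MANAGEMENT_PREFIX = "manage_"     # Zope's naming convention for management methods
TOKEN_FIELD = "_authenticator"    # hidden form field name; an assumption of this example


class Session:
    """One logged-in browser.  The token is assumed to be rendered into every
    management form as a hidden field; unlike the session cookie, the browser
    never attaches it to a request on its own."""
    def __init__(self):
        self.form_token = secrets.token_urlsafe(32)


def is_safe_method(verb):
    """RFC 2616 9.1.1: GET and HEAD must not take an action."""
    return verb in ("GET", "HEAD")


def authorize_call(verb, method_name, session, form):
    """Decide whether a request may invoke `method_name`.  Returns (allowed, reason).

    1. Methods outside manage_* are always callable.
    2. manage_* is refused on safe verbs (Oliver's rule); this alone stops a
       hidden frame that merely loads a URL, as in Shane's stock example.
    3. On unsafe verbs the form must carry the session's token.  Another site
       can make the browser POST, but cannot read the token to include it, so
       this is what stops the JavaScript-submitted invisible form.  No referer
       check is involved, so browser changes to that header do not matter.
    """
    if not method_name.startswith(MANAGEMENT_PREFIX):
        return True, "not a management method"
    if is_safe_method(verb):
        return False, "%s may not invoke %s" % (verb, method_name)
    supplied = form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(supplied.encode("utf-8"),
                               session.form_token.encode("utf-8")):
        return False, "missing or wrong form token"
    return True, "ok"


def trojan_attempts(session):
    """Constructed requests an attacker's page could make the victim's browser
    send: the cookie rides along automatically, the token cannot."""
    return [
        authorize_call("GET", "manage_delObjects", session, {"ids": "index_html"}),
        authorize_call("POST", "manage_delObjects", session, {"ids": "index_html"}),
        authorize_call("POST", "manage_delObjects", session,
                       {"ids": "index_html", TOKEN_FIELD: "guess"}),
    ]
```

The cost of rule 2 is that any legitimate management link that currently fires a manage_* method through a plain GET has to become a form submission; that is the same change the RFC's "safe methods" convention asks for.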
[Zope-dev] ZCatalog problem: sort_on bug
I'm getting a strange problem with ZCatalog, using python 2.1, Zope from CVS.

I get all the results I expect with this:

<ul>
<dtml-in "Catalog(process_step=['start','mailed'])">
<li>&dtml-subject_name; -- &dtml-relationship_name; - &dtml-rater_name;
</dtml-in>
</ul>

But, I only get one subject_name's worth of results with this:

<ul>
<dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')">
<li>&dtml-subject_name; -- &dtml-relationship_name; - &dtml-rater_name;
</dtml-in>
</ul>

This smells like a BTrees bug to me, but I'm not sure. I'm looking into this closely now, but if anyone's seen this before, please speak up!

--
Steve Alexander
Software Engineer
Cat-Box limited
Re: [Zope-dev] ZCatalog problem: sort_on bug
Steve Alexander wrote:
> I'm getting a strange problem with ZCatalog, using python 2.1, Zope from CVS.
>
> I get all the results I expect with this:
>
> <ul>
> <dtml-in "Catalog(process_step=['start','mailed'])">
> <li>&dtml-subject_name; -- &dtml-relationship_name; - &dtml-rater_name;
> </dtml-in>
> </ul>
>
> But, I only get one subject_name's worth of results with this:
>
> <ul>
> <dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')">
> <li>&dtml-subject_name; -- &dtml-relationship_name; - &dtml-rater_name;
> </dtml-in>
> </ul>
>
> This smells like a BTrees bug to me, but I'm not sure. I'm looking into this closely now, but if anyone's seen this before, please speak up!

More data:

This gives partial results:

<dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')">

This gives full results:

<dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')[:]">

This gives full results:

<dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')" sort=subject_name>

--
Steve Alexander
Software Engineer
Cat-Box limited
Re: [Zope-dev] ZCatalog problem: sort_on bug
Steve Alexander wrote:
> This gives partial results:
>
> <dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')">

...because this returns a LazyCat instance, for which len() is broken.

> This gives full results:
>
> <dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')[:]">

...because this is a list.

> This gives full results:
>
> <dtml-in "Catalog(process_step=['start','mailed'], sort_on='subject_name')" sort=subject_name>

...because this is a LazyMap instance, for which len() works.

Patch coming up soon...

--
Steve Alexander
Software Engineer
Cat-Box limited
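The mechanism Steve describes, reproduced as an added example with a minimal stand-in class (this is not ZCatalog's LazyCat and not his code): a lazy concatenation that reports whatever length it was constructed with, iterated the way dtml-in iterates, so a length equal to the number of sort buckets instead of the number of records silently drops rows. The bucket data is constructed; the bug and fix variants mirror what his messages and patch describe.

```python
class LazyCat:
    """Minimal stand-in for a lazy concatenation (an added example, not
    Zope's class): walks several sequences as if they were one, but reports
    the length it was handed at construction time."""

    def __init__(self, sequences, length):
        self._sequences = sequences
        self._length = length

    def __len__(self):
        return self._length

    def __getitem__(self, index):
        if index < 0:
            raise IndexError(index)
        for seq in self._sequences:
            if index < len(seq):
                return seq[index]
            index -= len(seq)
        raise IndexError(index)


def sorted_buckets():
    """Constructed shape of a sort_on='subject_name' result: one
    (sort key, records) pair per distinct key."""
    return [("alice", ["a1", "a2"]),
            ("bob", ["b1"]),
            ("carol", ["c1", "c2", "c3"])]


def concat_with_bucket_count(buckets):
    """The behaviour Steve reports: the length passed in is the number of
    buckets, not the number of records."""
    return LazyCat([records for _, records in buckets], len(buckets))


def concat_with_record_count(buckets):
    """Length summed from the buckets' own sizes, which is what the patch he
    posted does."""
    sequences = [records for _, records in buckets]
    return LazyCat(sequences, sum(len(s) for s in sequences))


def render_like_dtml_in(seq):
    """dtml-in reads len() and then indexes 0..len-1, so a short len()
    truncates the output without any error."""
    return [seq[i] for i in range(len(seq))]
```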
Re: [Zope-dev] ZCatalog problem: PATCH
Steve Alexander wrote:
> Patch coming up soon...

Patch against Catalog.py, from CVS:

*** lib/python/Products/ZCatalog/Catalog.py.original --- lib/python/Products/ZCatalog/Catalog.py.patched *** *** 673,679 if (type(so) is type('') and lower(so) in ('reverse', 'descending')): r.reverse() ! r=LazyCat(map(lambda i: i[1], r), len(r)) return r --- 673,681 if (type(so) is type('') and lower(so) in ('reverse', 'descending')): r.reverse() ! r=map(lambda i: i[1], r) ! r=LazyCat(r, reduce(lambda x,y: x+len(y), r, 0)) ! return r

I'd use a list comprehension instead of a map(lambda...) if I thought it would get past Jim ;-)

--
Steve Alexander
Software Engineer
Cat-Box limited
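Review bot: the new length expression `reduce(lambda x,y: x+len(y), r, 0)` depends on `len()` of each `i[1]` bucket, and the diagnosis earlier in this thread is that `len()` is exactly what is unreliable on LazyCat instances; if a bucket can itself be a LazyCat the sum inherits the same wrong count one level down, so confirm the bucket type, or derive the length from the underlying lists, before relying on it. Also, `! return r` on the patched side is textually identical to the `return r` context line on the original side, so that line is a whitespace-only change and can be dropped to keep the hunk minimal.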
[Zope-dev] removal of User Folders
Is there some function that is called when a User Folder is removed? If so, what is it?

If not, is there a recommended way to delete users, any information stored about the User Folder's configuration, etc.?

Thanks.

Jim Penny
[Zope-dev] RE: Barriers to Zope popularity: Part 2: source control
-Original Message-
From: Kenichi Sato
Sent: Monday, 24 September 2001 5:49 PM
To: djay
Subject: Barriers to Zope popularity: Part 2: source control

> Dear Mr. Jay, Dylan,
>
> I am Ken Sato, a manager of software development projects. I'm now taking a look at Zope as a tool to publish project related information internally. Zope looks nice but I found it has two potential problems.
>
> 1. WYSIWYG editing
> 2. Source control (by ClearCase)
>
> Then, I found that you pointed out exactly the same things in the zope-dev mailing list. (http://lists.zope.org/pipermail/zope-dev/1999-September/001602.html) Because the post was two years ago, I wonder if you have already solved the above problems. It would be very helpful for me if you could give me some information on this issue, please.

Hope you don't mind me CC'ing this to zope-dev. I still see both these issues as important and still see the lack of progress towards Zope working well in traditional development environments as a real outage. Plus others may have different opinions about the current state of affairs.

1. I have not used Zope Page Templates but these are supposed to solve the WYSIWYG problem. They are an alternative to DTML Documents. They allow for much better separation of code and presentation. Get your graphics people to use WebDAV to edit the HTML with whatever editor they want, and the coding people augment the HTML rather than rip it apart. http://www.zope.org/Documentation/Articles/ZPT1

Personally I like DTML, and back then I did suggest a way DTML could be used in a similar way to Page Templates (basically have a view mode of a DTML document that incorporates the rendered content as well as the DTML code, such that when the page is edited and saved back, it will save all the changed parts back to where they came from, i.e. the different DTML Methods that made up the page), but like most of my ideas I didn't have the ability or time to implement it.

2. Hasn't really been solved.

There are sort of attempts that work now with CVS (I haven't tried it): http://www.zope.org/Members/sspickle/ZCVSMixin

There are also proposals that would solve this problem better, but no implementation on the way that I can see. The problem is really one of synchronization. You want two different representations that are both kept up to date: one for Zope to use, one for all the reasons we have things under source control. You may or may not want control of when the synchronization occurs. Here are some related proposals:

http://www.zope.org//Wikis/DevSite/Proposals/SynchronizationMechanismZCVSMixin
http://www.zope.org/Wikis/DevSite/Proposals/SynchronizationTab
http://www.zope.org/Wikis/DevSite/Proposals/RepresentingObjectsOnTheFilesystem

I also see a lot of parallels with the work going on with ZODB replication. If you had replication between a normal ZODB and some filesystem source control ZODB then you would have the source control synchronization problem solved, maybe? http://dev.zope.org/Wikis/DevSite/Projects/ZEOReplicatedStorage/FrontPage
[Zope-dev] apache ProxyPass and REMOTE_ADDR -- any further discussion or consensus?
Hello.

I have put together a patch (see below) which adds the necessary support for performing user authentication based on domain (and logging) if your zope server is hiding behind apache+mod_proxy+mod_proxy_add_forward.

I noticed a posting to zope-dev early this year regarding apache ProxyPass and SiteAccess: http://aspn.activestate.com/ASPN/Mail/Message/zope-Dev/479449

Has there been any further discussion or consensus on this issue?

regards,
- joe n.

*** Zope-2.4.1-src/ZServer/HTTPServer.pyWed Aug 8 22:04:32 2001 --- zope-2.4.1/ZServer/HTTPServer.pyTue Sep 25 12:01:55 2001 *** *** 294,299 --- 294,315 if value and not env_has(key): env[key]=value env.update(self.env_override) + + # set REMOTE_ADDR_X and REMOTE_HOST_X + if env_has('HTTP_X_FORWARDED_FOR'): + # only fetch last addr -- appended by mod_proxy_add_forward + remote_addr_x = strip(split(env['HTTP_X_FORWARDED_FOR'], ,)[-1]) + if remote_addr_x != '': + env['REMOTE_ADDR_X']=remote_addr_x + # If we're using a resolving logger, try to get the + # remote host from the resolver's cache. + if hasattr(server.logger, 'resolver'): + dns_cache=server.logger.resolver.cache + if dns_cache.has_key(env['REMOTE_ADDR_X']): + remote_host_x=dns_cache[env['REMOTE_ADDR_X']][2] + if remote_host_x is not None: + env['REMOTE_HOST_X']=remote_host_x + return env def continue_request(self, sin, request): *** Zope-2.4.1-src/ZServer/medusa/http_server.pyTue Jul 3 04:45:22 2001 --- zope-2.4.1/ZServer/medusa/http_server.pyTue Sep 25 12:29:08 2001 *** *** 284,291 else: name = t[0] self.channel.server.logger.log ( ! 
self.channel.addr[0], ' - %s [%s] %s %d %d %s %s\n' % ( name, self.log_date_string (time.time()), --- 284,295 else: name = t[0] + channel_addr=self.get_header('X-Forwarded-For') + if channel_addr: channel_addr = string.strip(string.split(channel_addr, +,)[-1]) + if not channel_addr: channel_addr = self.channel.addr[0] + self.channel.server.logger.log ( ! channel_addr, ' - %s [%s] %s %d %d %s %s\n' % ( name, self.log_date_string (time.time()), *** Zope-2.4.1-src/lib/python/AccessControl/User.py Sat Aug 4 22:49:26 2001 --- zope-2.4.1/lib/python/AccessControl/User.py Tue Sep 25 12:00:54 2001 *** *** 1039,1048 if len(spec) == 1 and spec[0] == '*': return 1 ! if request.has_key('REMOTE_HOST'): host=request['REMOTE_HOST'] ! if request.has_key('REMOTE_ADDR'): addr=request['REMOTE_ADDR'] if not host and not addr: --- 1039,1052 if len(spec) == 1 and spec[0] == '*': return 1 ! if request.has_key('REMOTE_HOST_X'): ! host=request['REMOTE_HOST_X'] ! elif request.has_key('REMOTE_HOST'): host=request['REMOTE_HOST'] ! if request.has_key('REMOTE_ADDR_X'): ! addr=request['REMOTE_ADDR_X'] ! elif request.has_key('REMOTE_ADDR'): addr=request['REMOTE_ADDR'] if not host and not addr: ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
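Review bot: the new REMOTE_ADDR_X block in the HTTPServer.py hunk honours X-Forwarded-For whenever the header is present, without checking that the connection actually came from the Apache proxy. A ProxyPass setup implies ZServer is still listening on an HTTP port of its own; unless that port is firewalled or bound to the loopback interface, a client that reaches it directly can send its own `X-Forwarded-For: 10.0.0.5`, which becomes REMOTE_ADDR_X and then drives the domain-based authentication decision in User.py. Taking the last entry is correct only when mod_proxy_add_forward appended it, so honour the header only when `env['REMOTE_ADDR']` is one of a configured set of proxy addresses and leave REMOTE_ADDR_X unset otherwise. Also, the comment `# only fetch last addr -- appended by mod_proxy_add_forward` would be clearer if it said that earlier entries are client-supplied and untrusted, since that is the reason for picking the last one.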
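Review bot: the http_server.py logging hunk has the same trust problem: `channel_addr` is taken from `self.get_header('X-Forwarded-For')` unconditionally, so a client connecting directly to ZServer can write any address it likes into the access log, which defeats the logging purpose the message states and poisons anything built on the log such as an IP-based block list. The fallback `if not channel_addr: channel_addr = self.channel.addr[0]` correctly covers the missing or empty header, but the last-entry selection is now duplicated between HTTPServer.py and http_server.py; a single helper that both call, with the proxy-address check inside it, would keep the trust decision in one place.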
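Review bot: in the User.py hunk, `host` and `addr` can now describe two different machines. REMOTE_HOST_X is only set when the resolver cache already holds the forwarded address (see the `dns_cache.has_key(env['REMOTE_ADDR_X'])` test in the first hunk), so on a cache miss `host` falls back to REMOTE_HOST, which in a proxied deployment names the proxy, while `addr` is the forwarded client address from REMOTE_ADDR_X. A domain spec written as a hostname suffix is then evaluated against the proxy's name for every client. When REMOTE_ADDR_X is present, take `host` from REMOTE_HOST_X only and leave it empty otherwise, rather than falling back to REMOTE_HOST, so that the existing empty-host handling below operates on the client's address rather than the proxy's.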
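The address-selection rule the message above describes (use the last X-Forwarded-For entry, the one mod_proxy_add_forward appended, for domain-based authentication) is shown below next to a version that only trusts the header when the TCP peer is a known proxy. This is an added example, not part of the original post and not Zope's or Apache's code: the proxy address in TRUSTED_PROXIES, the two constructed requests and the simplified ip_spec_match (an octet-by-octet stand-in for the IP-pattern part of a Zope domain spec such as 10.0.0.*; hostname specs are left out) are all assumptions made for the illustration.

```python
# Added example, not part of the original post and not Zope's own code. It shows
# the address-selection rule the patch implements (last entry of X-Forwarded-For,
# the one mod_proxy_add_forward appends) next to a version that only trusts the
# header when the TCP peer is a known proxy, plus a simplified stand-in for the
# IP-pattern part of a Zope domain spec so the effect on authentication is visible.
# TRUSTED_PROXIES, the example addresses and ip_spec_match are all assumptions.

TRUSTED_PROXIES = {"192.0.2.10"}   # assumed address of the Apache+mod_proxy host


def forwarded_addr_unchecked(env):
    """Mirror of the patch: last X-Forwarded-For entry if present, otherwise the
    TCP peer. Nothing verifies that a proxy actually added the header."""
    last = env.get("HTTP_X_FORWARDED_FOR", "").split(",")[-1].strip()
    return last or env.get("REMOTE_ADDR", "")


def client_addr(env, trusted_proxies=TRUSTED_PROXIES):
    """Hardened variant: honour X-Forwarded-For only when the connection came
    from a trusted proxy, and skip any further trusted proxies in the chain."""
    peer = env.get("REMOTE_ADDR", "")
    if peer not in trusted_proxies:
        return peer      # direct connection to ZServer: header is attacker-controlled
    hops = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    hops = [h for h in hops if h]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop   # rightmost untrusted hop = the client our proxy saw
    return peer          # header missing or only proxies listed


def ip_spec_match(spec, addr):
    """Simplified IP-pattern match in the style of a Zope domain spec such as
    '10.0.0.*': octet by octet, '*' matches anything. Hostname specs omitted."""
    want, have = spec.split("."), addr.split(".")
    if len(want) != len(have):
        return False
    return all(w == "*" or w == h for w, h in zip(want, have))


def allowed(spec, env, select=client_addr):
    """Would a user whose domain is restricted to `spec` be accepted?"""
    return ip_spec_match(spec, select(env))


# Constructed requests. VIA_PROXY arrived through Apache: the client tried to
# spoof 10.0.0.5, but mod_proxy_add_forward appended its real address last.
VIA_PROXY = {"REMOTE_ADDR": "192.0.2.10",
             "HTTP_X_FORWARDED_FOR": "10.0.0.5, 203.0.113.7"}
# DIRECT hit ZServer's own port with a forged header and no proxy in between.
DIRECT = {"REMOTE_ADDR": "198.51.100.99",
          "HTTP_X_FORWARDED_FOR": "10.0.0.5"}

if __name__ == "__main__":
    for name, env in (("via proxy", VIA_PROXY), ("direct", DIRECT)):
        print(name, "patch:", forwarded_addr_unchecked(env),
              "hardened:", client_addr(env))
    # A user limited to the internal 10.0.0.* domain:
    print("direct request passes patch logic:",
          allowed("10.0.0.*", DIRECT, forwarded_addr_unchecked))
    print("direct request passes hardened logic:", allowed("10.0.0.*", DIRECT))
```

Both versions agree on the proxied request, because the last entry really is the address Apache appended. They differ on the direct request: the patch's rule accepts the forged 10.0.0.5 and a user restricted to 10.0.0.* is let in from 198.51.100.99, while the hardened rule ignores the header and reports the real peer. Binding ZServer to the loopback interface removes the direct path as well, but the check in code costs nothing and survives a later change of listen address.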
[Zope-dev] Zope on Windows: enhancements proposed
We've got a wonderful Zope control panel (which installs into the standard Windows Control Panel) and Zope service which we'll be making available in binary and source form this week. Like the Mac OS X controller, this is simply a trivial re-branding extension of our work in supporting the usability of our Bizar Shop product.

The Windows controller works on win95/win98/NT/win2k. It controls a real Windows service on platforms where services are run (NT/win2k), and otherwise controls a service daemon which stays in the system tray. We'll call this service "Zope", and its job is to launch "python [script] [args]" with some Zope-specific environment fiddling (INSTANCE_HOME env, cd ${SOFTWARE_HOME}, STUPID_LOG_FILE env).

The current method of starting Zope as a Windows service using PythonService.exe is kludgy, mostly because of the unnecessary layer of Python. The Zope binary distribution's use of PythonService.exe does the same thing that our Zope service does (in the end), which is to launch "python z2.py [args]".

We'd like to propose that the service distributed with Zope move over to using our code. Our control panel will be able to control Zope (WebSite), but we probably won't offer the ability to configure it (editing the z2[s].py file in-place is possible - we do that now - but it's rather hackish).

So, best scenario is that Zope ships with the controller and our service. Worst scenario is that the controller is downloaded separately and can only stop/start PythonService. In the second case, we'd still ship our service and install it - meaning that there'd be two Zope services in the service manager, but at least the controller, which appears in the control panel, would still be able to fully control Zope.

As a separate issue - we're curious about the naming of the Zope installation - why is it called "WebSite" (and the Zope service "Zope (WebSite)")? The name clashes with another product that's fairly well-known in the Windows community, originally from O'Reilly: http://www.oreilly.com/software/index.html ... and since Zope is a fairly distinctive name ...

Richard

ps. happy to put this up as a project if required.
Re: [Zope-dev] Zope on Windows: enhancements proposed
> We'd like to propose that the service distributed with Zope move over to
> using our code.

Great, I'm really looking forward to an improved Windows installation. But let's get it out there and play with it before anything major happens like shipping Zope with it :)

> As a separate issue - we're curious about the naming of the Zope
> installation - why is it called "WebSite" (and the Zope service "Zope
> (WebSite)")? The name clashes with another product that's fairly well-known
> in the Windows community originally from O'Reilly:
> http://www.oreilly.com/software/index.html ... and since Zope is a fairly
> distinctive name ...

It is annoying but Zope wins there because O'Reilly isn't making WebSite anymore. It's just a name, I find the "Zope (%s)" bit more annoying than anything :)

> ps. happy to put this up as a project if required.

That's probably a good idea. What about other issues such as installing and removing the service easily later, STDERR logging not going to /dev/null, lack of start menu icons and other Windows issues...

Cheers
--
Andy McKay
Re: [Zope-dev] Zope on Windows: enhancements proposed
On Tuesday 25 September 2001 14:23, Andy wrote:
> > We'd like to propose that the service distributed with Zope move over to
> > using our code.
>
> Great, I'm really looking forward to an improved Windows installation. But
> let's get it out there and play with it before anything major happens like
> shipping Zope with it :)

Fer sure :)

> It is annoying but Zope wins there because O'Reilly isn't making WebSite
> anymore.

Yeah, they seem to have sold it to someone else...

> It's just a name, I find the "Zope (%s)" bit more annoying than anything :)

Agreed.

> > ps. happy to put this up as a project if required.
>
> That's probably a good idea. What about other issues such as installing and
> removing the service easily later, STDERR logging not going to /dev/null,
> lack of start menu icons and other Windows issues...

These are all things we've addressed, but it'd be good to note them somewhere. We've tried to make the process of using Zope (and hence our product) as painless to the average Windows user (and Mac user) as possible.

Richard
[Zope-dev] Create directory in LocalFS
Can anyone tell me how to create a subdirectory programmatically under a LocalFS folder?

I have a LocalFS folder called "images". When I add a new promoter to my site, I'd like to automatically add a directory that would hold that promoter's images. If the promoter's ID number is 187, I want to create a subdirectory '187' under images/Companies/100.

Jeff Nielsen / UgoFast
http://www.UgoFast.com
[EMAIL PROTECTED]
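Whatever hook ends up calling it, the directory a LocalFS folder maps to is an ordinary filesystem path, so the creation itself is a plain os call. The part worth getting right is that the promoter ID is application data being spliced into a path: if it can ever contain a separator or "..", the new directory lands outside the images tree. The following is an added example and not the original poster's code nor the LocalFS product's API; the base path layout, the assumption that promoter IDs are short decimal numbers, and the helper names are mine.

```python
# Added example, not the original poster's code and not the LocalFS product's API.
# LocalFS exposes a filesystem directory, so the subdirectory is created with plain
# os calls; the point is that the promoter ID comes from the application and must
# not be able to steer the path outside the images tree. Base path layout and the
# ID format (short decimal number) are assumptions.
import os
import re
import tempfile

ID_RE = re.compile(r"^[0-9]{1,12}$")   # assumed: promoter IDs are short decimal numbers

# Constructed bad inputs: traversal, a nested separator, empty, trailing space, non-decimal.
BAD_IDS = ["../../etc", "187/../..", "", "187 ", "1e3"]


def promoter_dir(base, promoter_id):
    """Create <base>/<promoter_id> (e.g. images/Companies/100/187) and return
    its absolute path. Raises ValueError for an ID that is not a plain number or
    whose resolved path would leave `base`."""
    pid = str(promoter_id)
    if not ID_RE.match(pid):
        raise ValueError("bad promoter id: %r" % (promoter_id,))
    real_base = os.path.realpath(base)
    path = os.path.join(real_base, pid)
    # Defence in depth: even with the regex, refuse anything that resolves
    # elsewhere (a symlink planted at base/<pid>, for instance).
    if os.path.commonpath([real_base, os.path.realpath(path)]) != real_base:
        raise ValueError("path escapes base: %r" % (path,))
    os.makedirs(path, mode=0o750, exist_ok=True)   # idempotent: re-adding is harmless
    return path


def _rejected(base, promoter_id):
    try:
        promoter_dir(base, promoter_id)
    except ValueError:
        return True
    return False


def demo():
    """Exercise the helper in a throwaway tree. Returns (directory exists,
    its basename, the bad IDs that were rejected)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "images", "Companies", "100")
    os.makedirs(base)
    created = promoter_dir(base, 187)
    rejected = [bad for bad in BAD_IDS if _rejected(base, bad)]
    return os.path.isdir(created), os.path.basename(created), rejected


if __name__ == "__main__":
    print(demo())
```

Calling promoter_dir(base, 187) twice is safe because of exist_ok, which matters if the "add promoter" action can be retried. The regex is the real gate; the commonpath comparison is there so that a later relaxation of the ID format (or a symlink dropped into the tree) still cannot produce a directory outside the LocalFS root.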
Re: [Zope-dev] Zope on Windows: enhancements proposed
> These are all things we've addressed, but it'd be good to note them
> somewhere. We've tried to make the process of using Zope (and hence our
> product) as painless to the average Windows user (and Mac user) as possible.

Oooh, I'm a happy camper.

--
Andy