Re: [Zope-dev] version status

2003-06-16 Thread Jamie Heilman
Brian Lloyd wrote:
> Have you tested to ensure that the 2.6.2 (CVS) is still open to the 
> DoS? If so, could you give me a quick scenario that I could use to 
> reproduce it?

I haven't tested 2.6.2; I tested CVS HEAD.  Assuming the code change to
both was the validated_hook in Zope/App/startup.py, then 2.6.2 is
vulnerable as well.  The hacky bash script I posted earlier was the
test I used, but you can test it just by going to a host running the
latest code and appending ?Zope-Version=foo to the URL.  If it creates
a new, persistent, zodb connection in the version foo, then you can be
had.  The rule of thumb is: if an anonymous client can force an
application server to store persistent data across transactions, then
the server will be vulnerable to a DoS attack.

Shane Hathaway wrote:
> - Anonymous users can still open a versioned database connection 
>   (although now they can't use it)
> - Merely opening a versioned connection consumes resources
> - Zope does not free those resources as it should

100% correct.  Frankly I'm not entirely convinced anonymous users
should ever be able to open a zodb connection, but I have no
technical evidence to back that up, it's just a hunch.
 
Oliver Bleutgen wrote:
> This is not purely aesthetical reasoning, since cookies can be trusted a 
> bit more than other variables coming from the request. You can't inject 
> them from third party sites, for instance.

Well actually you can inject them from 3rd party sites if the browser
is IE, but that probably doesn't come as a surprise to anyone, IE is
notoriously insecure.
 
Toby Dickenson wrote:
> I've not tested Jim's code, but it looks to me like it *should* stop that 
> attack. Have you tested it?

Yes, you get a 401 now, but by that time the damage has been done.

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
-John Logue

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Request method

2003-06-16 Thread Oliver Bleutgen
Anitha George wrote:
> Hi
>   Could any of you please tell me what is the request method used in 
> Zope to go back to the page from where I have come.
> Please do send a reply soon...
> Thanks Anitha

Anitha, I think questions of this nature are better sent to 
[EMAIL PROTECTED] (zope-dev mostly means development _of_ zope, not with),
I've set a Cc: accordingly.

To answer your question, do you want to know the URI of the page the 
browser came from? That'd be REQUEST.HTTP_REFERER . Note that this is not 
reliable, though, because it depends on the client to send that information.

HTH,
oliver




[Zope-dev] Request method

2003-06-16 Thread Anitha George
Hi
  Could any of you please tell me what is the request method used in Zope 
to go back to the page from where I have come.
Please do send a reply soon...
Thanks Anitha



Re: [Zope-dev] version status

2003-06-16 Thread Oliver Bleutgen
Shane Hathaway wrote:
> Jamie Heilman wrote:
> > What's the status of versions for 2.6.2 and 2.7?  Have there been any
> > decisions reached?  I saw Jim's code get checked in but it won't
> > stop the DoS I posted.
> 
> Say it a little louder.  Here is what I think you're saying:
> 
> - Anonymous users can still open a versioned database connection 
>   (although now they can't use it)
> - Merely opening a versioned connection consumes resources
> - Zope does not free those resources as it should
> 
> Can you confirm that's what you're seeing?  Either we need to make Zope 
> free the resources, or if that's not possible, we need a different 
> strategy.

If I may also add something else, it might be a good idea to limit the 
namespace where zope looks for a variable named "Zope-Version".

Both ZApplication.py and the patch look for this variable in the whole 
REQUEST, (i.e. via request.get(...)). I'd propose to change that to 
REQUEST.cookies.get(...). As it is, it violates the principle of least 
surprise and is also a tad inconsistent, because the patch even assumes 
that the "Zope-Version" variable came via a cookie (it tries to delete 
said cookie).

This is not purely aesthetical reasoning, since cookies can be trusted a 
bit more than other variables coming from the request. You can't inject 
them from third party sites, for instance.

Limiting the lookup only to REQUEST.cookies would also make client side 
trojan attacks a bit harder (not that you can't do much worse things 
with these kinds of attacks).

cheers,
oliver
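
A constructed model, added here and not Zope's own code, of the two points this thread makes: Jamie's rule that an anonymous client must never be able to make the server hold resources across transactions, and Oliver's proposal above to read Zope-Version from REQUEST.cookies instead of the merged REQUEST namespace. Request, VersionedConnections and the two handler functions are stand-ins that assume nothing about Zope's real classes; the requests fed to them are constructed.

```python
# Constructed model of the two points raised in this thread; added here, not
# Zope code (Request and VersionedConnections are stand-ins, not Zope classes).
class Request:
    """Query-string (form) variables and cookies kept apart, as in a real request."""
    def __init__(self, form=None, cookies=None, user=None):
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})
        self.user = user  # None means the client is anonymous

    def get(self, key, default=None):
        # Merged lookup like request.get(...): a query-string value satisfies it too.
        if key in self.form:
            return self.form[key]
        return self.cookies.get(key, default)

class VersionedConnections:
    """Counts open per-version connections, the resource a request burst exhausts."""
    def __init__(self):
        self.open = {}

    def open_version(self, name):
        self.open[name] = self.open.get(name, 0) + 1

def open_then_check(conns, request):
    """Weak ordering: version read from the merged namespace, connection opened
    before the anonymous client is rejected; the 401 comes after the damage."""
    version = request.get("Zope-Version")
    if version:
        conns.open_version(version)
    if version and request.user is None:
        return 401
    return 200

def check_then_open(conns, request):
    """Hardened ordering: version read only from cookies, anonymous clients refused
    before anything is allocated."""
    version = request.cookies.get("Zope-Version")
    if version and request.user is None:
        return 401
    if version:
        conns.open_version(version)
    return 200

def anonymous_burst(handler, n):
    """Per-version connections left open by n anonymous ?Zope-Version=... requests."""
    conns = VersionedConnections()
    for i in range(n):
        handler(conns, Request(form={"Zope-Version": "v%d" % i}))
    return len(conns.open)
```

Running anonymous_burst with each handler shows the difference: the weak ordering leaves one connection per request behind even though every request was answered with 401, while the hardened ordering leaves none.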


Re: [Zope-dev] version status

2003-06-16 Thread Toby Dickenson
On Sunday 15 June 2003 08:11, Jamie Heilman wrote:
> What's the status of versions for 2.6.2 and 2.7?  Have there been any
> decisions reached?  I saw Jim's code get checked in but it won't
> stop the DoS I posted.

I've not tested Jim's code, but it looks to me like it *should* stop that 
attack. Have you tested it?

-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson



Re: [Zope-dev] version status

2003-06-16 Thread Shane Hathaway
Jamie Heilman wrote:
> What's the status of versions for 2.6.2 and 2.7?  Have there been any
> decisions reached?  I saw Jim's code get checked in but it won't
> stop the DoS I posted.

Say it a little louder.  Here is what I think you're saying:

- Anonymous users can still open a versioned database connection 
(although now they can't use it)

- Merely opening a versioned connection consumes resources

- Zope does not free those resources as it should

Can you confirm that's what you're seeing?  Either we need to make Zope 
free the resources, or if that's not possible, we need a different strategy.

Shane



RE: [Zope-dev] Re: [Zope-Coders] Bug day?

2003-06-16 Thread Brian Lloyd
> I assume you meant Tuesday the 17th. 
> 
> It is currently the 16th, but it is not yet Tuesday. However, if 
> it is the 
> management's decision that today shall be Tuesday, then I shall 
> do my duty 
> and respect that decision ;^)
> 
> time-is-relatively y'rs,
> 
> -Casey

Rats - you've foiled my plan. I guess I won't be able to 
get away with scheduling the next one for Wed. the 32nd.

In the interest of the integrity of the space-time continuum, 
we'll leave Tuesday where it is and do it then. ;)

Brian Lloyd          [EMAIL PROTECTED]
V.P. Engineering     540.361.1716
Zope Corporation     http://www.zope.com





[Zope-dev] Re: [Zope-Coders] Bug day?

2003-06-16 Thread Casey Duncan
I assume you meant Tuesday the 17th. 

It is currently the 16th, but it is not yet Tuesday. However, if it is the 
management's decision that today shall be Tuesday, then I shall do my duty 
and respect that decision ;^)

time-is-relatively y'rs,

-Casey

On Wednesday 11 June 2003 10:08 pm, Brian Lloyd wrote:
> Hi all - 
> 
> We had been planning to make a Zope 2.7a1 release on Friday, 
> and another 2.6.2 beta soon as well. Someone noted (rightly!) 
> that it would be ideal if we could have a bugday first.
> 
> So I'll propose next Tuesday the 16th be bug day, and we'll 
> plan to make both releases by the end of next week. 
> 
> Thoughts?
> 
> 
> Brian Lloyd          [EMAIL PROTECTED]
> V.P. Engineering     540.361.1716
> Zope Corporation     http://www.zope.com




Re: [Zope-dev] storing passwords

2003-06-16 Thread Chris Withers
[EMAIL PROTECTED] wrote:
> Or SimpleUserFolder: create a user folder class in a Zope product that
> subclasses both SimpleUserFolder and OFS.Folder.  Then put ZSQL methods and
> a few TTW python scripts in the folder contents of an instance of this class
> to make it work.  I've done something similar to this with relative success.

Hmmm... I prefer to just put the SQL method in the folder containing the SUF, no 
need for subclassing and knowing how to write Zope Products then...

cheers,

Chris



Re: [Zope-dev] storing passwords

2003-06-16 Thread Chris Withers
Markus Bengts wrote:
> I want to use the same usernames and passwords in Zope and some other
> servers. The usernames and password digests are stored in a PostgreSQL
> database, and a given username and password pair can be checked with a
> simple SQL query.

SimpleUserFolder will let you do this with the addition of a single ZSQL query...

cheers,

Chris



Re: [Zope-dev] ZMI tweak

2003-06-16 Thread Toby Dickenson
On Monday 16 June 2003 08:05, Toby Dickenson wrote:
> On Saturday 14 June 2003 16:53, Christian Theune wrote:
> > When catching up with the mail in the mailing list, I remembered a small
> > annoyance I'm having with the ZMI. I really appreciate the errorlog and
> > am using it frequently. But if you don't put it in its own window (or tab)
> > you always need two clicks to reach it. I once put its icon in the
> > upper ZMI bar to move me to the server's central error log.
> >
> > Is this something that others would like too?
>
> I have a number of objects that provide site-global information like the
> error log. I have occasionally considered developing a mechanism to allow
> them to hook into the global gui; either the top bar or Control_Panel.

To throw in an extra idea...  For a long time I have been using a patch that 
puts BASE0 and the title of the root folder in the ZMI top bar. The reasons 
for wanting this should be appreciated by anyone who has ever had two browser 
windows open for two different zope sites, and made a change in the wrong 
one.

The patch is in toby-zmi-title-branch (the branch tag is only on the 
lib/python/App/dtml directory)

-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson



Re: [Zope-dev] ZMI tweak

2003-06-16 Thread Toby Dickenson
On Saturday 14 June 2003 16:53, Christian Theune wrote:
> When catching up with the mail in the mailing list, I remembered a small
> annoyance I'm having with the ZMI. I really appreciate the errorlog and
> am using it frequently. But if you don't put it in its own window (or tab)
> you always need two clicks to reach it. I once put its icon in the
> upper ZMI bar to move me to the server's central error log.
>
> Is this something that others would like too?

I have a number of objects that provide site-global information like the error 
log. I have occasionally considered developing a mechanism to allow them to 
hook into the global gui; either the top bar or Control_Panel.


-- 
Toby Dickenson
http://www.geminidataloggers.com/people/tdickenson
