Re: [Zope-dev] zope-tests - FAILED: 6, OK: 12

2013-09-18 Thread Marius Gedminas
On Wed, Sep 18, 2013 at 01:00:02AM +0200, Zope tests summarizer wrote:
 [1]winbot / ZODB_dev py_265_win64

Non-deterministic test failure:

Failure in test 
c:\buildslave\zodb_dev_py_265_win64\build\src\ZODB\historical_connections.txt

--
File 
c:\buildslave\zodb_dev_py_265_win64\build\src\ZODB\historical_connections.txt,
 line 220, in historical_connections.txt
Failed example:
[c in conns1 for c in conns2]
Expected:
[False, False, True, True]
Got:
[False, False, False, True]

Cleared up all by itself on next build.

 [2]winbot / zope.app.authentication_py_265_32
 [3]winbot / zope.app.http_py_265_32
 [4]winbot / zope.app.publication_py_265_32
 [5]winbot / zope.app.wsgi_py_265_32

WebTest version conflict

 [6]winbot / zope.testbrowser_py_265_32

The fix that was supposed to fix this didn't because
https://github.com/Pylons/webtest/pull/87/files#r6427276

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development


___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] zope-tests - FAILED: 6, OK: 12

2013-09-18 Thread Marius Gedminas
On Wed, Sep 18, 2013 at 11:11:50AM +0300, Marius Gedminas wrote:
 On Wed, Sep 18, 2013 at 01:00:02AM +0200, Zope tests summarizer wrote:
  [6]winbot / zope.testbrowser_py_265_32
 
 The fix that was supposed to fix this didn't because
 https://github.com/Pylons/webtest/pull/87/files#r6427276

We're waiting for https://github.com/Pylons/webtest/pull/88 and WebTest
2.0.9 now.

Marius Gedminas
-- 
http://pov.lt/ -- Zope 3/BlueBream consulting and development




[Zope-dev] (optional) CSRF protection in zope.formlib

2013-09-18 Thread Jan-Wijbrand Kolman

Hi,

I've been working on CSRF protection for zope.formlib.

I have a csrfprotection branch in my zope.formlib fork on github. The 
changes against the current zope.formlib mainline can be found here:


https://github.com/janwijbrand/zope.formlib/compare/csrfprotection

When creating form components based on zope.formlib.form.FormBase, one 
can enable this protection just by setting the attribute ``protected`` 
to True on the component.


This implementation is based on the following assumptions:

* We do not want to keep server-side state(!)

* An attacker that attempts CSRF cannot get to information stored in 
cookies that are meant for the domain of the (forged) request.


* The token stored in the cookie is sufficiently random and long, to be 
practically unguessable by the attacker.


* The form submit is deemed valid as long as the token in the cookie is 
identical to a hidden input value that is part of the form submit.


My questions:

* Do you find this feature useful enough to be, in principle, included 
in zope.formlib?


* I'd like to kindly request someone to review my branch and provide 
feedback.


The included test cases describe a few more questions and concerns about 
this implementation.


Thank you in advance!

kind regards, jw

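The four assumptions above describe a double-submit-cookie scheme. The following is an added illustration of that scheme, not code from the zope.formlib branch; the cookie and field names, and the functions setup_token/check_token (named after the setupToken()/checkToken() mentioned later in this thread), are assumptions made for the example.

```python
import hmac
import html
import secrets

# Names assumed for this illustration; the zope.formlib branch may use others.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"


def new_token(nbytes=32):
    """Fresh random token: 32 bytes from the OS CSPRNG, long and random
    enough to be practically unguessable (assumption 3 in the post)."""
    return secrets.token_urlsafe(nbytes)


def setup_token(request_cookies, response_cookies):
    """Make sure the browser holds a token cookie and return the token the
    form should embed. No server-side state is kept (assumption 1): the
    cookie in the browser is the only copy the server will ever see again."""
    token = request_cookies.get(COOKIE_NAME)
    if not token:
        token = new_token()
        # A real deployment would also mark the cookie Secure and scope its
        # path; omitted here because the post does not specify it.
        response_cookies[COOKIE_NAME] = token
    return token


def hidden_input(token):
    """The hidden input the form template must render (the compromise noted
    later in the thread: custom templates have to include this field)."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        FIELD_NAME, html.escape(token, quote=True))


def check_token(request_cookies, form_data):
    """Assumption 4: the submit is valid only if the cookie token and the
    hidden field token are both present and identical. compare_digest
    keeps the comparison constant-time."""
    cookie_token = request_cookies.get(COOKIE_NAME)
    form_token = form_data.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def simulate():
    """Constructed walk-through of one browser session.

    Returns (legitimate_submit_ok, cross_site_submit_ok)."""
    browser_cookies = {}  # the user's cookie jar for the site (constructed)

    # 1. Browser fetches the form: server sets the cookie and renders the field.
    response_cookies = {}
    token = setup_token(browser_cookies, response_cookies)
    browser_cookies.update(response_cookies)
    rendered_form = hidden_input(token)
    assert FIELD_NAME in rendered_form

    # 2. The same browser submits the form: cookie and hidden field match.
    legitimate = check_token(browser_cookies, {FIELD_NAME: token})

    # 3. A submit forged from another origin: the browser still attaches the
    #    cookie, but the forging page could not read it (assumption 2), so the
    #    hidden field cannot carry the right value and the check rejects it.
    cross_site = check_token(browser_cookies, {FIELD_NAME: "not-the-cookie-value"})

    return legitimate, cross_site


if __name__ == "__main__":
    print(simulate())  # (True, False)
```

Note that check_token compares two values that both arrive from the browser, so the scheme is exactly as strong as assumption 2: it protects against a forged request only as long as nothing else can write a cookie for the form's domain. Any script already running on the same site, or a cookie set from a sibling host that the browser scopes to the parent domain, can satisfy the check without guessing anything, which is why assumption 2 deserves explicit mention in the tests.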


Re: [Zope-dev] (optional) CSRF protection in zope.formlib

2013-09-18 Thread Leonardo Rochael Almeida
Hi Jan-Wij,

+1 for implementing convenient CSRF.

I wonder if you could make your implementation more orthogonal by
implementing a CSRF field/widget, and make your `protected` attribute
simply trigger the inclusion of this field implicitly.

This way you wouldn't need to change the `*pageform.pt` templates like you
do now, and `setupToken()`/`checkToken()` would move to the widget code.

Cheers,

Leo


On Wed, Sep 18, 2013 at 11:41 AM, Jan-Wijbrand Kolman janwijbr...@gmail.com wrote:

 Hi,

 I've been working on CSRF protection for zope.formlib.

 I have a csrfprotection branch in my zope.formlib fork on github. The
 changes against the current zope.formlib mainline can be found here:

 https://github.com/janwijbrand/zope.formlib/compare/csrfprotection

 When creating form components based on zope.formlib.form.FormBase, one can
 enable this protection just by setting the attribute ``protected`` to True
 on the component.

 This implementation is based on the following assumptions:

 * We do not want to keep server-side state(!)

 * An attacker that attempts CSRF cannot get to information stored in
 cookies that are meant for the domain of the (forged) request.

 * The token stored in the cookie is sufficiently random and long, to be
 practically unguessable by the attacker.

 * The form submit is deemed valid as long as the token in the cookie is
 identical to a hidden input value that is part of the form submit.

 My questions:

 * Do you find this feature useful enough to be, in principle, included in
 zope.formlib?

 * I'd like to kindly request someone to review my branch and provide
 feedback.

 The included test cases describe a few more questions and concerns about
 this implementation.

 Thank you in advance!

 kind regards, jw



Re: [Zope-dev] (optional) CSRF protection in zope.formlib

2013-09-18 Thread Jan-Wijbrand Kolman

On 9/18/13 5:26 PM, Leonardo Rochael Almeida wrote:

+1 for implementing convenient CSRF.

I wonder if you could make your implementation more orthogonal by
implementing a CSRF field/widget, and make your `protected` attribute
simply trigger the inclusion of this field implicitly.

This way you wouldn't need to change the `*pageform.pt` templates like you
do now, and `setupToken()`/`checkToken()` would move to the widget code.


I've considered and experimented with that approach. However, as soon as 
you do more complex things with setting up fields in your own form 
component, things potentially get hairy.


Furthermore, the form machinery tries to get values from the context 
object (in edit forms for example), for each field and tries to set 
values for this field on the context object when handling the submit. 
This would make handling this field special in a way I didn't like.


But yes, the compromise in my implementation is that you need to render 
the hidden input field yourself if you overwrite the default templates 
- and you most probably do.


For example, grok.formlib does bring its own default templates for 
forms. I'd need to update that package in case this implementation is 
accepted and lands.


regards, jw



[Zope-dev] zope-tests - FAILED: 5, OK: 13

2013-09-18 Thread Zope tests summarizer
This is the summary for test reports received on the 
zope-tests list between 2013-09-17 00:00:00 UTC and 2013-09-18 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received


   Successful - zopetoolkit_trunk - Build # 406
   winbot / ZODB_dev py_265_win32
   winbot / ZODB_dev py_265_win64
   winbot / ZODB_dev py_270_win32
   winbot / ZODB_dev py_270_win64
[1]winbot / zope.app.authentication_py_265_32
[2]winbot / zope.app.http_py_265_32
[3]winbot / zope.app.publication_py_265_32
[4]winbot / zope.app.wsgi_py_265_32
[5]winbot / zope.testbrowser_py_265_32
   winbot / ztk_10 py_254_win32
   winbot / ztk_10 py_265_win32
   winbot / ztk_10 py_265_win64
   winbot / ztk_11 py_254_win32
   winbot / ztk_11 py_265_win32
   winbot / ztk_11 py_265_win64
   winbot / ztk_11 py_270_win32
   winbot / ztk_11 py_270_win64

Non-OK results
--

[1]FAILED  winbot / zope.app.authentication_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078812.html


[2]FAILED  winbot / zope.app.http_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078813.html


[3]FAILED  winbot / zope.app.publication_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078811.html


[4]FAILED  winbot / zope.app.wsgi_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078814.html


[5]FAILED  winbot / zope.testbrowser_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2013-September/078815.html

