Log message for revision 69053:
tests for 'include' and 'raw' directives (which should
throw NotImplementError for security reasons)
Changed:
U Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py
-=-
Modified: Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py
Log message for revision 69055:
added dedicated tests for 'file' and 'url' options
Changed:
U Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py
-=-
Modified: Zope/trunk/lib/python/Products/ZReST/tests/test_ZReST.py
The Buildbot has detected a failed build of Zope trunk 2.4 Linux zc-buildbot.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6544
Blamelist: andreasjung,benji,benji_york,jim
BUILD FAILED: failed test
sincerely,
-The Buildbot
The Buildbot has detected a failed build of Zope trunk 2.4 Windows 2000
zc-bbwin6.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6544
Blamelist: andreasjung,benji,benji_york,jim
BUILD FAILED: failed compile
sincerely,
-The Buildbot
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think we should do a 2.9.4 release to incorporate the recent hot
fix.
This is easy for me to say,
The Buildbot has detected a failed build of Zope trunk 2.4 Windows 2000
zc-bbwin6.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6545
Blamelist: andreasjung
BUILD FAILED: failed compile
sincerely,
-The Buildbot
The Buildbot has detected a failed build of Zope trunk 2.4 Linux zc-buildbot.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6547
Blamelist: andreasjung
BUILD FAILED: failed test
sincerely,
-The Buildbot
The Buildbot has detected a failed build of Zope trunk 2.4 Windows 2000
zc-bbwin6.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6547
Blamelist: andreasjung
BUILD FAILED: failed compile
sincerely,
-The Buildbot
According to Andreas Jung:
Tres' patch is looking fine to me. I don't see a need right now
for dropping reST with having file inclusion *removed*.
Has anyone written tests for Tres' patch? Apparently no one wrote
adequate tests for the last hot fix, which helped put us in this
--On 9. Juli 2006 12:29:24 +0200 Willi Langenberger [EMAIL PROTECTED]
wrote:
@Tres: what is the reason to keep the 'raw' code in docutils? I am in
favor to remove it and replace it with a NotImplementedError exception
(same as for the 'include' code). The related tests (for
On Jul 8, 2006, at 3:06 PM, Andreas Jung wrote:
No, it is not. I haven't worked on the hotfix...so why would it be
up to me
write tests?
It's not. The person who *did* write the hot-fix didn't want the
feature in the first place. Tres stepped up and helped us in an
emergency. I imagine
On Jul 8, 2006, at 3:27 PM, Andreas Jung wrote:
--On 8. Juli 2006 15:05:21 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think this applies here as well.
1. ZClasses are not a security threat. reST is. That's a huge
difference.
Being a security threat or not ...how will you prove that
On Jul 8, 2006, at 3:34 PM, Tres Seaver wrote:
...
The monkeypatch in the hotfix *might* be defeated that way, sure. The
updated version of docutils I checked in will *not*, because it disables
file inclusion inside the source of the dangerous handlers.
Another possible fix would be to
On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
...
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was aware of the 'raw'
directive as an attack vector for file inclusion until you mentioned it
the other day.
On Jul 8, 2006, at 5:38 PM, Tino Wildenhain wrote:
Jim Fulton wrote:
...
You mean auditing. Testing would not help imho. Testing
only checks if expected behavior still works. And nobody
expects the Spanish Inquisition *wink* ;)
You can test that trying to do file-inclusion fails.
For
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Jim Fulton wrote:
On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
...
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was aware of the 'raw'
directive as an attack vector
On Jul 9, 2006, at 9:43 AM, Tres Seaver wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Jim Fulton wrote:
On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
...
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was
--On 9. Juli 2006 10:10:53 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
That doesn't change the fact that when we found out about the threat
last fall, we didn't check all of the places in Zope where we were using
reST. You might say that this was because the person who did the hot
fix didn't
On Jul 9, 2006, at 10:47 AM, Andreas Jung wrote:
...
But that just illustrates that our current approach of everyone is responsible
for everything or, cynically, no one is responsible for anything isn't working.
Isn't that the approach how Zope is working since years?
Yes, but Zope is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think we should do a 2.9.4
--On 9. Juli 2006 15:22:18 -0400 Tres Seaver [EMAIL PROTECTED] wrote:
I've written some tests (checked in on the trunk). They test the 'raw'
and 'include' directives
Great! Maybe we can add a similar set for the 'fmt=restructured-text'
in DTML.
Jup, but I won't be able to do this over the
Tres Seaver wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think we
hi
I read almost all the archives about ASP404
but I can't find something useful to me to lead me to my goal !
and also there is no perfect article about using IIS as
a web server in plone site
I'll be so glad if somebody helps me
how can I work with
you wrote
The best way to run mkzopeinstance is to first su to another user (su
zope) and then run mkzopeinstance.py. The zope user must have write
access to create the directory.
what you mean by su zope and what directory the user should have rights to?
Ofer Weisglass wrote:
yes, it
I added the user in the zope.conf file
but this is what I get - is it because of the folder rights?
Traceback (most recent call last):
File /home/usr/zopeplone/lib/python/zdaemon/zdrun.py, line 719, in ?
main()
File /home/usr/zopeplone/lib/python/zdaemon/zdrun.py, line 716, in main
exactly!
I suggest the following:
- remove what you have done so far
- go to yast, create a user zope
- switch to this user
- install zope like this:
wget http://www.zope.org/Products/Zope/2.9.3/Zope-2.9.3.tgz
tar xvfz Zope-2.9.3.tgz
mv Zope-2.9.3 Zope-2.9.3-src
cd Zope-2.9.3-src
Thank you robert
first in the last line you wrote the command is zopectl fg
now I understand that you mean system user name zope
I want to install it on the user ofer and this is what I get now after
running zopectl fg
/ofer/zope/Zope293/lib/python/ZServer/utils.py:33: DeprecationWarning: The
you did NOT create the zope instance as user ofer! did you?
there is nothing to do as user root except creating a user account.
as you do it in your own account (I assume) then there is nothing
to be done for root.
robert
Ofer Weisglass wrote:
Thank you robert
first in the last line you wrote