[Zope] ZEO clusters on a single box

2008-08-12 Thread Jean Jordaan
Hi there

We have a server running many ZEO clusters (many more than the number of
CPUs, of course). Each cluster consists of a master and two clients.

Would it make sense to run both clients and spread requests across them?

Or would it be better to just increase the number of threads of a single
client, and only use the second client for './bin/zopectl debug', and
for failover if the first client needs to be restarted?

Would it ever make sense to have *more* than 2 clients per master, in
this scenario (many more processes than CPUs)?

So far, I've had the following response to my questions:

"""
[...] at every zope/plone conference there are people who claim that
adding more threads makes no difference and that you should rather add
more zeo clients, but my CS background says more threads can share
memory and perform better. But for zope it seems that each thread
maintains its own cache anyway, so there is little memory sharing going
on. You may as well run 10 clients with one thread each rather than one
client with 10 threads, it would make little difference other than the
overhead for the extra process, which is less than 100MB.

I'm a little disappointed in zope's memory usage patterns. It doesn't
really matter how much memory you have or what sorts of limits you
impose, it seems zope always uses more and more until it consumes about
1GB of swap and starts killing the box. So you need to monitor RAM usage
with nagios or something and restart the instance every so often.

On some of our managed machines we restart zope about once an hour
because of this. That just doesn't make good sense, you kill your cache
every time.
"""

RTFM with pointers most appreciated.

-- 
jean . ..  //\\\oo///\\
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
On 2008-08-12 20:49, Andreas Jung wrote:
> --On 12. August 2008 17:14:15 + Maurits van Rees 
> <[EMAIL PROTECTED]> wrote:
> 
>> Andreas Jung, on 2008-08-12:
>>>>> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
>>>>> but has a failure for Zope 2.8.
>>>>
>>>> I forgot to mention that the hotfix also seems to work for Zope 2.9.
>>>> (third-party confirmations are highly appreciated).
>>>
>>> Update: the hotfix although works for Zope 2.8 (tested with
>>> a running Zope instance - however the testrunner does not seem
>>> to import Hotfix though the included tests under 2.8 aren't
>>> found/executed).
>>
>> In Zope 2.8, when I place the Hotfix in the Products dir of the
>> instance, the two tests pass when I run the tests like this:
>>
>>   bin/zopectl test --dir=Products/Hotfix_20080812/
>>
>> That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz
>>
>> I tested on Zope 2.8, 2.9, 2.10, 2.11.  All with python 2.4.  Without
>> the hotfix "raise SystemExit" crashed Zope.  I could not confirm the
>> other problem; that just gave me a LookupError.  With the hotfix in
>> the Products dir of the instance, the crash did not occur and the
>> tests passed.

The .encode() example will only trigger if the Python test suite is
installed in your Python version. Some distros move this into a
separate package, so if this is not installed, that particular
example won't work.

> Thanks for further testing. I released V 0.2 of the hotfix containing
> your fixes. The hotfix also works with Zope 2.7...this should be enough.
> If there are no objections I would like to release the hotfix officially 
> at some time tomorrow.

Please add a warning to be extra careful when enabling edit/create/modify
access to PythonScripts in the ZMI.

Thanks,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 13 2008)
 >>> Python/Zope Consulting and Support ...http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


 Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! 


eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

--On 12. August 2008 17:14:15 + Maurits van Rees <[EMAIL PROTECTED]> wrote:

> Andreas Jung, on 2008-08-12:
>>>> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
>>>> but has a failure for Zope 2.8.
>>>
>>> I forgot to mention that the hotfix also seems to work for Zope 2.9.
>>> (third-party confirmations are highly appreciated).
>>
>> Update: the hotfix although works for Zope 2.8 (tested with
>> a running Zope instance - however the testrunner does not seem
>> to import Hotfix though the included tests under 2.8 aren't
>> found/executed).
>
> In Zope 2.8, when I place the Hotfix in the Products dir of the
> instance, the two tests pass when I run the tests like this:
>
>   bin/zopectl test --dir=Products/Hotfix_20080812/
>
> That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz
>
> I tested on Zope 2.8, 2.9, 2.10, 2.11.  All with python 2.4.  Without
> the hotfix "raise SystemExit" crashed Zope.  I could not confirm the
> other problem; that just gave me a LookupError.  With the hotfix in
> the Products dir of the instance, the crash did not occur and the
> tests passed.

Thanks for further testing. I released V 0.2 of the hotfix containing
your fixes. The hotfix also works with Zope 2.7...this should be enough.
If there are no objections I would like to release the hotfix officially at
some time tomorrow.

Andreas




[Zope] Persistent Mapping error with TinyTablePlus.

2008-08-12 Thread Ignacio Valdes
Hi Chris, When I try to change a Squishdot rightbox_items title or even not
change anything and try to save it out I get this error thrown:

Site Error

An error was encountered while publishing this resource.

NameError
Sorry, a site error occurred.

Traceback (innermost last):

  * Module ZPublisher.Publish, line 194, in publish_module_standard
  * Module Products.PlacelessTranslationService.PatchStringIO, line
34, in new_publish
  * Module ZPublisher.Publish, line 146, in publish
  * Module Zope2.App.startup, line 222, in zpublisher_exception_hook
  * Module ZPublisher.Publish, line 115, in publish
  * Module ZPublisher.mapply, line 88, in mapply
  * Module ZPublisher.Publish, line 41, in call_object
  * Module Products.TinyTablePlus.TinyTablePlus, line 446, in manage_editData
  * Module Products.TinyTablePlus.TinyTablePlus, line 509, in _GenerateIndex

NameError: global name 'PersistentMapping' is not defined (Also, the
following error occurred while attempting to render the standard error
message, please see the event log for full details:
'standard_html_header')


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andrew Milton
+---[ Andreas Jung ]--
| 
| My conclusion after almost 9 years with Zope: PythonScripts and trusted
| code was a good and nice feature in the "early days" of Zope. The future
| is clearly trusted code in all its flavors. RestrictedPython, 
| through-the-web editing (ZMI) and stuff like ZClasses should die

+oo

-- 
Andrew Milton
[EMAIL PROTECTED]


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

--On 12. August 2008 19:38:16 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]> wrote:

> On 2008-08-12 18:04, Tres Seaver wrote:
>> Garito wrote:
>>> The same question again and again
>>>
>>> As a Zope user I prefer to know as soon as possible if Zope has security
>>> problems like those
>>>
>>> Perhaps the correct way will be to send the problem to the zope people
>>> and 2 weeks later then make it public
>>>
>>> I think 2 weeks is a very correct period to solve a problem if not, I
>>> want to try to solve the problem for myself
>>>
>>> But I shut my mouth, sorry Andreas ;)
>>>
>>> 2008/8/12 Andreas Jung <[EMAIL PROTECTED]>
>>>
>>>> *sigh*
>>>>
>>>> I wished that both exploits were reported to the Zope bugtracker in
>>>> order to work on solutions before making the exploits public.
>>
>> Right:  we would just like time to investigate the problem so that we
>> can announce the problem and the workaround / hotfix / new releases
>> simultaneously.  Two weeks would be longer than I would expect that
>> process to take.
>
> Next time, I'll post the report to the tracker and mark it private.
>
> I really didn't have any intention of making your work harder than
> it already is - I must admit that I wouldn't have thought of the
> issue being that important.
>
> OTOH, I do think that the PythonScript product will need some
> more security audit, esp. since the restricted environment
> safety belt checks are no longer being maintained in the Python
> interpreter code and will likely go away completely for
> Python 3.x.
>
> It may be better to remove the PythonScript product altogether and
> instead use ExternalMethods.

My conclusion after almost 9 years with Zope: PythonScripts and trusted
code was a good and nice feature in the "early days" of Zope. The future
is clearly trusted code in all its flavors. RestrictedPython,
through-the-web editing (ZMI) and stuff like ZClasses should die - however
they must remain until the end of time - for the sake of compatibility.

Andreas



Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
On 2008-08-12 18:04, Tres Seaver wrote:
> Garito wrote:
>> The same question again and again
> 
>> As a Zope user I prefer to know as soon as possible if Zope has security
>> problems like those
> 
>> Perhaps the correct way will be to send the problem to the zope people and 2
>> weeks later then make it public
> 
>> I think 2 weeks is a very correct period to solve a problem if not, I want
>> to try to solve the problem for myself
> 
>> But I shut my mouth, sorry Andreas ;)
> 
>> 2008/8/12 Andreas Jung <[EMAIL PROTECTED]>
> 
>>> *sigh*
>>>
>>> I wished that both exploits were reported to the Zope bugtracker in order
>>> to work on solutions before making the exploits public.
> 
> Right:  we would just like time to investigate the problem so that we
> can announce the problem and the workaround / hotfix / new releases
> simultaneously.  Two weeks would be longer than I would expect that
> process to take.

Next time, I'll post the report to the tracker and mark it private.

I really didn't have any intention of making your work harder than
it already is - I must admit that I wouldn't have thought of the
issue being that important.

OTOH, I do think that the PythonScript product will need some
more security audit, esp. since the restricted environment
safety belt checks are no longer being maintained in the Python
interpreter code and will likely go away completely for
Python 3.x.

It may be better to remove the PythonScript product altogether and
instead use ExternalMethods.

-- 
Marc-Andre Lemburg
eGenix.com



Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Maurits van Rees
Maurits van Rees, on 2008-08-12:
> That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz

Oh, that tarball contains a .svn directory...


I took the liberty of committing a change to the text of the raised
ValueError to make it a proper sentence.  Old:

  SystemExit can not raised with a PythonScript

new:

  SystemExit can not be raised within a PythonScript


-- 
Maurits van Rees | http://maurits.vanrees.org/
Work | http://zestsoftware.nl/
"This is your day, don't let them take it away." [Barlow Girl]



Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Maurits van Rees
Andreas Jung, on 2008-08-12:
>>> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
>>> but has a failure for Zope 2.8.
>>
>> I forgot to mention that the hotfix also seems to work for Zope 2.9.
>> (third-party confirmations are highly appreciated).
>
> Update: the hotfix although works for Zope 2.8 (tested with
> a running Zope instance - however the testrunner does not seem
> to import Hotfix though the included tests under 2.8 aren't
> found/executed).

In Zope 2.8, when I place the Hotfix in the Products dir of the
instance, the two tests pass when I run the tests like this:

  bin/zopectl test --dir=Products/Hotfix_20080812/

That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz

I tested on Zope 2.8, 2.9, 2.10, 2.11.  All with python 2.4.  Without
the hotfix "raise SystemExit" crashed Zope.  I could not confirm the
other problem; that just gave me a LookupError.  With the hotfix in
the Products dir of the instance, the crash did not occur and the
tests passed.

Marvelous!  Thanks Andreas!

-- 
Maurits van Rees | http://maurits.vanrees.org/
Work | http://zestsoftware.nl/
"This is your day, don't let them take it away." [Barlow Girl]



Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Tres Seaver
Garito wrote:
> The same question again and again
> 
> As a Zope user I prefer to know as soon as possible if Zope has security
> problems like those
> 
> Perhaps the correct way will be to send the problem to the zope people and 2
> weeks later then make it public
> 
> I think 2 weeks is a very correct period to solve a problem if not, I want
> to try to solve the problem for myself
> 
> But I shut my mouth, sorry Andreas ;)
> 
> 2008/8/12 Andreas Jung <[EMAIL PROTECTED]>
> 
>> *sigh*
>>
>> I wished that both exploits were reported to the Zope bugtracker in order
>> to work on solutions before making the exploits public.

Right:  we would just like time to investigate the problem so that we
can announce the problem and the workaround / hotfix / new releases
simultaneously.  Two weeks would be longer than I would expect that
process to take.


Tres.
-- 
===
Tres Seaver  +1 540-429-0999  [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"http://palladion.com


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

--On 12. August 2008 17:31:06 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:

> --On 12. August 2008 17:19:54 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:
>
>> I created a preliminary hotfix
>>
>> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
>> but has a failure for Zope 2.8.
>
> I forgot to mention that the hotfix also seems to work for Zope 2.9.
> (third-party confirmations are highly appreciated).

Update: the hotfix although works for Zope 2.8 (tested with
a running Zope instance - however the testrunner does not seem
to import Hotfix though the included tests under 2.8 aren't
found/executed).

Andreas



Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

--On 12. August 2008 17:19:54 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:

> I created a preliminary hotfix
>
> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
> but has a failure for Zope 2.8.

I forgot to mention that the hotfix also seems to work for Zope 2.9.
(third-party confirmations are highly appreciated).

Andreas



Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Philipp von Weitershausen
Thanks a lot for taking care of these issues, Andreas!



Andreas Jung wrote:
> 
> 
> --On 12. August 2008 16:05:47 +0200 Andreas Jung 
> <[EMAIL PROTECTED]> wrote:
> 
>>
>>
>> --On 12. August 2008 14:16:44 +0200 Andreas Jung 
>> <[EMAIL PROTECTED]> wrote:
>>
>>> *sigh*
>>>
>>> I wished that both exploits were reported to the Zope bugtracker in 
>>> order
>>> to work on solutions before making the exploits public.
>>>
>>>
>>> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" 
>>> <[EMAIL PROTECTED]>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> 1. Attack:
>>>>
>>>> Put this into a "Script (Python)" object and run it:
>>>>
>>>> return 'kaboom'.encode('test.testall')
>>>>
>>>> This results in a denial-of-service, since Zope will hang
>>>> running the Python test suite.
>>>>
>>>> The reason for this is a problem in the way the encoding search
>>>> function works in Python 2.4. This was changed in 2.5 to no longer
>>>> allow searching for codecs outside the encodings package.
>>>
>>> That's pretty obscure behavior of Python 2.4...anyway.
>>
>> The followup for this issue is also on Launchpad including a possible
>> solution:
>>
>> 
>>
>> The patches/monkey patches for both issues need review and testing.
>>
>> I am now working on a security advisory.
>>
>> For the hotfixes and testing I need definitely help since I am the road
>> for the rest of the week and pretty busy and limited network 
>> connectivity.
>>
>>
> 
> I created a preliminary hotfix
> 
> 
> 
> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
> but has a failure for Zope 2.8.
> 
> That's all I can do for now - please test and improve the hotfix
> if needed.
> 
> Thanks,
> Andreas


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

--On 12. August 2008 16:05:47 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:

> --On 12. August 2008 14:16:44 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:
>
>> *sigh*
>>
>> I wished that both exploits were reported to the Zope bugtracker in order
>> to work on solutions before making the exploits public.
>>
>> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]>
>> wrote:
>>
>>> Hello,
>>>
>>> 1. Attack:
>>>
>>> Put this into a "Script (Python)" object and run it:
>>>
>>> return 'kaboom'.encode('test.testall')
>>>
>>> This results in a denial-of-service, since Zope will hang
>>> running the Python test suite.
>>>
>>> The reason for this is a problem in the way the encoding search
>>> function works in Python 2.4. This was changed in 2.5 to no longer
>>> allow searching for codecs outside the encodings package.
>>
>> That's pretty obscure behavior of Python 2.4...anyway.
>
> The followup for this issue is also on Launchpad including a possible
> solution:
>
> The patches/monkey patches for both issues need review and testing.
>
> I am now working on a security advisory.
>
> For the hotfixes and testing I need definitely help since I am the road
> for the rest of the week and pretty busy and limited network connectivity.

I created a preliminary hotfix

After rough test: it seems to work for Zope trunk, 2.10 and 2.11
but has a failure for Zope 2.8.

That's all I can do for now - please test and improve the hotfix
if needed.

Thanks,
Andreas





Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

--On 12. August 2008 14:16:44 +0200 Andreas Jung <[EMAIL PROTECTED]> wrote:

> *sigh*
>
> I wished that both exploits were reported to the Zope bugtracker in order
> to work on solutions before making the exploits public.
>
> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]>
> wrote:
>
>> Hello,
>>
>> 1. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> return 'kaboom'.encode('test.testall')
>>
>> This results in a denial-of-service, since Zope will hang
>> running the Python test suite.
>>
>> The reason for this is a problem in the way the encoding search
>> function works in Python 2.4. This was changed in 2.5 to no longer
>> allow searching for codecs outside the encodings package.
>
> That's pretty obscure behavior of Python 2.4...anyway.

The followup for this issue is also on Launchpad including a possible
solution:

The patches/monkey patches for both issues need review and testing.

I am now working on a security advisory.

For the hotfixes and testing I need definitely help since I am the road for
the rest of the week and pretty busy and limited network connectivity.

Andreas







Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Garito
The same question again and again

As a Zope user I prefer to know as soon as possible if Zope has security
problems like those

Perhaps the correct way will be to send the problem to the zope people and 2
weeks later then make it public

I think 2 weeks is a very correct period to solve a problem if not, I want
to try to solve the problem for myself

But I shut my mouth, sorry Andreas ;)

2008/8/12 Andreas Jung <[EMAIL PROTECTED]>

> *sigh*
>
> I wished that both exploits were reported to the Zope bugtracker in order
> to work on solutions before making the exploits public.
>
>
> --On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]>
> wrote:
>
>> Hello,
>>
>> 1. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> return 'kaboom'.encode('test.testall')
>>
>> This results in a denial-of-service, since Zope will hang
>> running the Python test suite.
>>
>> The reason for this is a problem in the way the encoding search
>> function works in Python 2.4. This was changed in 2.5 to no longer
>> allow searching for codecs outside the encodings package.
>>
>
> That's pretty obscure behavior of Python 2.4...anyway.
>
>
>
>>
>> 2. Attack:
>>
>> Put this into a "Script (Python)" object and run it:
>>
>> raise SystemExit
>>
>> This shuts down Zope.
>>
>> The Python Script environment should obviously catch such exceptions
>> and not let them propagate up the call stack.
>>
>>
> See the followup on
>
> 
>
> There is a patch available that solves the problem.
>
> Andreas


-- 
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670


Re: [Zope] Page Template help

2008-08-12 Thread Garito
Yeah, Mustapha!
Sometimes I think I'm a little stupid, jejejeje, I have it in front of my nose
but I don't see it

I solved the problem by adding a y: type expression and then subclassing the
PythonExpr with the __init__ method modified to change the expression

Too difficult to do the job in an acceptable way

BUT!!!

If you go to usr/lib/zope/lib/python/zope/tales/tales.py and change
the 592 and 593:

    591            else:
    592                type = "standard"
    593                expr = expression

to

                   else:
                       if expression.find('${') > -1:
                           type = "python"
                           expr = "path(path('string:%s'))" % expression
                       else:
                           type = "standard"
                           expr = expression

then you could use expressions like this

path/to/render/${with/some/variable}/and/the/rest/of/the/path

I think it's an acceptable change to the code for the job it does.
I don't know if Zope people will introduce this change but I think if not
they will be wrong

But they are absolutely free to do what they want to do, don't misunderstand
me, please

2008/8/12 mustapha <[EMAIL PROTECTED]>

>
> I'm not sure I get what you want to do.
>
> It is not the page template that decides about the expression but the
> engine as Philpp explained before.
>
> anyway, I think you are looking for the "compile" method of the
> ExpressionEngine class (look in zope/tales/tales.py). It's there where
> the expressions are parsed.
>
> HTH
>
> Garito wrote:
> > Yes, it's ok but I can save n variable definitions with 4 lines of code
> > in 1 point
> > Seems quite interesting for me
> >
> > Could someone point me were the page template decides if the expression
> > is a standard, string, python, etc one, please? ;)
> >
> > 2008/8/11 Philipp von Weitershausen
> > <[EMAIL PROTECTED]
> > >
> >
> > Garito wrote:
> >  > Considere this case:
> >  >
> >  > I have the sking value in the variable at args/Yanged/Skin
> >  >
> >  > How can I do the equivalent to
> >  >
> >  >
> >
> args/Yanged/raiz/Skins/${args/Yanged/Skin}/arbolYanged.css/absolute_url
> >  >
> >  > ?
> >  >
> >  > In the python way it will be:
> >  >
> >  > path(path('string:' +
> >  >
> >
> 'args/Yanged/raiz/Skins/${args/Yanged/Skin}/arbolYanged.css/absolute_url'))
> >  >
> >  > That's returns the expected value but I can't see how to do with
> your
> >  > propossed way
> >
> >
> >  >tal:attributes="href file/absolute_url">



-- 
Mis Cosas
http://blogs.sistes.net/Garito
Zope Smart Manager
http://blogs.sistes.net/Garito/670


Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread Andreas Jung

*sigh*

I wished that both exploits were reported to the Zope bugtracker in order
to work on solutions before making the exploits public.

--On 12. August 2008 13:41:04 +0200 "M.-A. Lemburg" <[EMAIL PROTECTED]> wrote:

> Hello,
>
> 1. Attack:
>
> Put this into a "Script (Python)" object and run it:
>
> return 'kaboom'.encode('test.testall')
>
> This results in a denial-of-service, since Zope will hang
> running the Python test suite.
>
> The reason for this is a problem in the way the encoding search
> function works in Python 2.4. This was changed in 2.5 to no longer
> allow searching for codecs outside the encodings package.

That's pretty obscure behavior of Python 2.4...anyway.

> 2. Attack:
>
> Put this into a "Script (Python)" object and run it:
>
> raise SystemExit
>
> This shuts down Zope.
>
> The Python Script environment should obviously catch such exceptions
> and not let them propagate up the call stack.

See the followup on

There is a patch available that solves the problem.

Andreas





Re: [Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
Sorry about the posting. I should have known better than to use a public
mailing list for this sort of post.

Apologies,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Aug 12 2008)
 >>> Python/Zope Consulting and Support ...http://www.egenix.com/
 >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


 Try mxODBC.Zope.DA for Windows,Linux,Solaris,MacOSX for free ! 


eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611


[Zope] Script (Python) insecure ?

2008-08-12 Thread M.-A. Lemburg
Hello,

after Chris Withers' lightning talk at EPC 2008 I had a closer look
at the implementation of Python Scripts in Zope 2.11.

While I have not yet been able to break out of the restricted
environment without help from installed products, there are a few
denial-of-service attacks which can easily be deployed on sites
allowing adding Python Scripts to a user folder:

1. Attack:

Put this into a "Script (Python)" object and run it:

return 'kaboom'.encode('test.testall')

This results in a denial-of-service, since Zope will hang
running the Python test suite.

The reason for this is a problem in the way the encoding search
function works in Python 2.4. This was changed in 2.5 to no longer
allow searching for codecs outside the encodings package.


2. Attack:

Put this into a "Script (Python)" object and run it:

raise SystemExit

This shuts down Zope.

The Python Script environment should obviously catch such exceptions
and not let them propagate up the call stack.


I found the second attack rather surprising, as it doesn't require
deep knowledge about Python's internals.

Regards,
-- 
Marc-Andre Lemburg
eGenix.com

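Both denial-of-service cases above come down to two guards a host for untrusted scripts can apply: refuse codec names that can resolve to a module outside the encodings package (the dotted-name check Python 2.5's encodings search function adopted), and convert interpreter-control exceptions such as SystemExit into an ordinary error before they reach the server. The following is an added example, not Zope's code or Marc-Andre's patch; `ScriptError`, `safe_codec_name`, `guarded_encode` and `run_script` are hypothetical names, and it runs on Python 3 rather than the 2.4 interpreter discussed.

```python
import codecs
import encodings
import encodings.aliases


class ScriptError(Exception):
    """Ordinary exception raised in place of interpreter-control exceptions."""


def safe_codec_name(name):
    """Normalise a codec name the way the stdlib encodings package does and
    return the module name to look up, or None if it contains a dot.

    Python 2.4's search function would also import a bare dotted module name
    (so 'test.testall' ran the test suite); Python 2.5 added this dot check
    so only modules inside the encodings package can be reached.
    """
    modname = encodings.normalize_encoding(name).lower()
    modname = encodings.aliases.aliases.get(modname, modname)
    if not modname or '.' in modname:
        return None
    return modname


def guarded_encode(text, encoding):
    """encode() replacement for a restricted environment: refuse any codec
    name that could resolve outside the encodings package."""
    modname = safe_codec_name(encoding)
    if modname is None:
        raise LookupError('codec name rejected: %r' % (encoding,))
    return codecs.encode(text, modname)


def run_script(script, *args, **kwargs):
    """Call an untrusted script callable and never let SystemExit,
    KeyboardInterrupt or any other BaseException escape to the server."""
    try:
        return script(*args, **kwargs)
    except Exception:
        raise                       # normal errors keep their usual handling
    except BaseException as exc:    # SystemExit & co. must not stop the process
        raise ScriptError('script tried to terminate the interpreter: %r'
                          % (exc,)) from exc
```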


Re: [Zope] Page Template help

2008-08-12 Thread mustapha

I'm not sure I get what you want to do.

It is not the page template that decides about the expression but the 
engine, as Philipp explained before.

Anyway, I think you are looking for the "compile" method of the 
ExpressionEngine class (look in zope/tales/tales.py). That's where 
the expressions are parsed.

HTH

Garito wrote:
> Yes, it's OK, but I can save n variable definitions with 4 lines of code 
> in 1 point.
> Seems quite interesting to me.
> 
> Could someone point me where the page template decides if the expression 
> is a standard, string, python, etc. one, please? ;)
> 
> 2008/8/11 Philipp von Weitershausen <[EMAIL PROTECTED]>
> 
> Garito wrote:
>  > Consider this case:
>  >
>  > I have the skin value in the variable at args/Yanged/Skin
>  >
>  > How can I do the equivalent to
>  >
>  > args/Yanged/raiz/Skins/${args/Yanged/Skin}/arbolYanged.css/absolute_url
>  >
>  > ?
>  >
>  > In the python way it will be:
>  >
>  > path(path('string:' +
>  > 'args/Yanged/raiz/Skins/${args/Yanged/Skin}/arbolYanged.css/absolute_url'))
>  >
>  > That returns the expected value but I can't see how to do it with your
>  > proposed way
> 
> 
> tal:attributes="href file/absolute_url">
> 
> -- 
> Mis Cosas
> http://blogs.sistes.net/Garito
> Zope Smart Manager
> http://blogs.sistes.net/Garito/670
