Re: [Zope] Zope and security vulnerability: 20121106

2012-11-14 Thread Christopher N. Deckard
We are running Zope 2.13.10.  (So this may not be too helpful.)  We are testing 
the hotfix.  This is the output in our event log.

2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied allow_module patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply membership_tool
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply queryCatalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply uid_catalog
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply renameObjectsByPaths
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply at_download
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply safe_html
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied python_scripts patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied ftp patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied atat patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply random_string
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed

Without knowing how to specifically break things I can't say if it is good to 
be running this or not.  I'm sure a new Zope2 release will include these 
updates?

-Chris


Christopher N. Deckard  | Lead Web Systems Developer
  c...@ecn.purdue.edu|Engineering Computer Network
  http://eng.purdue.edu/ECN/| Purdue University 
 zlib.decompress('x\234K\316Kq((-J)M\325KM)\005\000)"\005w') ---



On Nov 13, 2012, at 4:30 AM, Jens Vagelpohl wrote:

>
> On Nov 13, 2012, at 10:16, Jürgen Herrmann wrote:
>> I successfully applied these hotfixes to Zope 2.13 versions
>> without any problems. What puzzles me though is why was there
>> no announcement for these fixes here on zope ml? Or are these
>> fixes not critical for pure Zope2 users? Or are these all fixed
>> in the latest version of Zope2?
> 
> There was no announcement here because those patches were prepared by Plone 
> developers without our knowledge and announced without our knowledge. The 
> Zope developers know as much about these patches (meaning little to nothing) 
> as any other Zope user.
> 
> jens
> 
> 
> ___
> Zope maillist  -  Zope@zope.org
> https://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
> https://mail.zope.org/mailman/listinfo/zope-announce
> https://mail.zope.org/mailman/listinfo/zope-dev )
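
The applied / not-applied split in an event log like the one in the message above can be extracted mechanically, which helps when checking the hotfix on several instances. This is an added example, not part of the original thread or of the hotfix; the function names and the sample log are constructed, and only the three message shapes visible in that log are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the event-log format quoted in the message,
# including entries that a mail client wrapped onto a second line.
SAMPLE_LOG = """\
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied setHeader patch
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Applied
get_request_var_or_attr patch
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply
safe_html
2012-11-14T10:16:49 WARNING Products.PloneHotfix20121106 Could not apply gtbn
2012-11-14T10:16:49 INFO Products.PloneHotfix20121106 Hotfix installed
"""

# timestamp, level, logger name, message
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (\w+) (\S+) (.*)$")

def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Return {logger: {"applied": [...], "failed": [...], "installed": bool}}."""
    report = defaultdict(lambda: {"applied": [], "failed": [], "installed": False})
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue  # stray text before the first timestamped entry
        logger, msg = m.group(3), m.group(4)
        if msg.startswith("Applied ") and msg.endswith(" patch"):
            report[logger]["applied"].append(msg[len("Applied "):-len(" patch")])
        elif msg.startswith("Could not apply "):
            report[logger]["failed"].append(msg[len("Could not apply "):])
        elif msg == "Hotfix installed":
            report[logger]["installed"] = True
    return dict(report)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```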



Re: [Zope] path of a fileupload instance

2012-11-14 Thread robert rottermann

To my knowledge, for security reasons no modern browser submits the path anymore.
If you need the path, you have to create your own file uploader or use a tool 
like uploadify (http://www.uploadify.com)

I *think* javascript gets you access to the full path.

robert
On 11/14/2012 08:35 AM, Kees de Brabander wrote:

I was using IE and filename is just the file name, no directory information. So 
I will have to take another approach. Does a FileUpload instance have any other 
attributes than filename and header?

On Nov 13, 2012, at 6:11 PM, Andreas Jung wrote:


This is subject to the browser. All browsers - except IE (afaik) - only
submit the filename without directory information.

-aj

Kees de Brabander wrote:

Correct, but the filename attribute contains just the filename, not
the path of the directory where it was uploaded from?

cb

On Nov 13, 2012, at 11:04 AM, Andreas Jung wrote:

REQUEST.yourfile.filename. The FileUpload instance has a 'filename'
attribute.

-aj

Kees de Brabander wrote:

Hiya

I have a form with a field for a FileUpload object, which works
ok. However, in my application I want to capture the path of
that file, because I want to open still other files that I know
by name from that very same directory. Any idea how to do that?
The REQUEST simply contains the FileUpload instance.



-- 
ZOPYX Limited | Python | Zope | Plone | MongoDB

Hundskapfklinge 33| Consulting & Development
D-72074 Tübingen  | Electronic Publishing Solutions
www.zopyx.com | Scalable Web Solutions
--
Produce & Publish - www.produce-and-publish.com

