Re: [Zope] [Zope-dev] Security announcement update
This should be clarified too: You should, however, make sure that you are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService 1.5.5, 1.6.5 or 1.7.5 Why must PluggableAuthService (+ its dependencies) even be installed? -N On 6/28/2011 3:30 PM, Sascha Welter wrote: (Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse: This is an update on today's security hotfix release. Thank you for the update, most helpful! The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011 (11:00am US EDT.) Updated versions of Zope 2 containing the security fix will be released at the same time. For details on which versions of Zope and Plone are affected, please see: http://plone.org/products/plone/security/advisories/20110622 It says Zope 2.10 and 2.11 users who have not installed PloneHotfix20110720 are not affected - can I conclude from that, that Zope 2.9 would not be affected either? Regards, Sascha ___ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev ) ___ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] How to setStatus(301) for zException Redirect
Using Zope 2.10.8 I'd like to let an access rule trigger a 301 'moved
permanently' redirect.
I created an external method to raise the exception, which almost does the
trick
except for the fact that it generates a 302 Moved Temporarily status code.
from zExceptions import Redirect
def myDispatcher(self, url):
raise Redirect(url)
Tried request.setStatus(301) both in my access rule and the external method,
but
this effectively disables the redirect. Also tried modifying my external method
similar to request.response.redirect() as follows. Still no luck.
from zExceptions import Redirect
def myDispatcher(self, url, status, lock):
raise Redirect(url, status, lock)
I finally traced it to HTTPResponse.py starting around line 763-790 the 302
status seems to be hardcoded. How would I go about changing this? I'd rather
not
hack directly in the Zope code...
self.setStatus(t)
if self.status = 300 and self.status 400:
if isinstance(v, str) and absuri_match(v) is not None:
if self.status == 300:
self.setStatus(302)
self.setHeader('location', v)
tb = None # just one path covered
return self
elif isinstance(v, Redirect): # death to string exceptions!
if self.status == 300:
self.setStatus(302)
self.setHeader('location', v.args[0])
self.setBody('')
tb = None
return self
else:
try:
l, b = v
if (isinstance(l, str)
and absuri_match(l) is not None):
if self.status == 300:
self.setStatus(302)
self.setHeader('location', l)
self.setBody(b)
tb = None # one more patch covered
return self
except:
pass # tb is not cleared in this case
Norbert
___
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: losing random session data
Tres Seaver wrote:
Note as well that using mutable Python primitives (dicts, lists) is
tricky, as they don't notify *their* container (the persistent
SessionDataObject) when they are mutatated. If you are using them,
rather than some persistent variant, then you need to rebind them into
the container. E.g.:
mapping = SESSION.get('mapping')
if mapping is None:
mapping = {}
mapping['foo'] = REQUEST.form('foo')
SESSION['mapping'] = mapping # triggers persistence
Thanks Tres Maciej!
This does the trick:
order = []
new_order={}
prev_order=req.SESSION.get('order')
if prev_order != None:
for orders in prev_order:
for item in orders.keys():
new_order[item]=orders[item]
order.append(new_order)
new_order ={}
for val in req.form.keys():
new_order[val]=req.form[val]
order.append(new_order)
req.SESSION['order'] = order
With the expected output:
order [{'foo': '1', 'bar': 'a'}, {'foo': '2', 'bar': 'b'},
{'foo': '7', 'bar': 'e'}, {'foo': '6', 'bar': 'z'}, {'foo': '1', 'bar':
'a'}]
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: losing random session data
Maciej Wisniowski wrote:
This seems to be hardcore ;) I mean that it should not
be necessary to do such rewrite of all keys and values
for dictionaries or lists taken from session.
I never had to do something like that...
Isn't it working without these assignments? Just:
order=req.SESSION.get('order', []) # if there is no 'order' in session
# you'll simply get empty list here
new_order = {}
for val in req.form.keys():
new_order[val]=req.form[val]
order.append(new_order)
req.SESSION['order'] = order
BTW. req.SESSION.set(..., ...) method is also persistence aware
(according to zope book)
I discovered this too, after posting. You are absolutely correct!
Thanks again,
Norbert
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] losing random session data
In Zope 2.7.5-final, python 2.3.5, freebsd6 with Transient Object
Container settings:
Data timeout: 20
Timeout resolution: 20
Maximum subobjects: 1000
and a python script that does this:
req = context.REQUEST
prev_order=(req.SESSION.get('order'))
if prev_order == None:
order=[]
else:
order = prev_order
order.append(req.form)
req.SESSION.set('order',order)
my data ends up looking like this:
order [{}, {}, {'foo': '1', 'bar': 'a'}, {}, {'foo': '2', 'bar': 'b'},
{'foo': '6', 'bar': 'z'}, {'foo': '1', 'bar': 'a'}]
I've seen http://mail.zope.org/pipermail/zope-dev/2006-July/027890.html
and am aware that related bug existed prior to 2.7.1.
I've used sessions without problems before, this is the first time I
attempt to store variables in containers. What am I doing wrong?
Norbert
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: Error Value: 'Set' object has no attribute 'count'
kjcsb wrote: I am getting an error message when Zope is trying to evaluate the following: elif string.count(product_info['product']['options'],'lookup') == 1: Wild guess: Zwarehouse? Have you tried that mailing list? http://www.zwarehouse.org/wiki/MailList Traceback (innermost last): * Module ZPublisher.Publish, line 101, in publish * Module ZPublisher.mapply, line 88, in mapply * Module ZPublisher.Publish, line 39, in call_object * Module Products.Skins.FSPythonScript, line 108, in __call__ * Module Shared.DC.Scripts.Bindings, line 306, in __call__ * Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec * Module Products.Skins.FSPythonScript, line 163, in _exec * Module None, line 35, in product_info FSPythonScript at /my_site/zwarehouse/ZWarehouse/product_info Line 35 * Module Products.ZWarehouse.ZWarehouseBase, line 1076, in fullProductInformation * Module Products.ZWarehouse.ZWarehouseBase, line 957, in define_tax_for_product * Module string, line 165, in count AttributeError: 'Set' object has no attribute 'count' Can anybody suggest an alternative to Zwarehouse? Norbert ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Problem generating Transfer-Encoding: chunked
Hi All,
I'm in the process of writing a python script that goes through a long
list in batches and outputs its progress to HTML. (Zope 2.7.5 behind Apache)
The result is not what I expected: instead of returning the results in
small chunks, Zope (Apache, gremlins?) rewrites the output and returns
much larger sections of data.
If I remove the Transfer-Encoding header and replace it with a fixed
Content-Length, I can see that my script outputs its chunks as intended...
Can anyone offer suggestions?
Norbert
[Code below:]
RESPONSE=context.REQUEST.RESPONSE
RESPONSE.setHeader('Content-Type', 'text/html')
RESPONSE.setHeader('Transfer-Encoding', 'chunked')
RESPONSE.write( str(hex(len(htmlHeader)))[2:]+'\n'+htmlHeader+'\n' )
def doBatch(start, end):
-- run through list and output --
RESPONSE.write(str(hex(len(htmlContent)))[2:]+'\n'+htmlContent+'\n')
while myBatch = numBatches and start -1:
start = doBatch(start,end)
end = start + batchSize
myBatch +=1
RESPONSE.write(str(hex(len(htmlFooter)))[2:]+'\n'+htmlFooter+'\n\n')
[incorrect HTML output snippet:]
HTTP/1.1 200 OK
Date: Fri, 15 Sep 2006 22:37:22 GMT
Server: Zope/(Zope 2.7.5-final, python 2.3.5, freebsd4) ZServer/1.1
Content-Type: text/html
X-Cache: MISS from xxx.xxx.xxx
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
db8
html
head
titleProgress Report.../title
/head
body
h2Batch 0: 0 - 25/h2 -- expected new chunk
p[data]/p
h2Batch 1: 26 - 51/h2-- expected new chunk
p[data]/p
h2Batch 2: 51 - 76/h2-- expected new chunk
p[data]/p
45e
h2Batch 3: 76 - 101/h2 -- why does chunk start here?
p[data]/p
hr -- expected new chunk
h2DONE!/h2
/body
/html
0
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Chris Withers wrote: michael nt milne wrote: Over and out on this one from me You promise? ;-) Chris I think Tino made the key suggestion earlier on: log out of the ZMI, close your browser, restart it, clear the cache, clear any saved passwords, try to view the page in question and - if your settings are correct - get prompted to log by whichever authentication mechanism you chose to implement. If you cancel out and are able to view the page, you made a configuration mistake somewhere. Find it, fix it - and try again. This has become one of the more hilarious threads I've read in a long time. I suggest submitting Michael's name to alt.usenet.kooks for consideration as KotM. Norbert ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
