Re: [Zope] [Zope-dev] Security announcement update
This should be clarified too:

You should, however, make sure that you are running either Zope 2.10.13 or Zope 2.11.8 and PluggableAuthService 1.5.5, 1.6.5 or 1.7.5

Why must PluggableAuthService (+ its dependencies) even be installed?

-N

On 6/28/2011 3:30 PM, Sascha Welter wrote:

(Tue, Jun 28, 2011 at 12:57:02PM +0100) Laurence Rowe wrote/schrieb/egrapse:

This is an update on today's security hotfix release.

Thank you for the update, most helpful!

The fix will be released at 15:00 UTC today, Tuesday 28th June, 2011 (11:00am US EDT.) Updated versions of Zope 2 containing the security fix will be released at the same time. For details on which versions of Zope and Plone are affected, please see:
http://plone.org/products/plone/security/advisories/20110622

It says Zope 2.10 and 2.11 users who have not installed PloneHotfix20110720 are not affected - can I conclude from that, that Zope 2.9 would not be affected either?

Regards,
Sascha

___
Zope maillist - Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )
[Zope] How to setStatus(301) for zException Redirect
Using Zope 2.10.8 I'd like to let an access rule trigger a 301 'moved permanently' redirect. I created an external method to raise the exception, which almost does the trick except for the fact that it generates a 302 Moved Temporarily status code.

    from zExceptions import Redirect

    def myDispatcher(self, url):
        raise Redirect(url)

Tried request.setStatus(301) both in my access rule and the external method, but this effectively disables the redirect. Also tried modifying my external method similar to request.response.redirect() as follows. Still no luck.

    from zExceptions import Redirect

    def myDispatcher(self, url, status, lock):
        raise Redirect(url, status, lock)

I finally traced it to HTTPResponse.py starting around line 763-790 the 302 status seems to be hardcoded. How would I go about changing this? I'd rather not hack directly in the Zope code...

    self.setStatus(t)
    if self.status >= 300 and self.status < 400:
        if isinstance(v, str) and absuri_match(v) is not None:
            if self.status == 300:
                self.setStatus(302)
            self.setHeader('location', v)
            tb = None # just one path covered
            return self
        elif isinstance(v, Redirect): # death to string exceptions!
            if self.status == 300:
                self.setStatus(302)
            self.setHeader('location', v.args[0])
            self.setBody('')
            tb = None
            return self
        else:
            try:
                l, b = v
                if (isinstance(l, str)
                    and absuri_match(l) is not None):
                    if self.status == 300:
                        self.setStatus(302)
                    self.setHeader('location', l)
                    self.setBody(b)
                    tb = None # one more patch covered
                    return self
            except:
                pass # tb is not cleared in this case

Norbert
[Zope] Re: losing random session data
Tres Seaver wrote:

Note as well that using mutable Python primitives (dicts, lists) is tricky, as they don't notify *their* container (the persistent SessionDataObject) when they are mutated. If you are using them, rather than some persistent variant, then you need to rebind them into the container. E.g.:

    mapping = SESSION.get('mapping')
    if mapping is None:
        mapping = {}
    mapping['foo'] = REQUEST.form['foo']
    SESSION['mapping'] = mapping # triggers persistence

Thanks Tres & Maciej! This does the trick:

    order = []
    new_order = {}
    prev_order = req.SESSION.get('order')
    if prev_order != None:
        # copy every stored order into a fresh dict
        for orders in prev_order:
            for item in orders.keys():
                new_order[item] = orders[item]
            order.append(new_order)
            new_order = {}
    # copy the current form values instead of storing req.form itself
    for val in req.form.keys():
        new_order[val] = req.form[val]
    order.append(new_order)
    req.SESSION['order'] = order

With the expected output:

    order [{'foo': '1', 'bar': 'a'}, {'foo': '2', 'bar': 'b'}, {'foo': '7', 'bar': 'e'}, {'foo': '6', 'bar': 'z'}, {'foo': '1', 'bar': 'a'}]
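Tres's point about mutable values, as an added example that is not from the thread and is not ZODB code: a toy `TrackedSession` (hypothetical, like every name below) writes a snapshot only when a key is rebound. The `form.clear()` step is an assumption of this model, included to show why both fixes in the thread copy the form values into a fresh dict.

```python
import pickle


class TrackedSession(dict):
    """Toy stand-in for a persistent session object (not ZODB code).

    It only learns about changes made through its own __setitem__;
    commit() writes a snapshot only when that flag is set.
    """

    def __init__(self):
        super().__init__()
        self._changed = False
        self._stored = pickle.dumps({})

    def __setitem__(self, key, value):
        super().__setitem__(key, value)
        self._changed = True  # rebinding a key notifies the container

    def commit(self):
        if self._changed:
            self._stored = pickle.dumps(dict(self))
            self._changed = False

    def reload(self):
        """What a later request would read back."""
        return pickle.loads(self._stored)


def new_session():
    session = TrackedSession()
    session["order"] = []
    session.commit()
    return session


def append_in_place(session, form):
    # The inner list changes, but the session is never told.
    session["order"].append(dict(form))
    session.commit()
    return session.reload()["order"]


def append_and_rebind(session, form, copy_form=True):
    order = list(session.get("order", []))
    order.append(dict(form) if copy_form else form)
    session["order"] = order  # triggers persistence
    form.clear()  # assumption: the caller clears the form before the write
    session.commit()
    return session.reload()["order"]
```
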
[Zope] Re: losing random session data
Maciej Wisniowski wrote:

This seems to be hardcore ;) I mean that it should not be necessary to do such rewrite of all keys and values for dictionaries or lists taken from session. I never had to do something like that... Isn't it working without these assignments? Just:

    order = req.SESSION.get('order', [])  # if there is no 'order' in session
                                          # you'll simply get empty list here
    new_order = {}
    for val in req.form.keys():
        new_order[val] = req.form[val]
    order.append(new_order)
    req.SESSION['order'] = order

BTW. req.SESSION.set(..., ...) method is also persistence aware (according to zope book)

I discovered this too, after posting. You are absolutely correct!

Thanks again,
Norbert
[Zope] losing random session data
In Zope 2.7.5-final, python 2.3.5, freebsd6 with Transient Object Container settings:

    Data timeout: 20
    Timeout resolution: 20
    Maximum subobjects: 1000

and a python script that does this:

    req = context.REQUEST
    prev_order = (req.SESSION.get('order'))
    if prev_order == None:
        order = []
    else:
        order = prev_order
    order.append(req.form)
    req.SESSION.set('order', order)

my data ends up looking like this:

    order [{}, {}, {'foo': '1', 'bar': 'a'}, {}, {'foo': '2', 'bar': 'b'}, {'foo': '6', 'bar': 'z'}, {'foo': '1', 'bar': 'a'}]

I've seen http://mail.zope.org/pipermail/zope-dev/2006-July/027890.html and am aware that related bug existed prior to 2.7.1. I've used sessions without problems before, this is the first time I attempt to store variables in containers. What am I doing wrong?

Norbert
[Zope] Re: Error Value: 'Set' object has no attribute 'count'
kjcsb wrote:

I am getting an error message when Zope is trying to evaluate the following:

    elif string.count(product_info['product']['options'],'lookup') == 1:

Wild guess: Zwarehouse? Have you tried that mailing list?
http://www.zwarehouse.org/wiki/MailList

    Traceback (innermost last):
    * Module ZPublisher.Publish, line 101, in publish
    * Module ZPublisher.mapply, line 88, in mapply
    * Module ZPublisher.Publish, line 39, in call_object
    * Module Products.Skins.FSPythonScript, line 108, in __call__
    * Module Shared.DC.Scripts.Bindings, line 306, in __call__
    * Module Shared.DC.Scripts.Bindings, line 343, in _bindAndExec
    * Module Products.Skins.FSPythonScript, line 163, in _exec
    * Module None, line 35, in product_info
      FSPythonScript at /my_site/zwarehouse/ZWarehouse/product_info
      Line 35
    * Module Products.ZWarehouse.ZWarehouseBase, line 1076, in fullProductInformation
    * Module Products.ZWarehouse.ZWarehouseBase, line 957, in define_tax_for_product
    * Module string, line 165, in count
    AttributeError: 'Set' object has no attribute 'count'

Can anybody suggest an alternative to Zwarehouse?

Norbert
[Zope] Problem generating Transfer-Encoding: chunked
Hi All,

I'm in the process of writing a python script that goes through a long list in batches and outputs its progress to HTML. (Zope 2.7.5 behind Apache)

The result is not what I expected: instead of returning the results in small chunks, Zope (Apache, gremlins?) rewrites the output and returns much larger sections of data. If I remove the Transfer-Encoding header and replace it with a fixed Content-Length, I can see that my script outputs its chunks as intended...

Can anyone offer suggestions?

Norbert

[Code below:]

    RESPONSE = context.REQUEST.RESPONSE
    RESPONSE.setHeader('Content-Type', 'text/html')
    RESPONSE.setHeader('Transfer-Encoding', 'chunked')
    RESPONSE.write(str(hex(len(htmlHeader)))[2:]+'\n'+htmlHeader+'\n')

    def doBatch(start, end):
        # -- run through list and output --
        RESPONSE.write(str(hex(len(htmlContent)))[2:]+'\n'+htmlContent+'\n')

    while myBatch <= numBatches and start > -1:
        start = doBatch(start, end)
        end = start + batchSize
        myBatch += 1

    RESPONSE.write(str(hex(len(htmlFooter)))[2:]+'\n'+htmlFooter+'\n\n')

[incorrect HTML output snippet:]

    HTTP/1.1 200 OK
    Date: Fri, 15 Sep 2006 22:37:22 GMT
    Server: Zope/(Zope 2.7.5-final, python 2.3.5, freebsd4) ZServer/1.1
    Content-Type: text/html
    X-Cache: MISS from xxx.xxx.xxx
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Transfer-Encoding: chunked

    db8
    <html>
    <head>
    <title>Progress Report...</title>
    </head>
    <body>
    <h2>Batch 0: 0 - 25</h2> -- expected new chunk
    <p>[data]</p>
    <h2>Batch 1: 26 - 51</h2> -- expected new chunk
    <p>[data]</p>
    <h2>Batch 2: 51 - 76</h2> -- expected new chunk
    <p>[data]</p>
    45e
    <h2>Batch 3: 76 - 101</h2> -- why does chunk start here?
    <p>[data]</p>
    <hr> -- expected new chunk
    <h2>DONE!</h2>
    </body>
    </html>
    0
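Chunk boundaries belong to each HTTP hop (Transfer-Encoding is a hop-by-hop header), so a server or proxy between the script and the browser may re-frame the body without changing the payload. The following is an added example, not code from the original post: it frames, parses and re-chunks a constructed body, and shows that the bare-LF framing written by hand in the post is not valid chunked coding; all function names are illustrative.

```python
import re

# Constructed sample: three progress fragments like the ones in the post.
SAMPLE_BATCHES = [b"<h2>Batch 0</h2>", b"<h2>Batch 1</h2>", b"<h2>DONE!</h2>"]


def encode_chunked(parts):
    """One chunk per part: hex size, CRLF, data, CRLF; then the last chunk."""
    wire = b""
    for part in parts:
        if part:  # a zero-length chunk would terminate the body early
            wire += b"%x\r\n" % len(part) + part + b"\r\n"
    return wire + b"0\r\n\r\n"


def lf_framed(parts):
    """The framing used in the post: bare LF separators, no last chunk."""
    return b"".join(b"%x\n" % len(p) + p + b"\n" for p in parts) + b"\n"


def decode_chunked(wire):
    """Return the list of chunks; raise ValueError on malformed framing."""
    chunks, pos = [], 0
    while True:
        eol = wire.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line not terminated by CRLF")
        field = wire[pos:eol].split(b";")[0]  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", field):
            raise ValueError("chunk size is not hexadecimal")
        size, pos = int(field, 16), eol + 2
        if size == 0:
            return chunks  # trailer section is not parsed here
        end = pos + size
        if wire[end:end + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        chunks.append(wire[pos:end])
        pos = end + 2


def rechunk(wire, size):
    """Model of an intermediary: same payload, new chunk boundaries."""
    body = b"".join(decode_chunked(wire))
    return encode_chunked([body[i:i + size] for i in range(0, len(body), size)])


def is_valid_chunked(wire):
    try:
        decode_chunked(wire)
        return True
    except ValueError:
        return False
```
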
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Chris Withers wrote:

michael nt milne wrote:

Over and out on this one from me

You promise? ;-)

Chris

I think Tino made the key suggestion earlier on: log out of the ZMI, close your browser, restart it, clear the cache, clear any saved passwords, try to view the page in question and - if your settings are correct - get prompted to log by whichever authentication mechanism you chose to implement. If you cancel out and are able to view the page, you made a configuration mistake somewhere. Find it, fix it - and try again.

This has become one of the more hilarious threads I've read in a long time. I suggest submitting Michael's name to alt.usenet.kooks for consideration as KotM.

Norbert