Re: [Zope-CMF] [Warning] Danger from Zope caching, especially the CMF Caching Policy Manager
Previously Dieter Maurer wrote:
> The description indicates in what direction the CPM should get fixed:
>
>  * If the response already provides cache control, the CPM should
>    not override it, as it is likely that the specific information
>    available to the response generating process is more trustworthy
>    than the general CPM policies.

If we want to make CPM smarter, wouldn't it make more sense to have it select the most restrictive set of caching settings? If I have static content that can be cached forever but include a portlet with private information which changes every minute, I do not want to get the caching settings for the static content.

Wichert.

--
Wichert Akkerman <[EMAIL PROTECTED]>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.
___
Zope-CMF maillist - Zope-CMF@lists.zope.org
http://mail.zope.org/mailman/listinfo/zope-cmf
See http://collector.zope.org/CMF for bug reports and feature requests
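The "most restrictive set of caching settings" idea from the reply above, as an added sketch that is not part of the original message and not CMF code. The function names and the strictness ranking (public < private < no-cache < no-store) are assumptions of this example; only the visibility directives, `max-age` and a few flag directives are handled, and quoted arguments containing commas are not.

```python
# Added sketch, not CMF code. The strictness ranking is an assumption here.
RANK = {"public": 0, "private": 1, "no-cache": 2, "no-store": 3}
NAME = {rank: name for name, rank in RANK.items()}
FLAGS = ("must-revalidate", "proxy-revalidate", "no-transform")


def parse(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def _age(arg):
    try:
        return max(int(arg), 0)
    except (TypeError, ValueError):
        return 0  # malformed max-age: treat the fragment as already stale


def most_restrictive(*values):
    """Combine the Cache-Control values of all fragments of one response."""
    level, ages, flags = -1, [], set()  # -1: no fragment stated a visibility
    for value in values:
        directives = parse(value)
        level = max([level] + [RANK[d] for d in directives if d in RANK])
        flags.update(d for d in directives if d in FLAGS)
        if "max-age" in directives:
            ages.append(_age(directives["max-age"]))
    parts = [NAME[level]] if level >= 0 else []
    if level < RANK["no-cache"] and ages:
        parts.append("max-age=%d" % min(ages))  # shortest lifetime wins
    parts.extend(f for f in FLAGS if f in flags)  # flags only ever accumulate
    return ", ".join(parts)
```
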
Re: [Zope-CMF] [Warning] Danger from Zope caching, especially the CMF Caching Policy Manager
On 17 Dec 2006, at 18:52, Dieter Maurer wrote:
> The description indicates in what direction the CPM should get fixed:
>
>  * If the response already provides cache control, the CPM should
>    not override it, as it is likely that the specific information
>    available to the response generating process is more trustworthy
>    than the general CPM policies.
>
>    This is arguable, especially as it changes the current behaviour.
>    Maybe, it should be controlled by an additional configuration option.

I don't know if it is possible to have any sane policy about "what to do if the response already has caching headers". First of all, when should this exception policy trigger? Which headers should tell the CPM that someone else already decided on caching? Secondly, what is the behavior supposed to be? "Do nothing"? "DWIM"? This obviously needs exact specifications and use cases.

>  * The CPM (and Zope's HTTP Cache Manager) must set cache headers
>    only based on the object that generated the (complete) response
>    entity and not based on other objects called during the request
>    (and probably only responsible for part of the entity).

As mentioned in my reply to your collector issue, there are fixes on the CMF trunk already and you should look at those to see if they fix your problem.

jens
[Zope-CMF] [Warning] Danger from Zope caching, especially the CMF Caching Policy Manager
Crosspost: 'Reply-To' set to 'zope-cmf'.

We nearly escaped a catastrophe: a page with sensitive personal information ended in a shared cache and was delivered to arbitrary people.

This happened despite the fact that the template generating the page contained a "response.setHeader('Cache-Control', 'no-cache')" (and related headers for non HTTP/1.1 clients).

The analysis quickly revealed broken design in the CMF Caching Policy Manager (CPM) as the cause:

 * it has applied its general policy despite the fact that the template itself has provided more adequate decisions with respect to caching

 * the caching policy manager action affects the complete response. Therefore, only the top level object, the object that controls the response content, should influence the CPM decisions.

   In the concrete case, the primary template did not trigger the CPM but the call of a secondary template responsible only for a tiny part of the response.

The same problem also affects Zope's HTMLCacheManager.

The description indicates in what direction the CPM should get fixed:

 * If the response already provides cache control, the CPM should not override it, as it is likely that the specific information available to the response generating process is more trustworthy than the general CPM policies.

   This is arguable, especially as it changes the current behaviour. Maybe, it should be controlled by an additional configuration option.

 * The CPM (and Zope's HTTP Cache Manager) must set cache headers only based on the object that generated the (complete) response entity and not based on other objects called during the request (and probably only responsible for part of the entity).

--
Dieter
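A constructed model of the failure reported above and of the two proposed fix directions, added here as an example; it is not part of the original message and is not CMF or Zope code. `Response`, `PolicyManager`, the flags `respect_existing` and `published_only`, and the object names are hypothetical.

```python
# Constructed model of the reported failure; not CMF or Zope code.
# Response, PolicyManager and both flags are hypothetical names.

class Response:
    def __init__(self):
        self.headers = {}

    def setHeader(self, name, value):
        self.headers[name.lower()] = value

    def getHeader(self, name):
        return self.headers.get(name.lower())


class PolicyManager:
    """Applies one general policy whenever a template it manages renders."""

    def __init__(self, policy, respect_existing=False, published_only=False):
        self.policy = policy
        self.respect_existing = respect_existing
        self.published_only = published_only

    def apply(self, response, rendered, published):
        if self.published_only and rendered != published:
            return False  # fragment of the page: must not decide for the whole
        if self.respect_existing and response.getHeader("Cache-Control"):
            return False  # the generating code already chose; keep its choice
        for name, value in self.policy.items():
            response.setHeader(name, value)
        return True


def render_sensitive_page(manager):
    """Primary template sets no-cache, then calls a managed secondary one."""
    response = Response()
    response.setHeader("Cache-Control", "no-cache")  # primary template
    # Secondary template (a small part of the page) triggers the manager.
    manager.apply(response, rendered="portlet", published="account_page")
    return response.getHeader("Cache-Control")
```

With both flags off, the general policy replaces the template's `no-cache`; enabling either flag leaves it in place.
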
[Zope-CMF] CMF Tests: 8 OK, 1 Failed
Summary of messages to the cmf-tests list.
Period Sat Dec 16 12:00:00 2006 UTC to Sun Dec 17 12:00:00 2006 UTC.
There were 9 messages: 9 from CMF Unit Tests.

Test failures
-------------

Subject: FAILED (failures=3) : CMF-trunk Zope-trunk Python-2.4.4 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:55:21 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003550.html

Tests passed OK
---------------

Subject: OK : CMF-1.5 Zope-2.7 Python-2.3.6 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:43:21 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003542.html

Subject: OK : CMF-1.5 Zope-2.8 Python-2.3.6 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:44:51 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003543.html

Subject: OK : CMF-1.5 Zope-2.9 Python-2.4.4 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:46:21 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003544.html

Subject: OK : CMF-1.6 Zope-2.8 Python-2.3.6 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:47:51 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003545.html

Subject: OK : CMF-1.6 Zope-2.9 Python-2.4.4 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:49:21 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003546.html

Subject: OK : CMF-2.0 Zope-2.9 Python-2.4.4 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:50:51 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003547.html

Subject: OK : CMF-2.0 Zope-2.10 Python-2.4.4 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:52:21 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003548.html

Subject: OK : CMF-trunk Zope-2.10 Python-2.4.4 : Linux
From: CMF Unit Tests
Date: Sat Dec 16 21:53:51 EST 2006
URL: http://mail.zope.org/pipermail/cmf-tests/2006-December/003549.html
[Zope-CMF] CMF Collector: Open Issues
The following supporters have open issues assigned to them in this collector (http://www.zope.org/Collectors/CMF).

Assigned and Open

  mhammond

    - "Windows DevelopmentMode penalty in CMFCore.DirectoryView", [Accepted] http://www.zope.org/Collectors/CMF/366

Pending / Deferred Issues

    - "FSPropertiesObject.py cannot handle multiline input for lines, text attributes", [Deferred] http://www.zope.org/Collectors/CMF/271
    - "Can't invalidate skin items in a RAMCacheManager", [Pending] http://www.zope.org/Collectors/CMF/343
    - "workflow notify success should be after reindex", [Deferred] http://www.zope.org/Collectors/CMF/389
    - "Possible bug when using a BTreeFolder Member folder", [Pending] http://www.zope.org/Collectors/CMF/441
    - "Proxy Roles not Working/Applied to Worflow Transition Scripts", [Pending] http://www.zope.org/Collectors/CMF/449
    - "safe_html filters some tags which should probably not be filtered", [Pending] http://www.zope.org/Collectors/CMF/452
    - "purge_old in runAllImportSteps not working", [Pending] http://www.zope.org/Collectors/CMF/455
    - "PUT handling for Events is broken", [Pending] http://www.zope.org/Collectors/CMF/458

Pending / Deferred Features

    - "Favorite.py: queries and anchors in remote_url", [Pending] http://www.zope.org/Collectors/CMF/26
    - "DefaultDublinCore should have Creator property", [Pending] http://www.zope.org/Collectors/CMF/61
    - "Document.py: universal newlines", [Pending] http://www.zope.org/Collectors/CMF/174
    - "portal_type is undefined in initialization code", [Pending] http://www.zope.org/Collectors/CMF/248
    - "CMFTopic Does Not Cache", [Deferred] http://www.zope.org/Collectors/CMF/295
    - "Wishlist: a flag that tags the selected action.", [Pending] http://www.zope.org/Collectors/CMF/301
    - "CMFDefault should make use of allowCreate()", [Pending] http://www.zope.org/Collectors/CMF/340
    - "Nested Skins", [Deferred] http://www.zope.org/Collectors/CMF/377
    - "CatalogVariableProvider code + tests", [Pending] http://www.zope.org/Collectors/CMF/378
    - "manage_doCustomize() : minor additions", [Pending] http://www.zope.org/Collectors/CMF/382
    - "CMF needs View-based TypeInformation", [Pending] http://www.zope.org/Collectors/CMF/437
    - "Marker attributes should be deprecated", [Pending] http://www.zope.org/Collectors/CMF/440