The Buildbot has detected a failed build of Zope trunk 2.4 Linux zc-buildbot.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6544
Blamelist: andreasjung,benji,benji_york,jim
BUILD FAILED: failed test
sincerely,
-The Buildbot
The Buildbot has detected a failed build of Zope trunk 2.4 Windows 2000
zc-bbwin6.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6544
Blamelist: andreasjung,benji,benji_york,jim
BUILD FAILED: failed compile
sincerely,
-The Buildbot
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think we should do a 2.9.4 release to incorporate the recent hot
fix.
This is easy for me to say,
The Buildbot has detected a failed build of Zope trunk 2.4 Windows 2000
zc-bbwin6.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6545
Blamelist: andreasjung
BUILD FAILED: failed compile
sincerely,
-The Buildbot
The Buildbot has detected a failed build of Zope trunk 2.4 Linux zc-buildbot.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6547
Blamelist: andreasjung
BUILD FAILED: failed test
sincerely,
-The Buildbot
The Buildbot has detected a failed build of Zope trunk 2.4 Windows 2000
zc-bbwin6.
Buildbot URL: http://buildbot.zope.org/
Build Reason: changes
Build Source Stamp: 6547
Blamelist: andreasjung
BUILD FAILED: failed compile
sincerely,
-The Buildbot
According to Andreas Jung:
Tres' patch is looking fine to me. I don't see a need right now
for dropping reST with having file inclusion *removed*.
Has anyone written tests for Tres' patch? Apparently no one wrote
adequate tests for the last hot fix, which helped put us in this
--On 9. Juli 2006 12:29:24 +0200 Willi Langenberger [EMAIL PROTECTED]
wrote:
@Tres: what is the reason to keep the 'raw' code in docutils? I am in
favor to remove it and replace it with a NotImplementedError exception
(same as for the 'include' code). The related tests (for
On Jul 8, 2006, at 3:06 PM, Andreas Jung wrote:
No, it is not. I haven't worked on the hotfix...so why would it be
up to me to write tests?
It's not. The person who *did* write the hot-fix didn't want the
feature in the first place. Tres stepped up and helped us in an
emergency. I imagine
On Jul 8, 2006, at 3:27 PM, Andreas Jung wrote:
--On 8. Juli 2006 15:05:21 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think this applies here as well.
1. ZClasses are not a security threat. reST is. That's a huge
difference.
Being a security threat or not ...how will you prove that
On Jul 8, 2006, at 3:34 PM, Tres Seaver wrote:
...
The monkeypatch in the hotfix *might* be defeated that way, sure. The
updated version of docutils I checked in will *not*, because it disables
file inclusion inside the source of the dangerous handlers.
Another possible fix would be to
On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
...
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was aware of the 'raw'
directive as an attack vector for file inclusion until you mentioned it
the other day.
On Jul 8, 2006, at 5:38 PM, Tino Wildenhain wrote:
Jim Fulton wrote:
...
You mean auditing. Testing would not help imho. Testing
only checks if expected behavior still works. And nobody
expects the Spanish Inquisition *wink* ;)
You can test that trying to do file-inclusion fails.
For
Jim Fulton wrote:
On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
...
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was aware of the 'raw'
directive as an attack vector
On Jul 9, 2006, at 9:43 AM, Tres Seaver wrote:
Jim Fulton wrote:
On Jul 8, 2006, at 3:40 PM, Tres Seaver wrote:
...
I'll note that tests wouldn't have helped here in the absence of a more
careful security review of docutils: none of us was
--On 9. Juli 2006 10:10:53 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
That doesn't change the fact that when we found out about the threat
last fall, we didn't check all of the places in Zope where we were using
reST. You might say that this was because the person who did the hot
fix didn't
On Jul 9, 2006, at 10:47 AM, Andreas Jung wrote:
...
But that just illustrates that our current approach of everyone is
responsible for everything or, cynically, no one is responsible for
anything isn't working.
Isn't that the approach how Zope is working since years?
Yes, but Zope is
Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think we should do a 2.9.4
--On 9. Juli 2006 15:22:18 -0400 Tres Seaver [EMAIL PROTECTED] wrote:
I've written some tests (checked in on the trunk). They test the 'raw'
and 'include' directives
Great! Maybe we can add a similar set for the 'fmt=restructured-text'
in DTML.
Jup, but I won't be able to do this over the
Tres Seaver wrote:
Andreas Jung wrote:
--On 8. Juli 2006 07:45:01 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
On Jul 8, 2006, at 1:11 AM, Andreas Jung wrote:
--On 7. Juli 2006 11:03:06 -0400 Jim Fulton [EMAIL PROTECTED] wrote:
I think we