Re: [Zope-dev] Python 2.0
On Fri, 21 Jul 2000 16:29:23 +0100, Toby Dickenson [EMAIL PROTECTED] wrote:

This problem goes away if I don't compile python with garbage collection support. I guess I shouldn't be surprised.

Is anyone else using Zope with python 2.0? (on NT, fwiw)

I am occasionally seeing protection faults as Zope starts up. When it happens, the fault is repeatable until I truncate data.fs. There may be some correlation to changing a help file (Zope's new help system will reindex its help files at startup if any have changed).

Annoyingly, it doesn't happen with a debugging build.

Is anyone else seeing this? Or not seeing this?

Toby Dickenson [EMAIL PROTECTED]
Re: [Zope-dev] Security Strangeness
Johan Carlsson wrote:

First, you can't delegate the permission to add and delete users except by assigning the user the role "manager". IMHO this is too limiting.

Second, if you give a user the permission to Change Permissions, that user can change permissions that she doesn't have the right to manage in the first place. In that way she can upgrade her permissions. That's no good.

This is a little inflexible isn't it? Chuck it in the collector I guess... :S

cheers,

Chris
[Zope-dev] System error
Hi,

I have a problem deleting a folder. I have made a product, which has some bugs. After I have added it to a Folder named test I can't open the Folder and I can't delete the Folder test because a System Error occurs. The following error message occurs:

    <!--
    Traceback (innermost last):
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 214, in publish_module
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 179, in publish
      File /usr/share/zope/lib/python/Zope/__init__.py, line 202, in zpublisher_exception_hook
        (Object: ElementWithAttributes)
      File /usr/lib/python1.5/site-packages/ZPublisher/Publish.py, line 151, in publish
      File /usr/share/zope/lib/python/Products/SiteAccess/ChangeBehaviors.py, line 227, in traverse
      File /usr/lib/python1.5/site-packages/ZPublisher/BaseRequest.py, line 502, in old_validation
      File /usr/share/zope/lib/python/ZODB/Connection.py, line 396, in setstate
    SystemError: Failed to import class ImplicitAcquirerWrapper from module Acquisition
    -->

Who can help to delete this Folder?

Regards,

as
[Zope-dev] mxODBC, ExtensionClass.Missing and Results puzzle???
I've compiled up a mxODBC DA for use under windows so that multi-threaded odbc drivers can be used in a multi-threaded way. This works good so far except for one aspect. NULL values are being returned as "None" objects. This seems reasonable but it is not how ZODBC returns results. It will return a NULL as a "Missing" object (whatever that is?). I can't find any documentation to find out what this object is or means.

My biggest problem is that the UserDB product doesn't like None objects being returned for passwords. It seemed to handle the Missing objects fine.

To add to the mystery I noticed that the result object returned by an sql method connected to first ZODBC and then ZmxODBC was of two different types. ZmxODBC was returning a ZRDB.Results object. ZODBC was returning a ZRDB.RDB.DatabaseResults object. The latter is apparently a "Class for reading RDB files" but as this is the only documentation I can find I have no idea how it differs from the ZRDB.Results class or rather why ZODBC returns it and thus has NULL's replaced Missing objects.

Can anyone shed any light on any of this?

Dylan Jay mailto:[EMAIL PROTECTED]
Avaya Communication Tel: +61 2 9886-8961
Level 5, 15 Talavera Road FAX: +61 2 9352 9224
Nth Ryde NSW 2113 Mobile: +61 409 606 171
AUSTRALIA ICQ: 520341
[Zope-dev] Old broken product...
After a modification of the python source code, my product remains broken with the same error... No modification seems to be made to the line which leads to the error. Does somebody know why and how to cope with this ?
Re: [Zope-dev] Incorrect Padding?
Chris Withers wrote:

Does anyone know what this means? The page views fine for me and this is the first error of this type I've seen since we launched the archives. I wonder what WebWhacker is doing to cause this?

Well... you can get an incorrect padding error like this:

    >>> import binascii
    >>> binascii.a2b_base64('a ')
    Traceback (innermost last):
      File "<stdin>", line 1, in ?
    binascii.Error: Incorrect padding

You can also get it by adding arbitrary non-space characters to the end of a basic authentication string.

Here's the line that'll be causing the problem. (Zope 2.2final, lib/python/AccessControl/User.py line 441)

    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.

Maybe log the auth argument and re-whack your site. (Warning... this is certainly a nasty security hole. Be sure to get rid of the logging afterwards.)

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] Incorrect Padding?
Steve Alexander wrote:

My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.

Yuk, that sounds like a Zope bug. Collector time with patch? A judicious string.strip should solve the problem, surely?

Maybe log the auth argument and re-whack your site. (Warning... this is certainly a nasty security hole. Be sure to get rid of the logging afterwards.)

I didn't whack my site, I just got mailed the error... Okay, own up, who tried to WebWhack the list archives?! ;-)

cheers,

Chris
Re: [Zope-dev] Incorrect Padding?
Chris Withers wrote:

Steve Alexander wrote:

My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.

Yuk, that sounds like a Zope bug. Collector time with patch? A judicious string.strip should solve the problem, surely?

    >>> from base64 import decodestring
    >>> from string import *
    >>> auth="Basic"
    >>> tuple(split(decodestring(split(auth)[-1]), ':', 1))
    Traceback (innermost last):
      File "<stdin>", line 1, in ?
      File "/usr//lib/python1.5/base64.py", line 46, in decodestring
        decode(f, g)
      File "/usr//lib/python1.5/base64.py", line 32, in decode
        s = binascii.a2b_base64(line)
    binascii.Error: Incorrect padding

The problem is in the expression "split(auth)[-1]". If the auth string contains no space but at least one character, then split(auth)[-1] == split(auth)[0].

Perhaps what we should do is change this (lib/python/AccessControl/User.py, line 438)

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

to this:

    # Only do basic authentication
    if lower(auth[:6])!='basic ' and len(auth)6:
        return None
    name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1))

or even:

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(auth[6:]), ':', 1))

(Need to check the last one with the RFC -- are you allowed anything else other than "basic blarglebase64usernamepassword" ? )

Maybe log the auth argument and re-whack your site. (Warning... this is certainly a nasty security hole. Be sure to get rid of the logging afterwards.)

I didn't whack my site, I just got mailed the error...

Well... try whacking yourself and see what the whacker actually sends -- we're just guessing until then.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] Incorrect Padding?
Chris Withers wrote:

Steve Alexander wrote:

My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.

Yuk, that sounds like a Zope bug. Collector time with patch? A judicious string.strip should solve the problem, surely?

PS: A string.upper wouldn't go amiss either, then earlier versions of Mozilla that send an incorrectly capitalised 'Basic' might also be allowed to authenticate with Zope :-)

cheers,

Chris
Re: [Zope-dev] Python 2.0
On Mon, 24 Jul 2000, Toby Dickenson wrote:

On Fri, 21 Jul 2000 16:29:23 +0100, Toby Dickenson [EMAIL PROTECTED] wrote:

This problem goes away if I don't compile python with garbage collection support. I guess I shouldn't be surprised.

Python 2.0? Garbage collection? Huh? What?

Last I checked, Python 1.5.2 was the newest stable release, with 1.6 being under development. 1.7 due out by the end of the year, and Python 3000 being a redesign from the ground up.

Is there a 2.0 somewhere that I don't know about?

Toby Dickenson [EMAIL PROTECTED]

--Jeff

---
Jeff K. Hoffman 704.849.0731 x108
Chief Technology Officer mailto:[EMAIL PROTECTED]
Going Virtual, L.L.C. http://www.goingv.com/
Re: [Zope-dev] Python 2.0
On Tue, 25 Jul 2000, Anthony Baxter wrote:

What was once known as 1.6 is now called 2.0. There's probably more at the pythonlabs website. ah, here we go http://www.pythonlabs.com/tech/python2.html

Note that the release is currently held up for some reasons to do with the python team all leaving CNRI and going to BeOpen - sounds like some sort of licensing or copyright ugliness. The python development's moved to sourceforge in the meantime, so you can track it in CVS if you feel so inclined.

Ahh hah. I had looked on python.org and found nothing, but this explains why. That clears it up. Thanks.

Anthony

--Jeff

---
Jeff K. Hoffman 704.849.0731 x108
Chief Technology Officer mailto:[EMAIL PROTECTED]
Going Virtual, L.L.C. http://www.goingv.com/
[Zope-dev] ts_regex.gsub() doesn't work with compiled expressions
I'm trying to do the following:

    >>> import ts_regex
    >>> Z=ts_regex.compile('\(^\|[^%]\)%Z')
    >>> ts_regex.gsub(Z, '\\1BAR', '%Z foo %Z')
    Traceback (innermost last):
      File "<stdin>", line 1, in ?
      File "/usr/local/zope/SiteBox/lib/python/ts_regex.py", line 109, in __call__
        try: return apply(self._f, args, kw)
      File "/usr//lib/python1.5/regsub.py", line 38, in gsub
        regs = prog.regs
    AttributeError: regs

This works just fine if you don't compile the regex first:

    >>> import ts_regex
    >>> ts_regex.gsub('\(^\|[^%]\)%Z', '\\1BAR', '%Z foo %Z')
    'BAR foo BAR'

The problem is that ts_regex.compile instances do not expose the attribute "regs" that the method gsub of lib/python1.5/regsub.py requires.

I don't know the details of what is thread-safe and what is not in the regsub module, so I won't hazard a patch here. Perhaps overriding __getattr__ to return "regs" safely would help? I don't know.

I can also get it to work if I pass in the unwrapped compiled regular expression:

    >>> ts_regex.gsub(Z._r, '\\1BAR', '%Z foo %Z')
    'BAR foo BAR'

Is doing this in Zope threadsafe?

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] DateTime formatting with strftime: patch
This is now in the Collector, as bug number 1457.

http://classic.zope.org:8080/Collector/1457/view

Incidentally, http://classic.zope.org:8080/Collector/1409/view is another patch to the same problem. However, that patch doesn't address the root of the problem, which is that DateTime instances are associated with a particular timezone, and users expect all formatting to occur with respect to that particular timezone.

The fix in collector #1409 makes all strftime formatting happen in the local timezone of the Zope installation, not the timezone given in the particular DateTime instance being formatted.

Steve Alexander wrote:

Here's a working patch to make formatting of a DateTime instance work as generally expected, when you use dtml-var "_.DateTime()" fmt="%d %G %z" or whatever.

It could be made more efficient by compiling the two regex (regexes? regexen? regular expressions :-) ) into class attributes.

There's a problem with this optimisation -- see my other posting to zope-dev today.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] Incorrect Padding?
Chris Withers wrote:

Chris Withers wrote:

Steve Alexander wrote:

My guess is that the argument "auth" passed to validate() has some trailing characters. Either that, or WebWhacker passed just "Basic " as an auth string.

Yuk, that sounds like a Zope bug. Collector time with patch? A judicious string.strip should solve the problem, surely?

PS: A string.upper wouldn't go amiss either, then earlier versions of Mozilla that send an incorrectly capitalised 'Basic' might also be allowed to authenticate with Zope :-)

It is already there in 2.2final:

    if lower(auth[:6])!='basic ':
       ^

RFC 1945 has it as "Basic". http://www.freesoft.org/CIE/RFC/1945/67.htm

I also checked, and this version of the patch *should* work:

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))

The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah".

However, it still doesn't work if the client sends something bogus -- the tuple will only be one item long, rather than two.

If you want to be protected against bogosity in basic authentication, you can stick with the original line, and put it inside a try-except block:

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    try:
        name,password=\
            tuple(split(decodestring(split(auth)[-1]), ':', 1))
    except:
        # Bogus basic authentication. Perhaps log something?
        return None

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] Incorrect Padding?
Steve Alexander wrote:

snip excellent patches

Well, I think Brian Lloyd'd have to make the call... Nice work though, 2 for 2 on the day, that's pretty good going, are DC paying you yet? ;-)

cheers,

Chris
[Zope-dev] Wiki apps other than ZWiki 0.6.1
Perhaps more suited to this list than Zope, so I'll ask again...

I've been happily adding ManagedMode functionality to ZWiki 0.6.1 but wonder what other Wiki-on/in-Zope technologies there are that I should consider working with. I'm looking for cataloging, graphics upload, differencing, rename and delete and don't really want to have to work on them myself if these have been done or are soon to be done.

Searching on 'Wiki' appears to be useless, since the word crops up in so many contexts, hence my appeal for information.

Thank you,

Geoff Gardiner
[Zope-dev] ZODB : mystery
Hi,

I've a question : How could I store and retrieve object in the ZoDB ? I know that I must create a persistent object.

thanks in advance .
Re: [Zope-dev] Zope 2.2.0 and SiteAccess 2.0.0b2 -- doesn't work?-- FIXED
I'm sorry I didn't post back to the list like I said I would. The issue I was having with Zope 2.2.0 and SiteAccess 2.0.0b2 has been resolved.

In short, it was user error. Being new to Zope I didn't realize that the superuser account has special status. I thought it was just the name of the default user that gets created when you install Zope. When I created the SiteRoot object I was using the superuser account, and Zope was complaining that the superuser cannot be the owner of the object.

SiteAccess 2.0.0b3 fixes the error reporting so that it doesn't cover up the error with a generic "this folder already has a SiteRoot object." Once I saw the real error I easily resolved it by creating a new account and using that to add the SiteRoot object.

Thanks again to those who helped me out. I am learning more and more about Zope, slowly but surely.

--
Michael Monsen | Due to lack of interest,
[EMAIL PROTECTED] | next week has been cancelled.
http://www.xmission.com/~phydoux |
Re: [Zope-dev] ZODB : mystery
Every time you create a Zope object, such as a DTML document or Folder, it gets stored in the ZODB.

Perhaps you could be a little more specific in your aims?

cheers,

Chris

[EMAIL PROTECTED] wrote:

Hi, I've a question : How could I store and retrieve object in the ZoDB ? I know that I must create a persistent object. thanks in advance .
Re: [Zope-dev] Zope 2.2.0 and SiteAccess 2.0.0b2 -- doesn't work?-- FIXED
Michael Monsen wrote:

When I created the SiteRoot object I was using the superuser account,

I thought this wasn't supposed to be possible in the first place?!

Chris
RE: [Zope-dev] Request for amplification on new Product permissions API.
Are you calling:

    Globals.default__class_init__(MyBasketClass)

on your Basket class? This is (poorly documented but) necessary for permissions declared in __ac_permissions__ to be correctly initialized.

Should I have this in Squishdot too?

Chris

Yes - basically any class that defines *or inherits from a class that defines* permissions should do this to make sure that the permissions along the inheritance hierarchy are cobbled together correctly at class initialization time.

Brian Lloyd [EMAIL PROTECTED]
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
Re: [Zope-dev] Zope bug (w/ patch): hard coded Unix separator in special_dtml.py
Yves-Eric Martin wrote:

Does that sound right to you? If no one disagrees, I'll fill a bug report w/ patch in the Collector.

Sounds great, is it in the collector yet?

Chris
Re: [Zope-dev] getting request variables values
Steve Alexander wrote:

def __getitem__/__getattr__ from HTTPRequest.py:

    """Get a variable value

    Return a value for the required variable name. The value will be looked up from one of the request data categories. The search order is environment variables, other variables, form data, and then cookies.

Doesn't mention URL parameters on there, does it ;-) I wonder where they figure in?

The code certainly doesn't stick exactly to its docstring. The "other" dictionary is searched first, then URLx where x is a number. Then "environ" is searched, but *only* if the key begins with 'HTTP_' or is in the following list:

This looks really messy. I bet it tallies up with what's in the Zope DTML Reference near the REQUEST description in more ways than with the docstring...

Shane wrote:

I think the issue is that environ may include the Zope process environment variables, such as PATH, LD_LIBRARY_PATH, CVSROOT, USER, etc. Publish.publish_module() appears to pass in os.environ . That's just a quick analysis, though.

Hurm, there's still the order issue. And the fact that they're visible if you do dtml-var REQUEST.

Wow, should this go in dev.zope.org or the Collector (phrased for collector, but that can change):

The handling of variables in REQUEST is a bit messy. The following should all behave the same, in terms of the order variables are searched and what variables are included:

- dtml-var REQUEST
- __getitem__ in HTTPRequest.py
- variables that appear in the DTML/other type of method namespace

Should the patch to HTTPRequest.py below be included into Zope?
""" #" + environ=self.environ + if environ.has_key(key) and (not hide_key(key)): + return environ[key] other=self.other if other.has_key(key): if key=='REQUEST': return self return other[key] if key[:1]=='U' and URLmatch(key) = 0: path = self._script + self._steps n = len(path) - atoi(key[3:]) if n 0: raise KeyError, key URL=join([other['SERVER_URL']] + path[:n], '/') other[key]=URL self._urls = self._urls + (key,) return URL - if isCGI_NAME(key) or key[:5] == 'HTTP_': - environ=self.environ - if environ.has_key(key) and (not hide_key(key)): - return environ[key] - return ''
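
Review bot: The environ lookup added at the top of the method no longer carries the "isCGI_NAME(key) or key[:5] == 'HTTP_'" guard that the removed lines had, so any environment key that hide_key does not reject is now returned to the caller. The message above notes that environ may hold the Zope process environment (PATH, USER and so on), so keep the guard on the moved block or show that hide_key covers those names. Checking environ before "other" also changes precedence: a key present in both now resolves to the environment value and the key=='REQUEST' special case is no longer reached first, which should be stated in the docstring if it is intended.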
Re: [Zope-dev] Request for amplification on new Product permissions API.
Brian Lloyd wrote:

Yes - basically any class that defines *or inherits from a class that defines* permissions should do this to make sure that the permissions along the inheritance hierarchy are cobbled together correctly at class initialization time.

I'm sure someone said recently that this got called automatically for you if you forgot...

Hmm, Squishdot's worked fine without it AFAIK up until now. Is this only really required in 2.2, or even then not entirely?

cheers,

Chris

PS: It's not ZClass bases or something else that require it? Just checking I'm not being too dense...
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 05:22:25PM +0100, Steve Alexander wrote:

Chris Withers wrote:

A string.upper wouldn't go amiss either, then earlier versions of Mozilla that send an incorrectly capitalised 'Basic' might also be allowed to authenticate with Zope :-)

Heh, and allow Mozilla to gain the bug again? Zope wasn't the only server Moz broke on though..

It is already there in 2.2final:

    if lower(auth[:6])!='basic ':
       ^

RFC 1945 has it as "Basic". http://www.freesoft.org/CIE/RFC/1945/67.htm

RFC 1945 says one paragraph before that that the header should be matched case-insensitively. That was what the Moz bug was all about.

I also checked, and this version of the patch *should* work:

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))

The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah".

The split already takes out the whitespace. No need to strip.

However, it still doesn't work if the client sends something bogus -- the tuple will only be one item long, rather than two.

That is a bug in the client then.

If you want to be protected against bogosity in basic authentication, you can stick with the original line, and put it inside a try-except block:

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    try:
        name,password=\
            tuple(split(decodestring(split(auth)[-1]), ':', 1))
    except:
        # Bogus basic authentication. Perhaps log something?
        return None

This would mask bugs in clients. Not a good idea.

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
Re: [Zope-dev] Incorrect Padding?
Martijn Pieters wrote:

RFC 1945 says one paragraph before that that the header should be matched case-insensitively. That was what the Moz bug was all about.

Thanks for the clarification.

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))

The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah".

The split already takes out the whitespace. No need to strip.

There's a base64.decodestring() between the strip and the split. Leading and/or trailing spaces make base64 strings invalid.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 08:36:26PM +0200, Martijn Pieters wrote:

I also checked, and this version of the patch *should* work:

    # Only do basic authentication
    if lower(auth[:6])!='basic ':
        return None
    name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1))

The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah".

Oops. You took out the strip. But IIRC, base64 does a strip as well.

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
Re: [Zope-dev] Incorrect Padding?
Martijn Pieters wrote:

Oops. You took out the strip. But IIRC, base64 does a strip as well.

Not according to the original error which started this thread :(

Chris
Re: [Zope-dev] Incorrect Padding?
Steve Alexander wrote:

Martijn Pieters wrote:

Oops. You took out the strip. But IIRC, base64 does a strip as well.

So it does!

    >>> from base64 import *
    >>> s = encodestring('foo')
    >>> decodestring(s)
    'foo'
    >>> decodestring(s+' ')
    'foo'
    >>> decodestring(' '+s)
    'foo'

So what was causing the original error then?

Chris
Re: [Zope-dev] Incorrect Padding?
Martijn Pieters wrote:

So what was causing the original error then?

Buggy client?

If so, surely Zope should just return an Unauthorized error rather than exposing its internals?! If you're a server and the client is buggy, tell it so, but don't look like you just screwed up really badly ;-)

cheers,

Chris
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 07:57:00PM +0100, Chris Withers wrote:

Martijn Pieters wrote:

So what was causing the original error then?

Buggy client?

If so, surely Zope should just return an Unauthorized error rather than exposing its internals?! If you're a server and the client is buggy, tell it so, but don't look like you just screwed up really badly ;-)

Oops. Speed read fumble. We partly agree, and this is tricky. Unauthorised is wrong, it should return a Bad Request (or whatever the correct HTTP error is in this case).

File a patch! =)

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
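
The header handling this thread works towards (case-insensitive scheme, no fallback to the scheme word when the credentials are missing, a Bad Request outcome for undecodable input, and nothing sensitive written to logs), as an added Python 3 example that is not Zope's code or any poster's patch. The names parse_basic_auth, respond and describe_for_log and the sample headers are constructed for this illustration.

```python
import base64
import binascii


class MalformedBasicAuth(ValueError):
    """Header names the Basic scheme but its credentials cannot be parsed."""


def parse_basic_auth(header):
    """Return (name, password), or None when the scheme is not Basic.

    Raises MalformedBasicAuth when the scheme is Basic but the rest is unusable.
    """
    if header is None:
        return None
    # partition() keeps scheme and credentials apart. split(auth)[-1] from the
    # thread hands back the scheme word itself when nothing follows it.
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "basic":  # scheme is matched case-insensitively
        return None
    token = rest.strip()
    if not token:
        raise MalformedBasicAuth("no credentials after the scheme")
    try:
        # validate=True rejects trailing junk instead of silently skipping it.
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise MalformedBasicAuth("credentials are not valid base64") from exc
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MalformedBasicAuth("credentials are not valid UTF-8") from exc
    # Only the first colon separates the fields; a password may contain more.
    name, sep, password = text.partition(":")
    if not sep:
        raise MalformedBasicAuth("no ':' between name and password")
    return name, password


def respond(header):
    """Map a header to an outcome so a bad client never sees a traceback."""
    try:
        creds = parse_basic_auth(header)
    except MalformedBasicAuth:
        return "bad-request", None  # HTTP 400
    if creds is None:
        return "challenge", None  # HTTP 401, ask for Basic credentials
    return "credentials", creds  # hand over to the user database


def describe_for_log(header):
    """Summarise a header for debugging without recording the credentials."""
    scheme, _, rest = (header or "").strip().partition(" ")
    return "scheme=%r credential_chars=%d" % (scheme[:16], len(rest.strip()))


# Constructed sample headers, not captured traffic.
SAMPLES = [
    "Basic dXNlcjpwYXNz",    # user:pass
    "bAsIc dXNlcjpwYXNz",    # oddly capitalised scheme
    "Basic ",                # scheme only
    "Basic dXNlcjpwYXNz!!",  # trailing characters after the base64 text
    "Basic dXNlcg==",        # decodes to 'user', no colon
    "Digest abc",            # a different scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-24r %-12s %s" % (sample, respond(sample)[0],
                                  describe_for_log(sample)))
```
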
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 07:57:00PM +0100, Chris Withers wrote:

Martijn Pieters wrote:

So what was causing the original error then?

Buggy client?

If so, surely Zope should just return an Unauthorized error rather than exposing its internals?!

If you're a server and the client is buggy, tell it so, but don't look like you just screwed up really badly ;-)

I disagree. The client used is bad, this kind of error doesn't show often and serves a purpose here; fix the client!

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
Re: [Zope-dev] Incorrect Padding?
Chris Withers wrote:

So what was causing the original error then?

string.split('basic')[-1] was returning 'basic'.

base64.decodestring('basic') causes an "Incorrect padding" error.

base64.decodestring('basic ') causes an "Incorrect padding" error too.

Martijn Pieters wrote:

We partly agree, and this is tricky. Unauthorised is wrong, it should return a Bad Request (or whatever the correct HTTP error is in this case). File a patch! =)

I've attached a patch to lib/python/AccessControl/User.py. If there are no suggestions of improvements, or complaints :-) I'll stick it into the Collector.

I looked over the RFC, and Bad Request seems to be the best response code.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net

*** lib/python/AccessControl/User.py.original Mon Jul 24 20:31:40 2000 --- lib/python/AccessControl/User.pyMon Jul 24 20:51:33 2000 *** *** 438,444 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1)) # Check for superuser super=self._super --- 438,451 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! try: ! name,password=\ ! tuple(split(decodestring(split(auth)[-1]), ':', 1)) ! except: # not a proper basic auth string ! request.response.setStatus(400) ! raise 'InternalError', request.response._error_html( ! "Internal Error", ! "Zope could not understand the Basic Authentication supplied.") # Check for superuser super=self._super
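Review bot: the bare `except:` on the added try block catches every exception raised while decoding and unpacking, including ones caused by a bug elsewhere, and reports them all as a malformed header with status 400. Name the exceptions that the two expected failures raise (the base64 decode error, and the unpack error when no ':' is present) so that anything else still surfaces.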
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 08:56:54PM +0100, Steve Alexander wrote:

I've attached a patch to lib/python/AccessControl/User.py. If there are no suggestions of improvements, or complaints :-) I'll stick it into the Collector.

I looked over the RFC, and Bad Request seems to be the best response code.

Agreed.

*** lib/python/AccessControl/User.py.original Mon Jul 24 20:31:40 2000 --- lib/python/AccessControl/User.py Mon Jul 24 20:51:33 2000 *** *** 438,444 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1)) # Check for superuser super=self._super --- 438,451 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! try: ! name,password=\ ! tuple(split(decodestring(split(auth)[-1]), ':', 1)) ! except: # not a proper basic auth string ! request.response.setStatus(400) ! raise 'InternalError', request.response._error_html( ! "Internal Error", ! "Zope could not understand the Basic Authentication supplied.") # Check for superuser super=self._super

Would it be a good idea to add the header?

And let's make that a less generic except clause, we don't want to mask Zope bugs =)

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
| ZopeStudio: http://www.zope.org/Products/ZopeStudio
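Review bot: the added lines set status 400 yet raise 'InternalError' with the title "Internal Error", so a malformed header sent by the client is presented as a server fault. Use a bad-request exception name and title that match the 400 status; the message text can stay, since it does not echo the supplied credentials.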
Re: [Zope-dev] Incorrect Padding?
Steve Alexander wrote:

Chris Withers wrote:

So what was causing the original error then?

string.split('basic')[-1] was returning 'basic'.

base64.decodestring('basic') causes an "Incorrect padding" error.

base64.decodestring('basic ') causes an "Incorrect padding" error too.

Martijn Pieters wrote:

We partly agree, and this is tricky. Unauthorised is wrong, it should return a Bad Request (or whatever the correct HTTP error is in this case). File a patch! =)

I've attached a patch to lib/python/AccessControl/User.py. If there are no suggestions of improvements, or complaints :-) I'll stick it into the Collector.

Mention in the collector that the padding that's incorrect doesn't refer to spaces, but to equal signs. The ASCII representation of base64 is in sets of 4 characters, which translate to 3 bytes. If the ASCII data is of a length that doesn't evenly divide by 4, the string is supposed to end with equal signs as "padding". If it doesn't, you'll get the "incorrect padding" error.

Incidentally, try the following:

base64.decodestring('basic===')

This produces gibberish, but it does work. :-)

Shane
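The two failures diagnosed in this thread (a bare 'basic ' scheme word, and a token whose length is not a multiple of 4), as an added Python 3 example that is not part of the original messages or of Zope's code. parse_basic_auth, BadRequest, make_header and status_for are hypothetical names, and every header used is a constructed sample.

```python
import base64
import binascii


class BadRequest(Exception):
    """Malformed Basic credentials; the caller answers with HTTP 400."""


def parse_basic_auth(header):
    """Return (name, password), or None when the scheme is not Basic."""
    parts = header.split()
    if not parts or parts[0].lower() != "basic":
        return None  # another scheme: leave it to other handlers
    if len(parts) != 2:
        # 'basic ' with nothing after it, the case diagnosed in the thread
        raise BadRequest("missing credentials")
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # a token whose length is not a multiple of 4 fails on padding.
        raw = base64.b64decode(parts[1], validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        # Narrow clause: unrelated bugs still surface as real errors.
        raise BadRequest("undecodable credentials") from exc
    name, sep, password = text.partition(":")
    if not sep:
        raise BadRequest("no ':' between name and password")
    return name, password


def make_header(name, password):
    """Build a constructed sample header for the demonstration."""
    token = base64.b64encode(f"{name}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def status_for(header):
    """Return 400 for malformed Basic input, else the parse result."""
    try:
        return parse_basic_auth(header)
    except BadRequest:
        return 400


if __name__ == "__main__":
    for h in (make_header("alice", "pa:ss"), "basic ", "Basic YWxpY2U",
              "Basic YWxpY2U=", "Digest realm=x"):
        print(repr(h), "->", status_for(h))
```
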
Re: [Zope-dev] Incorrect Padding?
Martijn Pieters wrote:

On Mon, Jul 24, 2000 at 08:56:54PM +0100, Steve Alexander wrote:

I've attached a patch to lib/python/AccessControl/User.py. If there are no suggestions of improvements, or complaints :-) I'll stick it into the Collector.

I looked over the RFC, and Bad Request seems to be the best response code.

Agreed.

*** lib/python/AccessControl/User.py.original Mon Jul 24 20:31:40 2000 --- lib/python/AccessControl/User.py Mon Jul 24 20:51:33 2000 *** *** 438,444 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1)) # Check for superuser super=self._super --- 438,451 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! try: ! name,password=\ ! tuple(split(decodestring(split(auth)[-1]), ':', 1)) ! except: # not a proper basic auth string ! request.response.setStatus(400) ! raise 'InternalError', request.response._error_html( ! "Internal Error", ! "Zope could not understand the Basic Authentication supplied.") # Check for superuser super=self._super

Would it be a good idea to add the header?

I don't quite follow.

And let's make that a less generic except clause, we don't want to mask Zope bugs =)

Ok. I was thinking of just using HTTPResponse.badRequestError(). However, it has a "name" argument, and I don't quite understand how it is meant to be used.

    def badRequestError(self,name):
        self.setStatus(400)
        # regex.match returns the matched length, or -1 when there is no match
        if regex.match('^[A-Z_0-9]+$',name) >= 0:
            raise 'InternalError', self._error_html(
                "Internal Error",
                "Sorry, an internal error occurred in this Zope resource.")
        raise 'BadRequest',self._error_html(
            "Invalid request",
            "The parameter, <em>%s</em>, " % name +
            "was omitted from the request.<p>" +
            "Make sure to specify all required parameters, " +
            "and try the request again."
            )

So, any of name="FOO", name="123", name="FOO123", name="" produces an internal error; name="foo", name="Foo", name="foo123" produces a bad request.

What's the rationale?

Should I just use this, then?

    request.response.badRequestError(name="0") # internal error

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
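Review bot: in the quoted patch, `split(auth)[-1]` still returns the scheme word itself when nothing follows 'basic ', so the new try block only finds out after attempting to decode it. Check that split(auth) yields exactly two fields before calling decodestring and reject the header there, leaving the try block to cover genuine decoding failures.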
[Zope-dev] Online Docs
I've been playing around with the ACS a bit lately. It's got one feature which I would desperately like to see in Zope, namely that every ACS server is self-documenting with regard to all of its methods. To see it in action, check out http://www.arsdigita.com/doc/procs

This documentation is generated on startup of the server for all available functions which make a call to a function proc_doc.

I looked at the existing Python code auto-documentors, and the one I saw that looked the best was http://www.lfw.org/python (at the bottom of the page) for documenting live objects. It could use some modifying to generate Zope objects which would get cataloged and also to include a function's/module's source.

Does anyone think that this would be a good resource to have in Zope? Searchable docs for developers on their servers of all the Zope Internal Python Code and the Code for all the installed Products?

Kapil
Re: [Zope-dev] Zope bug (w/ patch): hard coded Unix separator in special_dtml.py
On Mon, 24 Jul 2000 19:23:56 +0100 Chris Withers [EMAIL PROTECTED] wrote:

Sounds great, is it in the collector yet?

Yes, I filed a bug report yesterday. It's under number 1453.

--
Yves-Eric Martin
Digital Garage Inc.
[EMAIL PROTECTED]