[Zope-dev] SECURITY ALERT and Zope hotfix release [2001-03-08]

2001-03-09 Thread Brian Lloyd

Hello all -

  An issue has come to our attention (thanks to Randy Kern) that
  necessitates a Zope hotfix. Hotfix products can be installed to
  incorporate modifications to Zope at runtime without requiring
  an immediate installation upgrade. Hotfix products are installed
  just as you would install any other Zope product.

  This hotfix (Hotfix_2001-03-08) addresses an important security issue
  that affects Zope version 2.3.0 and the current 2.3.1 beta 1 release.

  The issue involves an error in the 'aq_inContextOf' method of objects
  that support acquisition. A recent change to the access validation
  machinery made this bug begin to affect security restrictions. The bug,
  with the change to validation, made it possible to access Zope objects
  via acquisition that a user would not otherwise have access to. This
  issue could allow users with enough internal knowledge of Zope to
  perform actions higher in the object hierarchy than they should be able
  to.

  We *highly* recommend that any Zope site running Zope 2.3.0 final or any
  alpha or beta version of 2.3.0 or 2.3.1 beta 1 have this hotfix product
  installed to mitigate the issue. Zope 2.3.1 beta 2 will contain a fix for
  the issue, at which time the hotfix can be removed. Zope versions prior
  to 2.3.0 are not affected by this issue.

  - http://www.zope.org/Products/Zope/Hotfix_2001-03-08/README.txt

  - http://www.zope.org/Products/Zope/Hotfix_2001-03-08/Hotfix_2001-03-08.tgz


Brian Lloyd        [EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



[Zope-dev] Zope/Win2K/Crash ...

2001-03-09 Thread Bryan Baszczewski

Anyone else using Zope on Win2K?  We have recently installed Zope as a
production server on Win2K (SP4) and everything was fine for the first
couple of weeks.  We started a little monitoring program which hits Zope
every 5 seconds, and noticed Zope started to crash intermittently.

In the NT Event Log I find:
"The description for Event ID ( 3 ) in Source ( PythonService ) could not be
found. It contains the following insertion string(s):



Re: [Zope-dev] Saving attributes for a DataSkin

2001-03-09 Thread Johan Carlsson

> 
> Hi Johan,
> 
>Could you give a more complete traceback? It's hard to tell
> from just the error type.. 
> 
> thanks!
> -steve

Of course, here it comes.
Regards,
Johan

Traceback (innermost last):
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ProviderContainer)
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: changeUser)
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/ZPublisher/Publish.py, line 112, in call_object
    (Object: changeUser)
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/Shared/DC/Scripts/Bindings.py, line 324, in __call__
    (Object: changeUser)
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/Shared/DC/Scripts/Bindings.py, line 353, in _bindAndExec
    (Object: changeUser)
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/Products/PythonScripts/PythonScript.py, line 330, in _exec
    (Object: changeUser)
    (Info: ({'script': , 'context': , 'container': , 'self': , 'traverse_subpath': []}, ('a', 'a', 'a', 'a', 'a'), {}, None))
  File Script (Python), line 3, in changeUser
  File /bigshare/zopeservers/Zope-2.3.0-src/lib/python/Products/PythonScripts/zbytecodehacks/VSExec.py, line 429, in __setattr__
TypeError: (see above)




> > "JC" == Johan Carlsson <[EMAIL PROTECTED]> writes:
> 
> JC> Hi, I'm having some trouble figuring out how to write a method
> JC> and a skinscript to save attributes of a DataSkin.
> 
> JC> Specialist is the LoginManager.
> 
> JC> DataSkin is:
> 
> JC> class EasyGroupUser(LoginUser):
> JC>     ...
> JC>     def getRoles(self): ...
> JC>     def getDomains(self): ...
> JC>     def authenticate(self, password, request): ...
> 
> JC> SkinScripts are:
> JC>
> JC> WITH QUERY sql_getUserFor(username=self.id)
> JC> COMPUTE username, password, challenge_question,
> JC>   challenge_answer, admin_email
> 
> JC> WHEN OBJECT CHANGED
> JC> STORE password, challenge_question, challenge_answer, admin_email
> JC> USING sql_changeUser(
> JC>   username=self.id,
> JC>   newpassword=password,
> JC>   challenge_question=challenge_question,
> JC>   challenge_answer=challenge_answer,
> JC>   admin_email=admin_email,
> JC>   oldpassword=OLD['oldpassword']
> JC> )
> JC> SAVING oldpassword = password
> 
> JC> Current Attribute Handling:
> JC>   admin_email         Getters: SkinScript, line 1  Setters: SkinScript, line 10  Deleters: SkinScript, line 10
> JC>   challenge_answer    Getters: SkinScript, line 1  Setters: SkinScript, line 10  Deleters: SkinScript, line 10
> JC>   challenge_question  Getters: SkinScript, line 1  Setters: SkinScript, line 10  Deleters: SkinScript, line 10
> JC>   password            Getters: SkinScript, line 1  Setters: SkinScript, line 10  Deleters: SkinScript, line 10
> 
> 
> JC> The getter works alright, but when trying to set attributes
> JC> (that supposedly would be handled by the setter) with the
> JC> following Script (Python) I get the following error:
> 
> JC> ## Script (Python) "changeUser"
> JC> ##bind container=container
> JC> ##bind context=context
> JC> ##bind namespace=self
> JC> ##bind script=script
> JC> ##bind subpath=traverse_subpath
> JC> ##parameters=username,password,challenge_question,challenge_answer,admin_email
> JC> ##title=
> JC> ##
> JC> user = context.getItem(username)
> JC> user.password=password
> JC> user.challenge_question=challenge_question
> JC> user.challenge_answer=challenge_answer
> JC> user.admin_email=admin_email
> 
> JC> ERROR MESSAGE: Error Type: TypeError Error Value:
> JC> attribute-less object (assign or del)
> 
> JC> So what am I doing wrong here?  Any clues appreciated.
> JC> TIA/Johan Carlsson





Re: [Zope-dev] SAP DB <--> ZODB ?

2001-03-09 Thread Ulrich Eck

Hi steve ..

I have already a tiny version of ZsapdbDA which basically works.
I had contact to the maintainer of the python-module for sapdb.
and he handed out a nearly python DBI 2.0 compatible interface.

there might be some problems with the python-module and linux/python/threads ..
i didn't test this issue very much.
The Zsapdbda is basically working .. there are some issues concerning Type-Conversion
and Exception-handling has to be refined.

ZsapdbDA is a remake of ZMySQLDA/DCOracle.

I have uploaded this product as an 0.0.1-alpha-preview .. you know what i mean :)

http://www.zope.org/Members/jack-e/ZsapdbDA

So feel free to use this for further development .. i don't have any time right now.

hope this helps

cu Ulrich Eck

- Original Message -
From: "Steve Alexander" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 09, 2001 4:20 PM
Subject: [Zope-dev] SAP DB <--> ZODB ?


> I just heard that the SAP DB has gone Free and Open Source.
>
> 
>
>   SAP DB is an open, SQL-based, relational database management system that
>   provides high availability and performance scaling from small to very large
>   implementations.
>
>   In addition, SAP DB goes beyond relational database technology by offering
>   object orientation as well as support for managing unstructured data. It
>   supports open standards including SQL, JDBC and ODBC; access from Perl and
>   Python; and HTTP-based services with HTML or XML content. SAP DB is platform
>   independent, so users can deploy it for a wide array of projects.
>
>   Since 1994, the SAP e-Business Solution is available on SAP DB technology.
>   Today SAP DB is being used by nearly 800 customers.
>
>   On October 5, 2000, at Linux World SAP DB was announced to be made available
>   as Open Source software using the GNU General Public License for the database
>   kernel and the GNU Lesser General Public License for clients and programming
>   interfaces.
> 
>
> http://freshmeat.net/projects/sapdb/
>
> I'd never heard of SAP DB before, although I've heard of SAP.
>
> This looks as if it would be good for a ZODB storage.
>
> --
> Steve Alexander
> Software Engineer
> Cat-Box limited
>
>





Re: [Zope-dev] TransWarp preview release (AOP tools only)

2001-03-09 Thread Shane Hathaway

"Phillip J. Eby" wrote:
> 
> At 10:52 AM 3/6/01 -0500, Shane Hathaway wrote:
> >Perhaps... but as I see it, pickling the aspect weaving information into
> >each object makes it harder to vary the aspect weaving after objects
> >have been created.
> 
> That's not what I said.  *Aspect objects* can be pickled.  You're talking
> about *instances* of *classes* created by weaving the aspects, and that's a
> whole different kettle of fish.  Check out the "AOPTutorial" in the Wiki,
> which sorts out the differences between the three.

I understand.  What I'm saying is that for this application, sys.modules
will not contain the information necessary for reassembling the
aspects.  So you have to either put that information in the pickled
objects or in a centralized pickled object.  I thought you had suggested
putting the information in the pickled objects and we agree that is
probably not the right approach.  Instead the objects will contain a
reference to a centralized pickled object that can supply the weaving
information.  I know I'm not using perfect terminology.

> >I'm also planning outside the ZODB.  The goal is to design apps using
> >pure and simple ZODB and not be required to do anything special to make
> >it work later with other forms of storage.  Other databases will not be
> >able to store aspect information.
> 
> Again, this is a confusion of instance and class.  Aspect information is
> *not* per-instance - heck, even *classes* in TW don't know what Aspects
> they were woven from.  The aspects are like flour and eggs that go into
> making a cake (class or set of classes).  Once it's baked, the ingredients
> are no longer visible.  :)

ZODB creates two pickles for every object: the class of the object and
the object state.  One could conceivably store the aspect weaving
information in that first pickle.  (Normally the first pickle is very
simple, containing only the name of the module and the name of the
class, but it can in fact be as complex as you want.)  In fact,
depending on how you coded TW, that's just what ZODB might try to do and
it might even work.  But for this application I wouldn't want it to do
that.

BTW in Python, classes are really just instances of class classes (or
type classes, or class types, or class class classes etc...) ;-)

> By the way, I have never tried to promote AOP as even being relevant to the
> CMF.  :)

I know.  I'm just trying to "weave" your work in to Zope.

> AOP is mostly about *reuse*, so any single run-time environment
> (such as CMF or even Zope as a whole) will not see much benefit that you
> can't get through delegation.  ZPatterns, for another example, is one
> gigantic web of delegation internally.  AOP is of more relevance to the
> developer who has a piece of code they would like to use for the CMF, *and*
> for a command line tool, *and* a testing tool, *and*  And thus they
> need to be able to assemble their code into a variety of useful
> configurations.

I see.  I'll try to keep that in the back of my mind.

> After Michel's presentation the other day, I understand a lot better how
> Zope will address this issue with "adapters", and that will help *a lot*
> with a lot of things.  However, people may also have other environments
> besides Zope to use their code in, or other configuration choices to be
> addressed that are not exposed to Zope (such as the database schema), and
> having AOP available will presumably be helpful to them.

Agreed (though I've been working on a delegation-capable storage...) :-)

Shane




[Zope-dev] SAP DB <--> ZODB ?

2001-03-09 Thread Steve Alexander

I just heard that the SAP DB has gone Free and Open Source.



  SAP DB is an open, SQL-based, relational database management system that
  provides high availability and performance scaling from small to very large
  implementations.

  In addition, SAP DB goes beyond relational database technology by offering
  object orientation as well as support for managing unstructured data. It
  supports open standards including SQL, JDBC and ODBC; access from Perl and
  Python; and HTTP-based services with HTML or XML content. SAP DB is platform
  independent, so users can deploy it for a wide array of projects.

  Since 1994, the SAP e-Business Solution is available on SAP DB technology.
  Today SAP DB is being used by nearly 800 customers.

  On October 5, 2000, at Linux World SAP DB was announced to be made available
  as Open Source software using the GNU General Public License for the database
  kernel and the GNU Lesser General Public License for clients and programming
  interfaces.


http://freshmeat.net/projects/sapdb/

I'd never heard of SAP DB before, although I've heard of SAP.

This looks as if it would be good for a ZODB storage.

--
Steve Alexander
Software Engineer
Cat-Box limited

