[Zope-dev] IIS / login bug

2002-07-11 Thread seb bacon

There is a bug in IIS[1] which causes cookies to be dropped during a 
redirect.  The result in the CMF is that a login fails when it is 
combined with a redirect, as happens following an attempted access of a 
forbidden resource when using the CookieCrumbler.

Now, I'm not too familiar with the pcgi mechanism, or IIS, and not 
having my own Windows development machine makes debugging a bit 
problematic.  So I'd appreciate advice from IIS / pcgi savants (there 
must be some, somewhere ;-)

M$ says the workaround is to rename the zope.pcgi script to 
nhp-zope.pcgi, which indicates to IIS that it should pass on all HTTP 
headers untouched.  The problem here is that the ZPublisher defers to 
the server to produce some of the relevant HTTP headers, namely the 
protocol version / status header ('HTTP/1.1 200 OK').  Without this 
header, browsers display all the headers as if they are part of the body.

My solution is to alter the pcgi_publisher.py script so that it passes 
the publish_module a ZServerHTTPResponse object - which *will* add all 
the relevant server headers [2].

However, altering the pcgi_publisher script seems to have no effect, 
whatsoever, on anything.

Should my approach work?  Are there better workarounds?

Thanks,

seb

--

References

[1] http://support.microsoft.com/default.aspx?scid=kb;EN-US;q176113

[2] pcgi_publisher.py patch (watch for line wraps)

*** pcgi_publisher.py   Thu Sep  7 17:40:07 2000
--- nhp-pcgi_publisher.py   Thu Jul 11 09:56:42 2002
***
*** 294,306 
   ### IIS hack to fix broken PATH_INFO
   ### taken from Mike Fletcher's win_cgi_module_publisher
   import string
   if env.has_key('SERVER_SOFTWARE') and 
string.find(env['SERVER_SOFTWARE'],'Microsoft-IIS') != -1:
   script = 
filter(None,string.split(string.strip(env['SCRIPT_NAME']),'/'))
   path = 
filter(None,string.split(string.strip(env['PATH_INFO']),'/'))
   env['PATH_INFO'] = string.join(path[len(script):],'/')
!
   try:
! 
self.publish_module(self.moduleName,stdin=stdin,stdout=stdout,stderr=stderr,environ=env)
   except:
   self.fatalError(unable to publish module)

--- 294,308 
   ### IIS hack to fix broken PATH_INFO
   ### taken from Mike Fletcher's win_cgi_module_publisher
   import string
+ from ZServer.HTTPResponse import ZServerHTTPResponse
+ iis-nhp-response = None
   if env.has_key('SERVER_SOFTWARE') and 
string.find(env['SERVER_SOFTWARE'],'Microsoft-IIS') != -1:
   script = 
filter(None,string.split(string.strip(env['SCRIPT_NAME']),'/'))
   path = 
filter(None,string.split(string.strip(env['PATH_INFO']),'/'))
   env['PATH_INFO'] = string.join(path[len(script):],'/')
! iis-nhp-response = ZServerHTTPResponse(stdout=stdout, 
stderr=stderr)
   try:
! 
self.publish_module(self.moduleName,stdin=stdin,stdout=stdout,stderr=stderr,environ=env,response=iis-nhp-response)
   except:
   self.fatalError(unable to publish module)
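Review bot: `iis-nhp-response` in the added lines is not a valid Python name. The hyphens parse as subtraction, so `iis-nhp-response = None` is a syntax error and this version of the file cannot be compiled. Use `iis_nhp_response` in all three places: the initialisation, the assignment inside the IIS branch, and the `response=` argument. The bare `except:` around `publish_module` also reports every failure as the same "unable to publish module" error, so it is worth logging the actual exception there while debugging.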





___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
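
The header handling described in the message above, as an added example that is not part of the original post or of Zope's pcgi code: once the server passes a script's output through untouched, the script itself has to turn the CGI `Status:` pseudo-header into a real status line while leaving `Set-Cookie` and `Location` intact. The function names and the sample response are constructed for illustration.

```python
# Added example: turn ordinary (server-parsed) CGI output into a complete
# HTTP response, as a script must do once the server stops parsing its headers.

def split_cgi(raw):
    """Split output at the first blank line into (header block, body)."""
    cuts = [(raw.find(s), s) for s in (b"\r\n\r\n", b"\n\n") if s in raw]
    if not cuts:
        raise ValueError("no blank line between headers and body")
    pos, sep = min(cuts)
    return raw[:pos], raw[pos + len(sep):]

def cgi_to_nph(raw, protocol="HTTP/1.1"):
    """Return a full HTTP response built from parsed-header CGI output."""
    head, body = split_cgi(raw)
    status, headers = None, []
    for line in head.splitlines():
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        if name.strip().lower() == b"status":
            status = value.strip()  # CGI pseudo-header, never sent on the wire
        else:
            headers.append(name.strip() + b": " + value.strip())
    if status is None:
        # CGI convention: a Location header without Status means a redirect.
        redirect = any(h.lower().startswith(b"location:") for h in headers)
        status = b"302 Found" if redirect else b"200 OK"
    lines = [protocol.encode("ascii") + b" " + status] + headers
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

def header_values(response, name):
    """All values of one header in a raw response (case-insensitive name)."""
    head, _ = split_cgi(response)
    prefix = name.lower().encode("ascii") + b":"
    return [l.split(b":", 1)[1].strip() for l in head.splitlines()[1:]
            if l.lower().startswith(prefix)]

# Constructed sample: a login response that sets a cookie and redirects.
SAMPLE = (b"Status: 302 Moved Temporarily\n"
          b"Location: http://example.test/protected\n"
          b"Set-Cookie: session=constructed-value; Path=/\n"
          b"Content-Length: 0\n\n")

if __name__ == "__main__":
    print(cgi_to_nph(SAMPLE).decode("ascii"))
```

Checking `header_values(response, "Set-Cookie")` on the converted output is a quick way to confirm the login cookie and the redirect travel in the same response.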



Re: [Zope-dev] IIS / login bug

2002-07-11 Thread Jens Vagelpohl

> There is a bug in IIS[1] which causes cookies to be dropped during a 
> redirect.

a bug in IIS??? no way...:P


> Should my approach work?  Are there better workarounds?

i don't know your situation exactly, but if IIS is not a pressing 
requirement you can use apache for windows.

jens







Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread Shane Hathaway

seb bacon wrote:
> Production sites running a stock Zope are vulnerable to abuse of their 
> server if they have not removed the 'Examples' folder.  For example, 
> anyone could use http://notcarefulenough.com/Examples/FileLibrary as a 
> warez repository.

Are you sure?  I get an Unauthorized error (but not until I actually 
try to upload).

Shane






Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread seb bacon



Shane Hathaway wrote:
> seb bacon wrote:
>
>> Production sites running a stock Zope are vulnerable to abuse of their 
>> server if they have not removed the 'Examples' folder.  For example, 
>> anyone could use http://notcarefulenough.com/Examples/FileLibrary as a 
>> warez repository.
>
> Are you sure?  I get an Unauthorized error (but not until I actually 
> try to upload).
>
> Shane

I'm sure, I've tried it on a few sites.

Try this ;-)

   http://new.zope.org/Examples/FileLibrary

seb







Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread Shane Hathaway

seb bacon wrote:
> Shane Hathaway wrote:
>
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of 
>>> their server if they have not removed the 'Examples' folder.  For 
>>> example, anyone could use 
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>> Are you sure?  I get an Unauthorized error (but not until I actually 
>> try to upload).
>>
>> Shane
>
> I'm sure, I've tried it on a few sites.

Hmm, it would appear that the Add Documents, Images, and Files 
permission is enabled for anonymous.  It shouldn't be, obviously.

Shane






Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread Shane Hathaway

seb bacon wrote:
> Shane Hathaway wrote:
>
>> seb bacon wrote:
>>
>>> Production sites running a stock Zope are vulnerable to abuse of 
>>> their server if they have not removed the 'Examples' folder.  For 
>>> example, anyone could use 
>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>
>> Are you sure?  I get an Unauthorized error (but not until I actually 
>> try to upload).
>>
>> Shane
>
> I'm sure, I've tried it on a few sites.

Wait a minute, now I see it.  The addFile script has the Manager 
proxy role!  (And apparently my Zope is disregarding the proxy roles.) 
That's wrong.  I suggest we remove the proxy roles, replacing the proxy 
role explanation with the text "you can set proxy roles if you want 
anonymous users to be able to use this script."

Shane






Re: [Zope-dev] vulnerability in stock Zope

2002-07-11 Thread seb bacon


>>>> Production sites running a stock Zope are vulnerable to abuse of 
>>>> their server if they have not removed the 'Examples' folder.  For 
>>>> example, anyone could use 
>>>> http://notcarefulenough.com/Examples/FileLibrary as a warez repository.
>>>
>>> Are you sure?  I get an Unauthorized error (but not until I 
>>> actually try to upload).
>>>
>>> Shane
>>
>> I'm sure, I've tried it on a few sites.
>
> Wait a minute, now I see it.  The addFile script has the Manager 
> proxy role!  (And apparently my Zope is disregarding the proxy roles.) 
> That's wrong.  I suggest we remove the proxy roles, replacing the proxy 
> role explanation with the text "you can set proxy roles if you want 
> anonymous users to be able to use this script."

Don't forget the Message Board application too.  Are you fixing this or 
shall I?

seb






[Zope-dev] ?determine if x is a string or array in PythonScript

2002-07-11 Thread Tim Hoffman

Hi

I must be stupid or something, but I can't for the life
of me work out a simple way of determining if a variable contains 
a string or array, in a PythonScript in Zope.

I can't import type and or use type() function.
isinstance doesn't work because I can't give a type as the second arg.

I obviously just can't see the wood for the trees, can anyone help
out this silly individual ?




Rgds

Tim








Re: [Zope-dev] ?determine if x is a string or array in PythonScript

2002-07-11 Thread Shane Hathaway

Tim Hoffman wrote:
> Hi
>
> I must be stupid or something, but I can't for the life
> of me work out a simple way of determining if a variable contains 
> a string or array, in a PythonScript in Zope.
>
> I can't import type and or use type() function.
> isinstance doesn't work because I can't give a type as the second arg.

Python scripts provide a special function, same_type(), for this 
purpose.  Example:

if same_type(s, ''):
   s = [s]

Shane






Re: [Zope-dev] ?determine if x is a string or array in PythonScript

2002-07-11 Thread Martijn Pieters

On Thu, Jul 11, 2002 at 05:22:48PM +0800, Tim Hoffman wrote:
> I must be stupid or something, but I can't for the life
> of me work out a simple way of determining if a variable contains 
> a string or array, in a PythonScript in Zope.
>
> I can't import type and or use type() function.
> isinstance doesn't work because I can't give a type as the second arg.
>
> I obviously just can't see the wood for the trees, can anyone help
> out this silly individual ?

Testing for string methods works :)

  if hasattr(item, 'startswith'):
      # A String
      pass
  else:
      # Something else
      pass

On a similar note you can test for a specific list method.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-





Re: [Zope-dev] ?determine if x is a string or array in PythonScript

2002-07-11 Thread Martijn Pieters

On Thu, Jul 11, 2002 at 04:10:33PM -0400, Shane Hathaway wrote:
> Python scripts provide a special function, same_type(), for this 
> purpose.  Example:
>
> if same_type(s, ''):
>    s = [s]

Much better than my hacked-up solution. :p

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-





Re: [Zope-dev] ?determine if x is a string or array in PythonScript

2002-07-11 Thread Tim Hoffman

Thanks Shane

I missed that in the docs, I have to admit I have done some pretty 
crusty things in the past to try and work it out, like checking for 
methods etc.. which always struck me as 1, quite possibly incorrect
especially if I got a dictionary with an element with the same name
as the method. Also I always thought it terribly inelegant.

Should have looked in the source ;-)

Thanks again

T
On Fri, 2002-07-12 at 04:10, Shane Hathaway wrote:
> Tim Hoffman wrote:
>> Hi
>>
>> I must be stupid or something, but I can't for the life
>> of me work out a simple way of determining if a variable contains 
>> a string or array, in a PythonScript in Zope.
>>
>> I can't import type and or use type() function.
>> isinstance doesn't work because I can't give a type as the second arg.
>
> Python scripts provide a special function, same_type(), for this 
> purpose.  Example:
>
> if same_type(s, ''):
>    s = [s]
>
> Shane



