[Zope-dev] passive FTP to Zope with a specified port-range

2002-08-02 Thread Mr Tobias Schiebeck

Hi,

I'm trying to modify the zope ftp-access to specify a port range 
within which the server selects the ports for the passive ftp communication
with the ftp-clients. This is in order to have the Zope server behind
a firewall blocking more than the privileged ports only. 

I managed to modify the passive_acceptor within the medusa ftp server
file. The problem I have is that certain FTP clients (e.g. gftp) 
close their connection because of messages coming from the server.

The code I have modified is in 

   /usr/lib/zope/ZServer/medusa/ftp_server.py

   class passive_acceptor (asyncore.dispatcher):
       ready = None

       def __init__ (self, control_channel):
           # connect_fun (conn, addr)
           asyncore.dispatcher.__init__ (self)
           self.control_channel = control_channel
           self.create_socket (socket.AF_INET, socket.SOCK_STREAM)
           to = open('/tmp/zope.log', 'a')
           for i in range(1, 11000):
               # bind to an address on the interface that the
               # control connection is coming from.
               to.write("ftp connection - port %d\n" % i)
               bres = self.bind ((
                   self.control_channel.getsockname()[0],
                   i
                   ))
               to.write("ftp connection - bind:" + repr(bres) + "\n")
               if bres == None :
                   break
           self.addr = self.getsockname()
           self.listen (1)
           to.close()

Accessing the Zope-server through a firewall that has only the ports
1 to 11000 open using gftp allows the first connection but 
disconnects with an error message when I change the directory.

The error message is:

451 Server Error: socket.error, (98,'Address already in use'): file:
/usr/lib/zope/ZServer/medusa/asyncore.py line: 250

Do you have any hints on this?

Thanks and Best Regards

Tobias

-- 
-
Tobias Schiebeck   [EMAIL PROTECTED]
International AVS Centre  Manchester Visualization Centre
http://www.iavsc.org  tel: (+44) 161-275-6870
-

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
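
Added example, not part of the original post or of Zope's ftp_server.py: socket bind() reports a busy port by raising an error rather than through its return value, so a loop over a firewall-approved port range has to catch that error and move on to the next port. The helper name bind_in_range and the loopback setup are assumptions made for the illustration.

```python
import errno
import socket


def bind_in_range(sock, host, ports):
    """Bind sock to the first usable port in ports and return that port.

    bind() signals failure by raising, so a busy or privileged port is
    handled in the except clause, not by inspecting a return value.
    """
    for port in ports:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                continue          # port taken or not permitted: try the next one
            raise                 # anything else is a real error
        return port
    raise OSError(errno.EADDRINUSE, "no free port in the passive range")


def demo():
    """Keep one port busy, then show that the next listener skips it."""
    host = "127.0.0.1"
    # Constructed setup: the OS picks a free port and we keep it listening,
    # the way an earlier passive data connection would.
    busy = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    busy.bind((host, 0))
    busy.listen(1)
    first = busy.getsockname()[1]

    # Stands in for the port range the firewall lets through.
    passive_range = range(first, first + 20)
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        chosen = bind_in_range(listener, host, passive_range)
        listener.listen(1)
        return first, chosen, list(passive_range)
    finally:
        listener.close()
        busy.close()


if __name__ == "__main__":
    first, chosen, _ = demo()
    print("port %d busy, passive listener bound to %d" % (first, chosen))
```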



[Zope-dev] The remaining spanner in the works :-)

2002-08-02 Thread Chris Withers

Shane Hathaway wrote:

snip

Wow! That was very very cool. I look forward to helping make this all a reality 
in Zope 3 ;-)

 I'm sure I left a few things out, so ask questions about the unclear
 parts.  It's probably more info than you were expecting. ;-)

Hmm, okay, the only problem I can think that still needs solving is this:
Say you're serializing to a relational database. All well and good.

...until another app comes along and modifies your relational table (pretty 
common use case, otherwise people wouldn't care as much about the storage layer...)

How does the serializer/deserializer find out something has changed and 
propagate this back up, invalidating any cached object, etc?

cheers,

Chris





Re: [Zope-dev] I'd like a zclass property to be a dictionary...

2002-08-02 Thread Chris Withers

Michael Beaulieu wrote:
 and how to do this is not clear to me..

You can't.

Don't use ZClasses.

Doing this with a Python Product would be easy :-)

def __init__(self):
   self.dict = {}

cheers,

Chris





Re: [Zope-dev] passive FTP to Zope with a specified port-range

2002-08-02 Thread Chris Withers

Mr Tobias Schiebeck wrote:

 451 Server Error: socket.error, (98,'Address already in use'): file:
 /usr/lib/zope/ZServer/medusa/asyncore.py line: 250
 
 Do you have any hints on this?

Sadly not, but if you get this working, please lemme know, this would be very 
cool :-)

cheers,

Chris





Re: [Zope-dev] passive FTP to Zope with a specified port-range

2002-08-02 Thread Romain Slootmaekers

Mr Tobias Schiebeck wrote:
 Hi,
 
 I'm trying to modify the zope ftp-access to specify a port range 
 within which the server selects the ports for the passive ftp communication
 with the ftp-clients. This is in order to have the Zope server behind
 a firewall blocking more than the privileged ports only. 
 
 I managed to modify the passive_acceptor within the medusa ftp server
 file. The problem I have is that certain FTP clients (e.g. gftp) 
 close their connection because of messages coming from the server.
 
 The code I have modified is in 
 
/usr/lib/zope/ZServer/medusa/ftp_server.py
 
 class passive_acceptor (asyncore.dispatcher):
     ready = None
 
     def __init__ (self, control_channel):
         # connect_fun (conn, addr)
         asyncore.dispatcher.__init__ (self)
         self.control_channel = control_channel
         self.create_socket (socket.AF_INET, socket.SOCK_STREAM)
         to = open('/tmp/zope.log', 'a')
         for i in range(1, 11000):
             # bind to an address on the interface that the
             # control connection is coming from.
             to.write("ftp connection - port %d\n" % i)
             bres = self.bind ((
                 self.control_channel.getsockname()[0],
                 i
                 ))
             to.write("ftp connection - bind:" + repr(bres) + "\n")
             if bres == None :
                 break
         self.addr = self.getsockname()
         self.listen (1)
         to.close()
 
 Accessing the Zope-server through a firewall that has only the ports
 1 to 11000 open using gftp allows the first connection but 
 disconnects with an error message when I change the directory.
 
 The error message is:
 
 451 Server Error: socket.error, (98,'Address already in use'): file:
 /usr/lib/zope/ZServer/medusa/asyncore.py line: 250
 
 Do you have any hints on this?
 
 Thanks and Best Regards
 
 Tobias

passive ftp through a firewall ?
you still need to have a whole range of ports opened so what's the 
point. FTP sucks and should be illegal.

you could solve the same problem using sftp (which is more secure but 
moreover,
just uses 1 connection) and a FSDirectoryview.

have fun,

Sloot.








[Zope-dev] Re: The remaining spanner in the works :-)

2002-08-02 Thread Shane Hathaway

Chris Withers wrote:
 Shane Hathaway wrote:
 
 snip
 
 Wow! That was very very cool. I look forward to helping make this all a 
 reality in Zope 3 ;-)
 
 I'm sure I left a few things out, so ask questions about the unclear
 parts.  It's probably more info than you were expecting. ;-)
 
 
 Hmm, okay, the only problem I can think that still needs solving is this:
 Say you're serializing to a relational database. All well and good.
 
 ...until another app comes along and modifies your relational table 
 (pretty common use case, otherwise people wouldn't care as much about 
 the storage layer...)
 
 How does the serializer/deserializer find out something has changed and 
 propagate this back up, invalidating any cached object, etc?

I've been trying out a limited-duration cache strategy.  The simplest 
approach is to clear the cache between transactions.  Alternatively, you 
can clear the cache periodically.  For a lot of applications this is 
adequate.

Another approach, if you can afford it, is triggers.  To do this, you 
have to know a lot about your database, since there is no standard way.

But as I learned from AdaptableStorage, no matter what you do, you need 
to have conflict detection.  Otherwise Zope will merrily delete a 
directory you just added externally, for example.  This was a hard 
problem to solve until I stumbled on the idea of putting half of an MD5 
sum in _p_serial instead of the date.  (Only half because the current C 
code only allows 8 bytes in _p_serial. ;-) )  This works well enough to 
detect nearly all conflicts, even though it might not be the speediest 
solution.

And as it turned out, as long as I had conflict detection, it didn't 
matter as much that the database didn't have the most recent state all 
the time.  Zope detected conflict errors and retried the transactions, 
and the second time always worked.  It was good. :-)

Finally, here's a theoretical solution that I think would be ideal for a 
lot of people: if we could just ask the RDBMS for its current 
transaction ID, Zope could keep track of the last transaction ID it knew 
about, and clear the caches when another process made a change.  This 
solution may yield the highest performance for Zope-centric 
applications.  It would also remove the need for my MD5 hack. ;-)

Shane
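
Added example, not part of the original message or of AdaptableStorage: a sketch of the conflict detection described above, where an 8-byte serial is taken from half of an MD5 digest of the stored state and a write is refused when the state changed since it was loaded. ExternalStore, state_serial and the sample data are assumptions made for the illustration.

```python
import hashlib


class ConflictError(Exception):
    """Raised when the stored state changed after it was loaded."""


def state_serial(state):
    """8-byte serial: the first half of the MD5 digest of the stored state.

    This is a change-detection fingerprint, not protection against
    deliberate tampering.
    """
    return hashlib.md5(state).digest()[:8]


class ExternalStore:
    """Hypothetical stand-in for a table or directory other programs also modify."""

    def __init__(self):
        self.rows = {}

    def load(self, oid):
        state = self.rows[oid]
        return state, state_serial(state)

    def store(self, oid, new_state, loaded_serial):
        current = self.rows.get(oid)
        # Compare what is stored now with what the caller originally saw.
        if current is not None and state_serial(current) != loaded_serial:
            raise ConflictError(oid)
        self.rows[oid] = new_state
        return state_serial(new_state)


def demo():
    store = ExternalStore()
    store.rows["folder"] = b"a.txt"              # constructed sample data
    state, serial = store.load("folder")
    store.rows["folder"] = b"a.txt,new_dir"      # external writer, unseen by us
    attempts = 0
    while True:
        attempts += 1
        try:
            store.store("folder", state + b",b.txt", serial)
            break
        except ConflictError:
            # Reload the current state and retry, keeping the external change.
            state, serial = store.load("folder")
    return attempts, store.rows["folder"]


if __name__ == "__main__":
    print(demo())
```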





Re: [Zope-dev] Re: The remaining spanner in the works :-)

2002-08-02 Thread Gary Poster

I agree with Chris: *wow*!

[re the original explanation]
...
 I'm sure I left a few things out, so ask questions about the unclear
 parts.  

Everything was wonderfully clear, except that the actual mechanism to
convert the nested tuples flexibly to RDBMS record sequences escaped me
a bit.  This probably gets in the realm of "look at the code" which is
what, in fact, I will hope to do.

 It's probably more info than you were expecting. ;-)

Yes, and much appreciated.

[re the solution to Chris's spanner]
...
 Finally, here's a theoretical solution that I think would be ideal for a 
 lot of people: if we could just ask the RDBMS for its current 
 transaction ID, Zope could keep track of the last transaction ID it knew 
 about, and clear the caches when another process made a change.  This 
 solution may yield the highest performance for Zope-centric 
 applications.  It would also remove the need for my MD5 hack. ;-)

This does sound good.

Zope3 will rule the world!  ;-)

Gary





Re: [Zope-dev] Re: The remaining spanner in the works :-)

2002-08-02 Thread Shane Hathaway

Gary Poster wrote:
 I agree with Chris: *wow*!
 
 [re the original explanation]
 ...
 
I'm sure I left a few things out, so ask questions about the unclear
parts.  
 
 
 Everything was wonderfully clear, except that the actual mechanism to
 convert the nested tuples flexibly to RDBMS record sequences escaped me
 a bit.  This probably gets in the realm of "look at the code" which is
 what, in fact, I will hope to do.

I created another set of components called record storages.  Their job 
is to load and store record sequences in a schema that matches that of a 
serializer.  In the current AdaptableStorage code, most of them are 
still called a "table", the old name for record storage, but when I 
started serializing to the filesystem I realized that "table" wasn't 
general enough!

Most record storages store data in some kind of database, but other 
record storages act as a proxy for other record storages, converting 
data in one schema to another.  This theoretically enables application 
developers and database administrators to work independently, bringing 
their work together through proxy record storages.

Record storages are similar to SQLMethods, with the difference that 
record storages provide a way to both read and write a set of records. 
Conventionally, SQLMethods either read or write data, but not both 
(Though it's possible to write a SQLMethod that can read or write 
depending on the argument signature, that's not what they were designed 
to do.  Instead, a record storage might consist of two or more SQL methods.)

Some record storages might actually perform complex database queries 
that are not sensible to store.  In that case, you can just raise a 
ReadOnlyError on an attempt to write.

Shane





Re: [Zope-dev] passive FTP to Zope with a specified port-range

2002-08-02 Thread Brad Clements

On 2 Aug 2002 at 11:53, Mr Tobias Schiebeck wrote:

 I'm trying to modify the zope ftp-access to specify a port range 
 within which the server selects the ports for the passive ftp communication
 with the ftp-clients. This is in order to have the Zope server behind
 a firewall blocking more than the privileged ports only. 

This feature has already been added to Zope 2.6 as a patch.

I originally added it to Zope 2.5, so I think you can just copy the 2.6 ftp_server 
from CVS and drop it into your current Zope to get it to work.



Brad Clements,[EMAIL PROTECTED]   (315)268-1000
http://www.murkworks.com  (315)268-9812 Fax
AOL-IM: BKClements





Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Andy McKay

Likewise I'm trying to digest all that and I'm a little surprised. More magic
in DTML? Not something I'd vote for normally.

I'm a little confused why this is suddenly an issue, yeah so we pull a string
out of the REQUEST and thanks to DTML stack we may not know where it came
from. Well that's always been there. And yeah the string may contain nasty
HTML. Again that's always been there.
In the past (and I can't find posts to show it) the party line was Zope is an
application server and it's up to the person developing the application to
worry about it. That's why ChrisW wrote stripogram and I use it in quite a
few apps.

One other question? Why does it matter that the string is implicitly called,
why don't you taint explicitly called too? It makes me think of Perl where
taint mode taints anything coming from the user?

This still doesn't solve the party line and means I would like to suggest
again (and this time I have the time to work on it) that we add something
like stripogram or similar to the core, so that it is easy for an application
developer to have access to strip html and other functions from products,
DTML, Python Scripts etc to easily alter, manage and make HTML safer.
--
  Andy McKay
  @gmweb Consulting
  http://www.agmweb.ca







Re: [Zope-dev] Zope components and revision control with cvs

2002-08-02 Thread Dan L. Pierson



--On Thursday, August 01, 2002 10:13:29 PM -0400 Shane Hathaway 
[EMAIL PROTECTED] wrote:

 It's really only a theoretical problem.  To store the extra data about
 folderish objects, you can save the data in a hidden file called, for
 example, .properties.  The theoretical problem is that someone might
 give an object that name, since it's perfectly legal.  In practice, you
 can just prevent people from creating Zope objects with a name that starts
 with a dot.  99% of the users won't mind at all, and those that do can
 use two dots instead. :-)

Doesn't Subversion support versioned semi-arbitrary properties for objects?
If so, much common metadata could be expressed as properties, saving
special maybe hidden files for the complex and uncommon cases.





Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Martijn Pieters

On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote:
 Likewise I'm trying to digest all that and I'm a little surprised. More magic
 in DTML? Not something I'd vote for normally.
 
 I'm a little confused why this is suddenly an issue, yeah so we pull a string
 out of the REQUEST and thanks to DTML stack we may not know where it came
 from. Well that's always been there. And yeah the string may contain nasty
 HTML. Again that's always been there.
 In the past (and I can't find posts to show it) the party line was Zope is an
 application server and it's up to the person developing the application to
 worry about it. That's why ChrisW wrote stripogram and I use it in quite a
 few apps.

Yup. And that is still the case. However, the combination of implicit REQUEST
form interpolation and no HTML quoting turns out to be especially dangerous,
because of those situations where you *want* no HTML quoting for optional
information that normally should *not* come from the REQUEST.

An example is the Zope help system; there are API help pages that have
optional information, which when present is already HTML. But when not
present in the object hierarchy, but it *is* available in the REQUEST, the
REQUEST data is used instead. The way standard_error_message deals with
exceptions is another such situation. The DTML author didn't expect the
particular template slot to be filled with REQUEST data, the slot is
optional, and the author has no way of preventing REQUEST data from being
used.

The solution we chose fixes that problem, for all existing DTML as well as
future DTML. Note that ZPT does not have this problem, as it quotes by
default and doesn't use implicit namespaces.

 One other question? Why does it matter that the string is implicitly called,
 why don't you taint explicitly called too? It makes me think of Perl where
 taint mode taints anything coming from the user?

Because, as explained above, it's the implicit case that is dangerous. In the
explicit case you are supposed to know you are working with unsafe data and
thus the old rules apply. If we explicitly quoted, we hurt everyone that
either did the right thing from the start and/or already knows they are
playing with fire.

 This still doesn't solve the party line and means I would like to suggest
 again (and this time I have the time to work on it) that we add something
 like stripogram or similar to the core, so that it is easy for an application
 developer to have access to strip html and other functions from products,
 DTML, Python Scripts etc to easily alter, manage and make HTML safer.

The CMF now includes a basic HTML stripper. In future iterations, Tres
Seaver expects this to evolve into a CMF Tool that is more generally
configurable and useable.

-- 
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
-
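
Added example, not part of the original message and not Zope's own code: a sketch of the behaviour described above, where a value that an implicit namespace lookup finds only in REQUEST is marked as tainted and HTML-quoted even in a slot that asked for no quoting, while explicit REQUEST access keeps the old rules. The names Tainted, lookup, render_var and render_explicit and the sample data are assumptions made for the illustration.

```python
import html


class Tainted(str):
    """Marks a string that an implicit lookup found only in REQUEST."""


def lookup(name, namespaces, request):
    """Implicit lookup: walk the namespace stack, then fall back to REQUEST."""
    for ns in namespaces:
        if name in ns:
            return ns[name]
    if name in request:
        return Tainted(request[name])
    raise KeyError(name)


def render_var(name, namespaces, request, html_quote=False):
    """Render one template slot through the implicit namespace stack.

    html_quote=False models a slot whose author expects ready-made HTML
    from the object hierarchy. A value that fell through to REQUEST is
    quoted regardless of that setting.
    """
    value = lookup(name, namespaces, request)
    if html_quote or isinstance(value, Tainted):
        return html.escape(str(value))
    return str(value)


def render_explicit(name, request, html_quote=False):
    """Explicit REQUEST access: the author asked for request data by name
    and remains responsible for quoting it (the old rules apply)."""
    value = request[name]
    return html.escape(value) if html_quote else value


def demo():
    # Constructed sample objects and request data.
    documented = {"title": "API help", "extra": "<em>See also: Folder</em>"}
    bare = {"title": "API help"}          # optional slot missing on the object
    request = {"extra": "<b>text from the query string</b>"}
    return (
        render_var("extra", [documented], request),   # trusted HTML, passed through
        render_var("extra", [bare], request),         # fell through to REQUEST, quoted
        render_explicit("extra", request),            # explicit access, not quoted
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```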




[Zope-dev] Calling a Python script from a

2002-08-02 Thread Gilles Lenfant

Hi,

I'm searching for a way to execute a ZODB untrusted python script with parameters and 
appropriate bindings (context, container...) from a file system Zope product.
Where can I find some examples?

Thanks in advance.

--Gilles







Re: [Zope-dev] Zope components and revision control with cvs

2002-08-02 Thread Dieter Maurer

Shane Hathaway writes:
  It's really only a theoretical problem.  To store the extra data about
  folderish objects, you can save the data in a hidden file called, for
  example, .properties.  The theoretical problem is that someone might
  give an object that name, since it's perfectly legal.  In practice, you
  can just prevent people from creating Zope objects with a name that starts
  with a dot.  99% of the users won't mind at all, and those that do can
  use two dots instead. :-)
The real problem (in my view) are ObjectManagers that are contained
in Non-Object-Managers. Furthermore, splitting/folding ObjectManagers
in the sense that you start/stop managing the individual content.


Dieter




Re: [Zope-dev] Removing the acquisition wrapper from an object(Python script)

2002-08-02 Thread Dieter Maurer

Gilles Lenfant writes:
  ...
   obj.aq_explicit.some_attr
  Many thanks, exactly what I needed !
It will not always work, only usually.


Dieter




Re: [Zope-dev] Removing the acquisition wrapper from an object(Python script)

2002-08-02 Thread Adrian Hungate

Why do you say it will not always work?
What situations might cause it not to work (Assuming that we already know
that the object is acquisition wrapped?)

Also, is there any hope of the documentation for acquisition being fleshed
out a little and brought up to date?

Adrian...

--
Adrian Hungate
EMail: [EMAIL PROTECTED]
Web: http://www.haqa.co.uk

- Original Message -
From: Dieter Maurer [EMAIL PROTECTED]
To: Gilles Lenfant [EMAIL PROTECTED]
Cc: Leonardo Rochael Almeida [EMAIL PROTECTED]; Zope Developers list
[EMAIL PROTECTED]
Sent: Friday, August 02, 2002 8:53 PM
Subject: Re: [Zope-dev] Removing the acquisition wrapper from an
object(Python script)


 Gilles Lenfant writes:
   ...
obj.aq_explicit.some_attr
   Many thanks, exactly what I needed !
 It will not always work, only usually.


 Dieter



