Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson
On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote: On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote: I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5

[Zope-dev] __record_schema__ of Brains (Was: Record.pyd)

2002-08-09 Thread Johan Carlsson [Torped]
Hi, I'm back on the Brain track :-) What function does the __record_schema__ attribute of the Brains have? Does it do anything else when provide the has_key feature? def has_key(self, key): return self.__record_schema__.has_key(key) Best Regards, Johan Carlsson -- Torped

Re: [Zope-dev] __record_schema__ of Brains (Was: Record.pyd)

2002-08-09 Thread Casey Duncan
__record_schema__ is simply a dictionary which maps field names to column positions (ints) so that the record knows the index of each field in the record tuples. See line 154 of Catalog.py to see how it is initialized to the Metadata schema plus a few extra columns for catalog rid and scores.

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Martijn Pieters
On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: The risk for breakage is very small really Your choice of '' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than dtml which generates html. Only if you generated that

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson
On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote: On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: The risk for breakage is very small really Your choice of '' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Tres Seaver
On Fri, 2002-08-09 at 10:43, Toby Dickenson wrote: On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote: On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: The risk for breakage is very small really Your choice of '' and html_quote suggests that my dtml code which

[Zope-dev] DCOracle2 Binding Array

2002-08-09 Thread brian.r.brinegar.1
While using the DCOracle2 module outside of Zope I receive the following traceback: Traceback (most recent call last): File /dev/fd/4, line 206, in ? File /dev/fd/4, line 206, in ? File ./modules/Calendar.py, line 193, in dayGroupView reservation = Reservation(conflict) File

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Oliver Bleutgen
Tres Seaver wrote: Martijn did add a knob to turn the feature off, via a new environment variable. With a security vulnerability, we have to come up with some kind of balance between the need to propagate the fix as quickly as possible and the need (as you point out) not to disrupt

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Shane Hathaway
Tres Seaver wrote: Without the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous value, unquoted. E.g.:

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Jeffrey P Shell
On 8/9/02 8:43 AM, Toby Dickenson [EMAIL PROTECTED] wrote: I agree it is true in most cases, but not all. Have you analysed how many applications will be broken by this? how they can detect the breakage? I certainly will not have time to assess the implications on my applications before the