[Zope-dev] 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml

2003-09-19 Thread Richard Waid
Yesterday I discovered a bug in ZPT for which I'm having trouble 
tracking down the source. This bug does not appear to occur in 2.6, but 
does appear to occur in both 2.7.0-b2 and 2.7.0-b1.

Basically, if you're using a ZPT with a content-type text/xml, using a 
TAL path expression to access an attribute or method causes a security 
violation (Unauthorized). It does not happen if the ZPT is using 
content-type text/html.

This is a critical bug for us; it will affect dozens, if not hundreds, of 
XML-producing ZPTs if we were to upgrade to 2.7 from 2.6.

I notice that someone previously reported something like this on the 
Zope list but I couldn't find a resolution (the message was a couple of 
months back), and there is a bug in the collector:

  http://collector.zope.org/Zope/1034/

To which I have added a comment, a test case and a traceback. The bug 
was talking about METAL macros, but it is almost certainly related.

Two things are known to work around this bug:

1) ZOPE_SECURITY_POLICY=PYTHON would probably work, since I forced an 
import error in AccessControl/ZopeGuards.py to force the use of the 
python version of guarded_getattr, and that fixed the problem. Which 
might suggest the problem is in cAccessControl ... though I dropped in 
the 2.6 version of that, and it didn't seem to fix the problem (maybe 
something in cAccessControl is only triggered under this scenario).

2) Using getattr rather than guarded_getattr in 
PageTemplates/Expressions.py, line 348. Not the best solution :)

The test case, for those too lazy to look in the collector (:)):

---

 1. Create a page template

 2. Use the text:

    http://xml.zope.org/namespaces/tal";
    tal:replace="here/id"/>

 3. Set to content-type text/html -- it should work when you test it.

 4. Set to content-type text/xml -- you will get a security
    violation when you test it (Unauthorized: You are not allowed to
    access 'id' in this context).

---

Any help tracking down this problem would be very greatly appreciated.

Many thanks,

Richard Waid
Network/Software Engineer
http://iopen.net
___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
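What the report's second workaround gives up, as an added example that is not part of the original message or of Zope's code: a toy model of a TAL path expression (here/id) resolved step by step through a guarded attribute lookup. Zope's real guarded_getattr consults its role/permission machinery; the SecurityPolicy, Document and evaluate_path names below are hypothetical stand-ins so the difference between the guarded lookup and the plain getattr of workaround 2 can be seen on a small object.

```python
"""Toy model of guarded attribute access in a TAL path expression.

Added example, not Zope's code. Zope resolves a path expression such as
``here/id`` one step at a time and routes each step through
``guarded_getattr`` so that the security policy can refuse it (that is the
check that raises Unauthorized in the report). Workaround 2 in the report,
swapping ``guarded_getattr`` for plain ``getattr`` in Expressions.py, removes
that check for every template on the server. The SecurityPolicy class is a
hypothetical stand-in for Zope's role/permission machinery.
"""


class Unauthorized(Exception):
    """Raised when the policy refuses access to an attribute."""


class SecurityPolicy:
    """Table of attribute name -> set of roles allowed to read it.

    Names with no entry are treated as private, the conservative default.
    """

    def __init__(self, table):
        self.table = table

    def validate(self, name, roles):
        allowed = self.table.get(name)
        return allowed is not None and bool(allowed & set(roles))


def guarded_getattr(obj, name, policy, roles):
    """Fetch ``name`` from ``obj`` only if the policy permits it for ``roles``."""
    if not policy.validate(name, roles):
        raise Unauthorized(
            "You are not allowed to access '%s' in this context" % name)
    return getattr(obj, name)


def evaluate_path(obj, path, roles, policy=None):
    """Resolve a slash-separated path like ``here/id`` against ``obj``.

    With a policy, every step goes through guarded_getattr. With
    policy=None the lookup is the unguarded getattr of workaround 2, kept
    here only to show what that workaround gives up.
    """
    current = obj
    for step in path.split("/"):
        if policy is None:
            current = getattr(current, step)
        else:
            current = guarded_getattr(current, step, policy, roles)
    return current


def access_result(obj, path, roles, policy=None):
    """Return ('ok', value) or ('denied', message) for easy comparison."""
    try:
        return ("ok", evaluate_path(obj, path, roles, policy))
    except Unauthorized as exc:
        return ("denied", str(exc))


# Constructed sample object: ``id`` is public, ``owner`` is manager-only.
class Document:
    def __init__(self, doc_id, owner):
        self.id = doc_id
        self.owner = owner


POLICY = SecurityPolicy({
    "id": {"Anonymous", "Manager"},
    "owner": {"Manager"},
})

SAMPLE = Document("doc1", "alice")


if __name__ == "__main__":
    # Anonymous may read id but not owner; managers may read both.
    print(access_result(SAMPLE, "id", ["Anonymous"], POLICY))
    print(access_result(SAMPLE, "owner", ["Anonymous"], POLICY))
    print(access_result(SAMPLE, "owner", ["Manager"], POLICY))
    # Workaround 2: no policy at all, so the owner field is readable by anyone.
    print(access_result(SAMPLE, "owner", ["Anonymous"], None))
```

The point of the last call is that the failure in the report is the policy saying no; taking the policy out of the path makes the symptom disappear for every attribute, not just the one that should have been allowed, which is why the first workaround (falling back to the Python guarded_getattr) is the safer stopgap.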


[Zope-dev] 2.6 -> 2.7 upgrade

2003-09-19 Thread Andy McKay
Anyone got a bright idea how to upgrade users from 2.6 to 2.7? I'm 
specifically thinking via the Windows installer here.

A few files (probably) have to be moved around, no problem.
Specifically I'm thinking a user's command-line switches have to be turned 
into a ZConfig file.

Fortunately for Plone I can read the registry and convert into a 
ZConfig, but no idea what the Zope Corp installer will do... I basically 
see that there is no automated upgrade. Back it up, install the new one 
and then read the docs...
--
  Andy McKay
  http://www.agmweb.ca

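The conversion the message describes, as an added example that is not the Zope Corp installer's or Plone's code: a small translator from z2.py-style command-line switches to a zope.conf fragment. The switch-to-directive mapping is an assumption drawn from the Zope 2.6 z2.py options (-w HTTP port, -f FTP port, -u effective user, -D debug mode) and the Zope 2.7 zope.conf directives (http-server/ftp-server address, effective-user, debug-mode); any switch it does not recognise is written out as a comment for hand review rather than silently dropped, which is the part a migration tool must get right.

```python
"""Translate z2.py-style switches into a zope.conf fragment.

Added example, not part of any Zope installer. The mapping below is an
assumption based on the z2.py options and the Zope 2.7 zope.conf
directives; verify it against the versions actually being migrated.
"""

import shlex

# Switches that take a value, mapped to a neutral setting name.
KNOWN_VALUE_SWITCHES = {
    "-w": "http_port",        # z2.py: HTTP server port
    "-f": "ftp_port",         # z2.py: FTP server port
    "-u": "effective_user",   # z2.py: user to run as after binding ports
}

# Switches that are plain flags.
KNOWN_FLAG_SWITCHES = {
    "-D": "debug_mode",       # z2.py: debug mode on
}


def parse_switches(cmdline):
    """Parse a command line string into a settings dict.

    Unrecognised tokens are collected under 'unknown' instead of being
    discarded, so nothing the user relied on disappears unnoticed.
    """
    tokens = shlex.split(cmdline)
    settings = {"unknown": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in KNOWN_VALUE_SWITCHES:
            if i + 1 >= len(tokens):
                raise ValueError("switch %s needs a value" % tok)
            settings[KNOWN_VALUE_SWITCHES[tok]] = tokens[i + 1]
            i += 2
        elif tok in KNOWN_FLAG_SWITCHES:
            settings[KNOWN_FLAG_SWITCHES[tok]] = True
            i += 1
        else:
            settings["unknown"].append(tok)
            i += 1
    return settings


def render_zope_conf(settings):
    """Render the settings as zope.conf directives (assumed 2.7 names)."""
    lines = []
    if settings.get("effective_user"):
        lines.append("effective-user %s" % settings["effective_user"])
    if settings.get("debug_mode"):
        lines.append("debug-mode on")
    for key, section in (("http_port", "http-server"), ("ftp_port", "ftp-server")):
        port = settings.get(key)
        if port is not None:
            if not port.isdigit():
                raise ValueError("%s: port must be numeric, got %r" % (key, port))
            lines.append("<%s>" % section)
            lines.append("  address %s" % port)
            lines.append("</%s>" % section)
    for tok in settings["unknown"]:
        lines.append("# UNMAPPED SWITCH: %s  (review by hand)" % tok)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample command line, including one switch we do not map.
    print(render_zope_conf(parse_switches("-w 8080 -u zope -D -X foo")))
```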


[Zope-dev] Re: Still i18n:attributes DeprecationWarning on Zope head!

2003-09-19 Thread Godefroid Chapelle
At 13:24 17/09/2003, Chris Withers wrote:
I know that, the error message is fine, but there are tests that need to 
be corrected. Since you know this syntax very well, please can you check 
out the Zope HEAD, search for tal:attributes and fix any broken tests? I 
think there are only a few files that need to be changed...
Done

cheers,

Chris
--

Godefroid Chapelle

BubbleNet sprl
rue Victor Horta, 18 / 202
1348 Louvain-la-Neuve
Belgium
Tel + 32 (10) 459901

TVA 467 093 008
RC Niv 49849


Re: [Zope-dev] PCGI-Problem

2003-09-19 Thread Andre Schubert
On Thu, 18 Sep 2003 14:32:52 +0200
Andre Schubert <[EMAIL PROTECTED]> wrote:

> Hi all,
> 
> I have a little problem.
> We have several Zopes running in our company.
> Versions are 2.5.1, 2.6.1, 2.6.2. All are running on Redhat Linux.
> All versions have the same problem: if I access them via pcgi and hit the Restart
> button in the Control Panel then the server goes down.
> If I do the same via ZServer port 8080 everything works fine.
> 
Hi all,

I think I have found a solution.
A patch is included for PCGIServer.py.
Could anybody check this patch, please?
If there are no problems, I could file a bug in the collector.

Thanks, as



--- PCGIServer.py   Wed Aug 14 23:16:50 2002
+++ PCGIServer.py.patched   Fri Sep 19 10:13:05 2003
@@ -394,5 +394,5 @@
 
 def finish(self, response):
 if response._shutdownRequested():
-self._shutdown = 1
+self._shutdown = [sys.ZServerExitCode]
 self._channel.reply_code=response.status
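Review bot: the new line reads `sys.ZServerExitCode`, an attribute assigned onto the `sys` module at runtime rather than a name defined in PCGIServer.py, and the hunk shows neither an `import sys` nor a guard, so if the exit code has not been set when the restart is requested `finish` raises AttributeError instead of shutting the server down; either confirm the module already imports `sys` and that the code is always set before a restart can be requested, or use `[getattr(sys, 'ZServerExitCode', 0)]`. The patch also changes `_shutdown` from the integer `1` to a one-element list, and the consumer of that flag is not in the hunk, so the commit message should say what reads `_shutdown` and that it indexes the list the same way the other ZServer channels do; a restart through PCGI on one of the 2.5.1/2.6.x installs mentioned above is the evidence reviewers will want.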
