[Zope-dev] 2.7.0-b2 - Critical ZPT TAL bug when using content-type text/xml
Yesterday I discovered a bug in ZPT for which I'm having trouble tracking down the source. This bug does not appear to occur in 2.6, but does appear to occur in both 2.7.0-b2 and 2.7.0-b1. Basically, if you're using a ZPT with a content-type text/xml, using a TAL path expression to access an attribute or method causes a security violation (Unauthorized). It does not happen if the ZPT is using content-type text/html. This is a critical bug for us, it will affect dozens if not hundreds of XML producing ZPT's if we were to upgrade to 2.7 from 2.6. I notice that someone previously reported something like this on the Zope list but I couldn't find a resolution (the message was a couple of months back), and there is a bug in the collector: http://collector.zope.org/Zope/1034/ To which I have added a comment, a test case and a traceback. The bug was talking about METAL macros, but it is almost certainly related. Two things are known to workaround this bug: 1) ZOPE_SECURITY_POLICY=PYTHON would probably work, since I forced an import error in AccessControl/ZopeGuards.py to force the use of the python version of guarded_getattr, and that fixed the problem. Which might suggest the problem is in cAccessControl ... though I dropped in the 2.6 version of that, and it didn't seem to fix the problem (maybe something in cAccessControl is only trigged under this scenerio), 2) Using getattr rather than guarded_getattr in PageTemplates/Expressions.py, line 348. Not the best solution :) The test case, for those too lazy to look in the collector (:)): --- 1. Create a page template 2. Use the text: http://xml.zope.org/namespaces/tal"; tal:replace="here/id"/> 3. Set to content-type text/html -- it should work when you test it. 4. Set to content-type text/xml -- you will get a security violation when you test it (Unauthorized: You are not allowed to access 'id' in this context). - Any help tracking down this problem would be very greatly appreciated. Many thanks, Richard Waid Network/Software Engineer http://iopen.net ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] 2.6 -> 2.7 upgrade
Anyone got a bright idea how to upgrade users from 2.6 to 2.7? Im specifically thinking via the Windows installer here. A few files (probably) have to be moved around, no problem. Specifically Im thinking a users command line switches have to be turned into a ZConfig file. Fortunately for Plone I can read the registry and convert into a ZConfig, but no idea what the Zope Corp installer will do... I basically see that there is no automated upgrade. Back it up, install the new one and then read the docs... -- Andy McKay http://www.agmweb.ca ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: Still i18n:attributes DeprecationWarning on Zope head!
At 13:24 17/09/2003, Chris Withers wrote: I know that, the error message is fine, but there are tests that need to be corrected. Since you know this syntax very well, please can you check out the Zope HEAD, search for tal:attributes and fix and broken tests? I think there are only a few files that need to be changed... Done cheers, Chris -- Godefroid Chapelle BubbleNet sprl rue Victor Horta, 18 / 202 1348 Louvain-la-Neuve Belgium Tel + 32 (10) 459901 TVA 467 093 008 RC Niv 49849 ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PCGI-Problem
On Thu, 18 Sep 2003 14:32:52 +0200 Andre Schubert <[EMAIL PROTECTED]> wrote: > Hi all, > > i have a little problem. > We have several Zope's running in our company. > Versions are 2.5.1,2.6.1,2.6.2. All are running on Redhat Linux. > All versions have the same problem, if i access them via pcgi and hit the Restart > button in the Control Panel then the server goes down. > If i do the same via ZServer port 8080 everything works fine. > Hi all, i think i have found a solution. A patch is included for PCGIServer.py. Could anybody check this patch please. If there are no problems i could file a bug into the collector. Thanks, as --- PCGIServer.py Wed Aug 14 23:16:50 2002 +++ PCGIServer.py.patched Fri Sep 19 10:13:05 2003 @@ -394,5 +394,5 @@ def finish(self, response): if response._shutdownRequested(): -self._shutdown = 1 +self._shutdown = [sys.ZServerExitCode] self._channel.reply_code=response.status ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )