[Zope-dev] WebSockets API

2012-11-25 Thread Alex Leach
Hi,

I was wondering if anyone has implemented a WebSockets server API using the 
zope toolkit? I've just submitted a blueprint on Launchpad 
(https://blueprints.launchpad.net/zopetoolkit-project/+spec/websockets-api), 
but thought it might be quicker and easier to discuss how one could do this 
here.

In theory (and practice, e.g.
http://popdevelop.com/2010/03/a-minimal-python-websocket-server/),
only a very small amount of code is needed to deploy a 
secure WebSockets server. I'd be happy to have a go at doing this myself, but 
thought it would be better to implement upstream, within one of the zope 
packages.

I've been developing with grok, so I'm not too familiar with the internals of 
zope publishing, though. Please could someone point me in the right direction, 
with regards to modules and base classes responsible for parsing requests and 
performing handshakes?

Cheers,
Alex

___
Zope-Dev maillist  -  Zope-Dev@zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope )
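
An added example, not part of the message above and not code from any Zope package: the server side of the opening handshake the message asks about, written against RFC 6455 (an assumption; the linked 2010 post predates that RFC). ALLOWED_ORIGINS, HandshakeError, SAMPLE_REQUEST and the function names are hypothetical.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
ALLOWED_ORIGINS = {"https://app.example.org"}      # assumption: site allow-list
# Constructed sample request; the key is the example nonce from RFC 6455.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\nHost: app.example.org\r\n"
    b"Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
    b"Origin: https://app.example.org\r\nSec-WebSocket-Version: 13\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")

class HandshakeError(ValueError):
    """Raised when the opening handshake must be refused."""

def parse_request(raw):
    """Return (request line, dict of lower-cased header names to values)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise HandshakeError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def accept_handshake(raw):
    """Validate the client handshake and return the 101 response bytes."""
    request_line, h = parse_request(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        raise HandshakeError("handshake must be an HTTP/1.1 GET")
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if (h.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens
            or h.get("sec-websocket-version") != "13"):
        raise HandshakeError("not a version 13 WebSocket upgrade request")
    # Browsers do not apply the same-origin policy here; the server checks Origin.
    if h.get("origin") not in ALLOWED_ORIGINS:
        raise HandshakeError("origin not allowed")
    key = h.get("sec-websocket-key", "")
    try:
        key_ok = len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError subclass
        key_ok = False
    if not key_ok:
        raise HandshakeError("Sec-WebSocket-Key must be 16 base64-encoded bytes")
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest())
    return (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Accept: " + accept + b"\r\n\r\n")
```

The handshake only proves the peer speaks the protocol; authentication and the Origin allow-list are what keep another site's page from opening a socket with a logged-in user's cookies.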


Re: [Zope-dev] Bug#692899: zope2.12: [CVE-2012-5485 to 5508] Multiple vectors corrected within 20121106 fix

2012-11-25 Thread Tres Seaver

On 11/24/2012 09:07 PM, Arnaud Fontaine wrote:

> Luciano Bello luci...@debian.org writes:
>
>> Hi, please see : http://seclists.org/oss-sec/2012/q4/249
>>
>> Can you confirm if any of the Debian packages are affected?
>
> As far as I could find (not clear in the upstream changelog):

The CVEs were not identified during the release cycles in which those
fixes were released.  Plone's hotfix includes monkey-patches for them to
permit fixing older Zope versions.

> version 2.12.26:
>   * LP #1071067 fixes CVE 2012-5507, CVE 2012-5508.
>   * LP #930812 fixes CVE 2012-5486.
>
> version 2.12.21:
>   * LP #1079238 fixes CVE 2012-5489.
>
> According to the upstream changelog, LP #1047318 seems to fix a
> security bug, but I could not find it in zope2 launchpad nor anywhere
> else.

That bug was still in Private Security state:  I have updated it to
Public Security, so you should be able to view it:

 https://bugs.launchpad.net/zope2/+bug/1047318

snip

> Not fixed in latest release of Zope AFAIK:
>
> * CVE-2012-5487 (allow_module.py)
>   http://plone.org/products/plone/security/advisories/20121106/03

I don't believe that this can be a bug in Zope itself:  adding
'__roles__' to a module-scope function is pointless unless the module
itself is importable by untrusted (TTW) code.  The
'AccessControl.SecurityInfo' module should *certainly* not be exposed to
untrusted code.   If some other out-of-Zope-core module which is supposed
to be importable by TTW code imports that function at module scope, then
fix *that* module instead.

> * CVE-2012-5505 (zope.traversing: atat.py)
>   http://plone.org/products/plone/security/advisories/20121106/21

That fix is also disputed:  hiding the default view from the '@@'
name does not actually improve security at all.  There is a Launchpad bug
where it is being debated (#1079225), but that bug is still in Private
Security mode.  The correct fix is to change the code of the
multi-adapter to barf if published via a URL.



Tres.
-- 
===
Tres Seaver  +1 540-429-0999  tsea...@palladion.com
Palladion Software   Excellence by Design   http://palladion.com


[Zope-dev] zope-tests - FAILED: 6, OK: 18, UNKNOWN: 3

2012-11-25 Thread Zope tests summarizer
This is the summary for test reports received on the 
zope-tests list between 2012-11-24 00:00:00 UTC and 2012-11-25 00:00:00 UTC:

See the footnotes for test reports of unsuccessful builds.

An up-to-date view of the builders is also available in our 
buildbot documentation: 
http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds

Reports received
----------------

[1]Repository policy check found errors in 277 projects
   Successful - zopetoolkit_trunk - Build # 87
   Successful - zopetoolkit_trunk_app - Build # 71
[2]Total languishing bugs for zope2: 4
[3]Total languishing bugs for zope: 72
[4]Total languishing bugs for zopeapp: 1
[5]Total languishing bugs for zopetoolkit: 206
[6]UNKNOWN : Zope-2.13 Python-2.7.3 : Linux
[7]UNKNOWN : Zope-trunk Python-2.6.8 : Linux
[8]UNKNOWN : Zope-trunk Python-2.7.3 : Linux
   Zope-2.10 Python-2.4.6 : Linux
   Zope-2.11 Python-2.4.6 : Linux
   Zope-2.12 Python-2.6.8 : Linux
   Zope-2.13 Python-2.6.8 : Linux
   winbot / ZODB_dev py_265_win32
   winbot / ZODB_dev py_265_win64
   winbot / ZODB_dev py_270_win32
   winbot / ZODB_dev py_270_win64
[9]winbot / zc.lockfile_py_265_32
   winbot / ztk_10 py_254_win32
   winbot / ztk_10 py_265_win32
   winbot / ztk_10 py_265_win64
   winbot / ztk_11 py_254_win32
   winbot / ztk_11 py_265_win32
   winbot / ztk_11 py_265_win64
   winbot / ztk_11 py_270_win32
   winbot / ztk_11 py_270_win64

Non-OK results
--------------

[1]FAILED  Repository policy check found errors in 277 projects
   https://mail.zope.org/pipermail/zope-tests/2012-November/069543.html


[2]FAILED  Total languishing bugs for zope2: 4
   https://mail.zope.org/pipermail/zope-tests/2012-November/069542.html


[3]FAILED  Total languishing bugs for zope: 72
   https://mail.zope.org/pipermail/zope-tests/2012-November/069541.html


[4]FAILED  Total languishing bugs for zopeapp: 1
   https://mail.zope.org/pipermail/zope-tests/2012-November/069539.html


[5]FAILED  Total languishing bugs for zopetoolkit: 206
   https://mail.zope.org/pipermail/zope-tests/2012-November/069540.html


[6]UNKNOWN UNKNOWN : Zope-2.13 Python-2.7.3 : Linux
   https://mail.zope.org/pipermail/zope-tests/2012-November/069550.html


[7]UNKNOWN UNKNOWN : Zope-trunk Python-2.6.8 : Linux
   https://mail.zope.org/pipermail/zope-tests/2012-November/069551.html


[8]UNKNOWN UNKNOWN : Zope-trunk Python-2.7.3 : Linux
   https://mail.zope.org/pipermail/zope-tests/2012-November/069552.html


[9]FAILED  winbot / zc.lockfile_py_265_32
   https://mail.zope.org/pipermail/zope-tests/2012-November/069538.html

