Re: [Zope-dev] Compiled Python as an Extension file
On Thu, Jun 22, 2000 at 08:53:41AM +0200, Dr. Peer Griebel wrote: I managed to patch zope to accept compiled python files in the Extensions directory. I don't know what to do with my path. Where could I put it - into the Wiki pages? Hi Peer, Patches best go in the Collector: http://www.zope.org:8080/Collector -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | The Open Source Web Application Server - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Zope2.2.0b3 Image/File object create/upload bug (w/patch)
On Wed, Jun 28, 2000 at 11:32:48AM +0200, Adam Karpierz wrote: Please, can you explain me why this bug and path was retracted from Collector with message ?: "Retracted by submitter (in Zope-Dev mailinglist, forgot to define USE_EXTENSION_CLASS)." Sorry, that was my fault. I somehow mixed up your entries with that of Brad Clements, who had retracted his issue: http://lists.zope.org/pipermail/zope-dev/2000-June/005632.html I see that you refiled your issue. Again, apologies. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] BTreeFolder released
On Fri, Jul 07, 2000 at 01:06:06PM +0100, Toby Dickenson wrote: I'm interested, but don't have time to install it at the moment. Could someone post a gif of it's user interface please? Shane 'borrowed' Guido's time machine to post the following before you asked this: http://www.zope.org/Members/hathawsh/BTreeFolder-announce -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] BTreeFolder released
On Fri, Jul 07, 2000 at 09:10:38PM +0200, Martijn Pieters wrote: Shane 'borrowed' Guido's time machine to post the following before you asked this: http://www.zope.org/Members/hathawsh/BTreeFolder-announce Heh, I also made Shane move the screenshot to keep or News page clean.. =) So the image is now at the original Product page: http://www.zope.org/Members/hathawsh/BTreeFolder -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] Optimization and speed
On Sat, Jul 15, 2000 at 12:18:23PM -0700, Stephan Richter wrote: I have a pretty big site with quiet a big database (PostGreSQL) in the background. When a site loads I can tell that after about 5 seconds the site is ready to download. The site downloads quickly thereafter if I am on a T1, DSL or Cable Modem connection. But since most of our users have 28.8k and 56k modem connection, we have to optimize for them too. When accessing the site over a modem, it takes a long time to load the site and then it pops up all at once (in IE (AOL) and Netscape). Is there a way that I can send parts of the HTML as it is generated, so that the customer starts seeing information before the entire site is loaded. Our site is about 50% slower than our competitors sites (we are serving 62kB and the competitor has up to 203kB and is 50% faster!!!) which use PHP and ColdFusion. I know that Zope is not slower. I strongly believe it is the HTML output which is not optimized (we are going to speed up the DB connection very soon by dedicating a NIC only for the DB communication). Technical Facts: - Zope 2.1.6+PCGI+Apache - Virtual Hosts for HTTP and HTTPS - PostGreSQL 7.0 (DB size: 50MB), ZPyGreSQLDA, UserDB - ZODB threads: 4 - Web Server: Pentium 500, RH 6.1, 322MB RAM (not all used), 100 MBit NIC - DB Server: Pentium 500, RH 6.1, 322MB RAM (plenty left to use), 100 MBit NIC - dedicated subnet If someone could give me some tips where I should start looking for speed holes, please let me know. Do you think it is the DB which could be so slow and I should cache search results more, are there ZServer/Apache options I can set or anything else in Zope I should have a look at? Hi Stephan, This sounds like more of a HTML problem than a Zope problem, especially since the fast links have no trouble with the server. Zope obviously is fast enough to serve them. I bet your site heavily uses tables and images This will cause the browser to not display anything until it knows how to lay out the table. If your whole page is contained in one table, this means that your page won't pop up until the browser has seen the table end tag and knows the sizes of all images. You can help the browser a bit by making sure all IMG tags have a width and height attribute so the browser won't have to wait for the images to start to load. IIRC, Internet Explorer will even show the table without that information, and reflow the table if needed. It still will wait until it has the whole table. Only Mozilla reflows all incoming HTML on the fly, even before the end of the table is seen. When they the optimisations come in for Netscape 6 preview 3, it'll beat the hell out of Internet Explorer with this. So, if you want to make sure that your clients see something before all HTML is in, split up the table into a header and the rest, if possible. Then the browser has something to show while loading the rest of the page. This is what sites like www.cnet.com do; they show you a banner while waiting. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Errors causing half rendered pages
On Sun, Jul 16, 2000 at 10:38:41PM +0100, Chris Withers wrote: Dieter Maurer wrote: I saw this only when buggy HTML was generated. When I viewed the HTML source my Netscape browser sometimes showed me blinking parts that located the errors. Nope, this was with IE... I viewed source and sure enough, it ended after a few lines. I guess it might have something to dop with streaming HTTP output, but I don't think Zope uses that... Ideas anyone? THis rings vague bells of IIS or some other proxy server or somthing converting LF tp CRLF but not updating the Content-Length header, thus having your browser drop part of the transmission. I could be talking absolute nonsense of course. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] The Application object
On Mon, Jul 17, 2000 at 12:21:42PM -0400, Jeff K. Hoffman wrote: On Mon, 17 Jul 2000, Chris McDonough wrote: I'm not sure I understand. What is AppSingleton? What does the Instance() method do? Sorry I wasn't clear enough. The Singleton is a design pattern from the Gang of Four book that fits this situation well. It is a class that is meant to control access to the one and only instance of a global variable. I was just using that as a frame of reference, though; Zope has no such class for the Application object, or I wouldn't be writing this message. I just need some way of getting at the one and only Application object at run-time. Something like: from Globals import app myOb = app.Control_Panel.Products.MyProduct.MyZClass('foo') ... Given a reference to an object in the ZODB, I can do this via: app = self.getPhysicalRoot() myOb = app.Control_Panel.Products.MyProduct.MyZClass('foo') But, this does not work from methods like __init__, or __setstate__, where we do not have a physical location in the ZODB, yet. I just need a reference to the app object. I know the answer has to be simple, but I can't find it. See the __init__.py method of ZScheduler, which can be found on Zope.org. ZScheduler uses a Singleton as well. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] HTTP user agent?
On Wed, Jul 19, 2000 at 04:57:12PM +0900, Brian Takashi Hooper wrote: Hi Zopistas, For anyone that might know: Is there a particular reason that the User-Agent header is not part of the request data that ZServer sends in the environment to ZPublisher? It looks like the user agent can also be provided to Zope's request object just by adding a line for 'user-agent' to ZServer.HTTPServer.header2env: header2env={'content-length': 'CONTENT_LENGTH', 'content-type' : 'CONTENT_TYPE', 'connection': 'CONNECTION_TYPE', 'user-agent': 'HTTP_USER_AGENT' } Is there a particular reason this is not done? I have a HTTP_USER_AGENT in my Zope. Maybe your browser doesn't send your server the header? -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] second step (many of You are going to laungh ;-)
On Wed, Jul 19, 2000 at 09:21:01PM +0200, Vincent wrote: I just download Zope today, and I am wondering how I am going to start toding something. May somebody tell me whath is the first step to do to put a custom HTML page into ZOPE ? (I started the server, I can access the 'manage' tools - server:8080/manage), I guess I need to creat my HTML page with notepad, ultraedit or whatever, but the next step ? Creat a ZOPE object linked to this HTML page ? No idea how to do that... At the bottom of the management screen (right-hand frame) you'll find a drop down box with objects you can add. I suggest you add the Zope Tutorial (I am assuming you are using 2.2 here). -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 05:22:25PM +0100, Steve Alexander wrote: Chris Withers wrote: A string.upper wouldn't go amiss either, then earlier versions of Mozilla that send an incorrectly capitalised 'Basic' might also be allowed to authenticate with Zope :-) Heh, and allow Mozilla to gain the bug again? Zope wan't the only server Moz broke on though.. It is already there in 2.2final: if lower(auth[:6])!='basic ': ^ RFC 1945 has it as "Basic". http://www.freesoft.org/CIE/RFC/1945/67.htm RFC 1945 says one paragraph before that that the header should be matched case-insensitively. That was what the Moz bug was all about. I also checked, and this version of the patch *should* work: # Only do basic authentication if lower(auth[:6])!='basic ': return None name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1)) The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah". The split already takes out the whitespace. No need to strip. However, it still doesn't work if the client sends something bogus -- the tuple will only be one item long, rather than two. That is a bug in the client then. If you want to be protected against bogosity in basic authentication, you can stick with the original line, and put it inside a try-except block: # Only do basic authentication if lower(auth[:6])!='basic ': return None try: name,password=\ tuple(split(decodestring(split(auth)[-1]), ':', 1)) except: # Bogus basic authentication. Perhaps log something? return None This would mask bugs in clients. Not a good idea. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 08:36:26PM +0200, Martijn Pieters wrote: I also checked, and this version of the patch *should* work: # Only do basic authentication if lower(auth[:6])!='basic ': return None name,password=tuple(split(decodestring(strip(auth[6:])), ':', 1)) The "strip" is in there just in case a client responds with "basic base64blah" instead of "basic base64blah". Oops. You took out the strip. But IIRC, base64 does a strip as well. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 07:57:00PM +0100, Chris Withers wrote: Martijn Pieters wrote: So what was causing the original error then? Buggy client? If so, surely Zope should just return an Unauthorized error rather than exposing its internals?! If you're a server and the client is buggy, tell it so, but don't look like you just screwed up really badly ;-) Oops. Speed read fumble. We partly agree, and this is tricky. Unauthorised is wrong, it should return a Bad Request (or whatever the correct HTTP error is in this case). File a patch! =) -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 07:57:00PM +0100, Chris Withers wrote: Martijn Pieters wrote: So what was causing the original error then? Buggy client? If so, surely Zope should just return an Unauthorized error rather than exposing its internals?! If you're a server and the client is buggy, tell it so, but don't look like you just screwed up really badly ;-) I disagree. The client used is bad, this kind of error doesn't show often and serves a purpose here; fix the client! -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Incorrect Padding?
On Mon, Jul 24, 2000 at 08:56:54PM +0100, Steve Alexander wrote: I've attached a patch to lib/python/AccessControl/User.py. If there are no suggestions of improvements, or complaints :-) I'll stick it into the Collector. I looked over the RFC, and Bad Request seems to be the best response code. Agreed. *** lib/python/AccessControl/User.py.original Mon Jul 24 20:31:40 2000 --- lib/python/AccessControl/User.py Mon Jul 24 20:51:33 2000 *** *** 438,444 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! name,password=tuple(split(decodestring(split(auth)[-1]), ':', 1)) # Check for superuser super=self._super --- 438,451 # Only do basic authentication if lower(auth[:6])!='basic ': return None ! try: ! name,password=\ ! tuple(split(decodestring(split(auth)[-1]), ':', 1)) ! except: # not a proper basic auth string ! request.response.setStatus(400) ! raise 'InternalError', request.response._error_html( ! "Internal Error", ! "Zope could not understand the Basic Authentication supplied.") # Check for superuser super=self._super Would it be a good idea to add the header? And let's make that a less generic except clause, we don't want to mask Zope bugs =) -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ZCatalog and ZSearch Interface
On Thu, Aug 03, 2000 at 04:07:31PM +0100, Chris Withers wrote: D'Oh! Here's the file... Chris --- ZCatalog.py.old Thu Aug 3 15:17:05 2000 +++ ZCatalog.py Thu Aug 3 15:21:25 2000 @@ -392,7 +392,7 @@ def _searchable_result_columns(self): r = [] -for name in self._catalog.indexes.keys(): +for name in self._catalog.schema.keys(): i = {} i['name'] = name i['type'] = 's' I filed this last year October as: http://classic.zope.org:8080/Collector/765/view -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Weird Data.fs corruption... zope-dev@zope.org
On Wed, Aug 09, 2000 at 10:56:44PM +0200, Dieter Maurer wrote: Martijn Pieters writes: Ai, NFS! There is a known no-no about using NFS for Data.fs storage, it leads to data corruptions. Zope and NFS do not mix. Huch, why that? I use Data.fs (occasionally) over NFS and did not yet have had problems. And appending to a file should work over NFS. Locking may be a bit more problematic, but this is not an issue provided I ensure that only on Zope process runs at a time. I don't know the details, but IIRC there are bugs and general design problems that make NFS and Zope clash. Corruption is a matter of time, we discourage people using it. Search the mailinglist archives or wait for someone else to back me up on this :). -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Acquisition in a DTML Tag
On Tue, Sep 12, 2000 at 10:57:57AM -0700, Brett Carter wrote: "Shane" == Shane Hathaway [EMAIL PROTECTED] writes: Shane Brett Carter wrote: "Brett" == Brett Carter [EMAIL PROTECTED] writes: Brett I've defined my own dtml tag (i.e. dtml-foo/dtml-foo) Brett and I am trying to look up an object depending on the Brett arguments passed to my tag. The python class that defines Brett the tag inherits from Acquisition.Implicit, but 'self' Brett doesn't contain any of the Acquisition hiarchy. It seems Brett like this must be possible, since the dtml-var tag must Brett have to do an object lookup somewhere for objects passed to Brett it to render. Can anybody shed some light on this? Is it Brett doable? TIA -Brett Ok, So after some *major* hacking, i've realized that the 'md' passed into the render() method of my dtml tag contains the namespace, and is of type 'TemplateDict' which appears to contain a stack of 'MultiMapping's. Weird. Well, anyways, I just used the 'has_key' and 'getitem' methods to lookup my item. The question now is how do I create a new object in the current namespace? It looks like the TemplateDict is a read-only type of data structure. Anybody? TIA -Brett Shane Look at render() of DT_With.py. It does an Shane md._push(mapping containing new names) then, in a Shane try/finally clause, calls DT_Util.render_blocks(). In the Shane finally clause, it does md._pop(). Shane Shane I'm still confused. Ok, so render gets passed 'md', which is a TemplateDict, which contains a MultiMapping, which looks like a stack of dictionaries, which I am guessing is some sort of namespace stack. So looking at the DT_with.py, it looks like, to create an object in the current namespace, I have to wrap it in an InstanceDict, and push it onto the 'md' using 'md._push'. Does this also cause the new object to be saved in the ZODB? Or do I have to manually add it there too? Also, what does render_blocks do? Why does DT_with.py's render() return it? Do I have to run render_blocks() to insert my new object into the namespace? TIA There are two seperate things here: The namespace, and the ZODB. I am assuming you want to add an object to the ZODB. The namespace reflects, amongst others, the attributes on the current object, and if it inherits from Acquisition.Implicit, the rest of the ZODB contents. You can add additional lookup objects to that stack, and anything using the namespace can then access those extra attributes. (render_blocks() is just a call to render all DTML contained within the with tag, and the with tag then removes all additions to the namespace again with md._pop() at the end.) If you want to manipulate the ZODB, you can just take a reference to the object you want to manipulate (add subobjects to), and add these directly as attributes. Or better still, if the object inherits from ObjectManager (like a Folder), use the ObjectManager API to add objects. If the subobjects in question are standard Zope objects, use the Class Factory API that the 'Add' list in the management interface uses. Important to remember is here that the namespace only gives you access to the objetcs. Adding to the namespace only gives you a larger namespace, which only has meaning in the context of the current DTML code tree. If you want to manipulate the ZODB contained objects, manipulate them directly. -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Custom dtml tag
On Tue, Sep 12, 2000 at 09:26:49AM -0700, Andy McKay wrote: Hmm well ive found i have TemplateDict object and of course my self. Perhaps there is a pythonism I have to research here. - Original Message - From: "Andy McKay" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, September 11, 2000 4:03 PM Subject: [Zope-dev] Custom dtml tag Im playing with a custom dtml-tag along the lines of dtm-query foo constructs a url to a catalog query. It works fine, I would just like to extend it a bit and for this I would need to get to the calling object. For example, there will be a different query depending upon the object the dtml-query tag is contained in. Does this make sense, does anyone know the answer? Thanks in advance. -- Andy McKay, Developer. ActiveState. The namespace just reflects the attributes of the current object, plus whatever other tags push onto that stack (such as the in tag, which pushes the current element of the list it iterates over on top). If you retrieve the 'this' method from the stack, and call it, it'll return the topmost object on the stack. It is implemented in SimpleItem.Item: def this(self): # Handy way to talk to ourselves in document templates. return self -- Martijn Pieters | Software Engineermailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ | ZopeStudio: http://www.zope.org/Products/ZopeStudio - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Please help - Persistent dictionary keys
On Thu, Sep 21, 2000 at 08:00:29AM -0500, John D. Heintz wrote: Thanks for the reply Martijn, I do want the objects of Test2 class to be compared by identity, like I'm assuming Test1 objects are. If I have to define __cmp__ and __hash__ then I will basically be making them up because the object in question are mutable - except for their identity. I don't think that in this case __cmp__ has to be implemented; you just use the default behaviour of object identity comparison. All you need to do is then implent a __hash__() method that will return a 32-bit integer that is unique to the object. You could base this on repr(self). Why do the Python class instances naturally act as dictionary keys while the ExtensionClass instances don't? ExtensionClasses pretend to be Python classes, but are not succeeding everywhere. I am not that deeply knowledgable about Extension Classes, so I cannot tell you why exactly you see this difference. Martijn Pieters wrote: From the Python Library Reference: """A dictionary's keys are almost arbitrary values. The only types of values not acceptable as keys are values containing lists or dictionaries or other mutable types that are compared by value rather than by object identity.""" ... So, if you want to be able to use a Persistent based object as keys to a dictionary, implement __cmp__ and __hash__ methods on that class: import ZODB from Persistence import Persistent class Test1: ... pass ... class Test2(Persistent): ... def __cmp__(self): return 1 ... def __hash__(self): return 1 ... dict = {} t1 = Test1() t2 = Test2() dict[t1] = 1 dict[t2] = 2 dict {Test2 instance at 80b3aa0: 2, __main__.Test1 instance at 80a3e78: 1} -- John D. Heintz DataChannel, Inc. Senior Engineer 512-633-1198 [EMAIL PROTECTED] -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Pending bugs in collector - how do I send this patch?
On Mon, Dec 11, 2000 at 03:16:51PM -0500, Brad Clements wrote: I have found a bug in ZSQL methods that is describe by this collector item: http://classic.zope.org:8080/Collector/718/view This item was posted over a year ago! The bug is still in the program, so I'm guessing that DC folks are too busy to get to this. Hi Brad, That looks like a damn good catch! The best thing you can do is create a new Collector entry and just say that this is a fix to collector item 718. This way your fix will not be overlooked so easily. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] POST METHOD
On Tue, Dec 19, 2000 at 06:44:35PM -0200, Anderson Ami wrote: Is there a data limit if I am using the POST method ?I have been doing a form that has some input fields, when I do the post I receive a Zope Error The Zope donĀ“t get one form field, but this one exists). Some older browsers have a limit to the amount of data they send in a request, usually around 64k. On the other hand, you may want to examine what is actually in the REQUEST object. You can view the contents by including the REQUEST object in your page: dtml-var REQUEST -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Performance enhancements, ZCatalog
On Wed, Dec 20, 2000 at 12:56:36AM +, Jason Spisak wrote: ZCatalog enthusiasts, I just upgraded our zope installation from 2.1.6 to 2.2.4, and the ZCatalog performance is aweful. Can someone remind me what the command for speeding up python on a dual processor machine is? python -T? I'm looking for any way to speed this up. I have a text index with 47,000 objects and a search takes about 15-18 seconds, hardly what we were used to. It used to be 2 second tops. That's z2.py -i: -i n Set the interpreter check interval. This integer value determines how often the interpreter checks for periodic things such as thread switches and signal handlers. The Zope default is 120, but you may want to experiment with other values that may increase performance in your particular environment. Increase or decrease the number n and play with ab or some other load testing tool -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] HiperDom-0.4.0-DC released
Hi all, I created a special release of HiperDom 0.4.0 (versioned as 0.4.0-DC), with fixes and additional features. This release is ment for experimentation with new features added by Digital Creations, and we'd appreciate feedback on these. The README attached to this email lists all differences. You can download the release from: http://www.zope.org/Members/mj/HiperDom Note that all fixes to HiperDom problems have been checked into the HiperDom CVS tree, a future release of HiperDom will include these fixes. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - This is the Digital Creations' release of HiperDom 0.4.0. Differences with the Hiperlogica release are listed below. This release depends on Zope 2.2.5 for correct XHTML output of base and image tags. This release is ment for experimentation with new features added by Digital Creations. HiperDom is a new template system for Zope, based on XML and DOM. It depends on the PyXML library, version 0.6 or newer. Consult the HelpSys for info on using HiperDom Templates. The "official" HiperDom homepage is at http://www.zope.org/Members/lalo/HiperDom where you will also find the HiperDom Wiki (the "official" place for discussion, bug reporting and embrionary documentation). Discussion about the development of HiperDom takes place on the "HiperDom Wiki":http://dev.zope.org/Wikis/DevSite/Projects/HiperDom. Differences with the Hiperlogica 0.4.0 release: - The calling interface has been refactored; HiperDom templates now behave exactly like DTML Documents. This fixes the trailing slash problem in base tags inserted into XHTML documents. - Inclusion of non-callable objects (like Image objects) has been fixed. - Names can now also be paths, so you can include references to objects normally not in the acquisition path. Example:: div hdom:text="images/header.gif" / - XHTML output of empty elements will include an extra space before the slash to ensure compatibility with older browsers. - A new directive, 'call', allows calling of objects without including their return values. This is especially suitable for methods that manipulate the RESPONSE headers or have other side-effects. - A new directive, 'include', allows inclusion of other HiperDom templates into the DOM at render time. - The DataObject object is not included in this release. - Some non-relevant files have not been included (exemplo_pt.html and HiperDom.latte). Issues with this release can be listed on the "ImplementationIssues page":http://dev.zope.org/Wikis/DevSite/Projects/HiperDom/ImplementationIssues. Feedback is greatly appreciated!
Re: [Zope-dev] Acquisition wishlist :-)
On Thu, Jan 04, 2001 at 10:46:35AM +, Chris Withers wrote: Dieter Maurer wrote: acquisition.donotacquire('index_html') This would be great. Indeed :-) class MyClass (Acquisition.Explicit): acquisition = ClassAcquisitionInfo() acquisition.acquire('index_html') acquisition.acquire('fred') You already can do that, though with a different syntax (I would need to search for in the documentation). You may mean that if x is an Acquisition.Explicit object, you can do: x.aq_acquire('your_attribute') (syntax may be wrong ;-) What I meant is that through a declaration in the class you could saying acquire the 'your_attribute' attribute but nothing else. So, you could still do: x.your_attribute ...which would be acquired, but... x.index_html ...which wouldn't be acquired. You could use ComputedAttribute for that: class MyClass(Acquisition.Explicit): # The following attribute is acquired transparently def _acquired_your_attribute(self): return self.aq_acquire('your_attribute') your_attribute = ComputedAttribute(_acquired_your_attribute, 1) # index_html isn't index_html = None Or you could define a __getattr__ that does a lookup in a list for explicetly acquired attributes: _acquired = ('index_html', 'fred') def __getitem__(self, key): if key in self._acquired: return self.aq_acquire(key) raise AttributeError, name -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: ComputedAttribute
On Fri, Jan 05, 2001 at 12:22:32PM +, Chris Withers wrote: Martijn Pieters wrote: You could use ComputedAttribute for that: class MyClass(Acquisition.Explicit): # The following attribute is acquired transparently def _acquired_your_attribute(self): return self.aq_acquire('your_attribute') your_attribute =ComputedAttribute(_acquired_your_attribute, 1) # index_html isn't index_html = None That looks cool :-) Where's it documented? what does the 1 mean? Erm. The ExtensionClass.stx documentation hints at a ComputedAttribute class (but as an example of how you could use an ExtensionClass). The current C implementation of ComputedAttribute is not, as far as I can see, documented. As for the '1', the CVS log has the following to say on that: Added second "level" argument for computed attributes. This makes it easier to create computed attributes that work with acquisition. Normally, computed attributes are called with unwrapped objects. Passing a level of 1, causes computed attributes to be called with one level of wrapping. Note that the innermost (single) level of wrapping typically reflects a containment context with any extra access contexts stripped off. As I understand it, it makes self.aq_acquire possible. See also: http://cvs.zope.org/Zope2/lib/Components/ExtensionClass/ComputedAttribute.c -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Acquisition wishlist :-)
On Mon, Jan 08, 2001 at 10:10:34AM +, Chris Withers wrote: Dieter Maurer wrote: Chris Withers writes: And I suppose the other part of my wishlist: class MyClass(Acquisition.Implicit): # your_attribute will be acquied # index_html won't index_html = None No, that is not enough! As a side effect to turn off acquisition, you defined the attribute. This will not play well with inheritance: You will not only prevent acquisition of "index_html" but also prevent inheritance of it (which may be really necessary in some contexts). I'm pretty sure inheritence takes precedence over Acquisition. You wouldn't need to have index_html = None if it is inherited, since the inherited idnex_html would be used before one is acquired, surely? Yup. If you don't want to have any index_html *at all*, just declare it index_html = None. DTML Methods and HiperDom templates do this as well, for example. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Acquisition wishlist :-)
On Mon, Jan 08, 2001 at 10:38:22PM +0100, Dieter Maurer wrote: Martijn Pieters writes: On Mon, Jan 08, 2001 at 10:10:34AM +, Chris Withers wrote: You wouldn't need to have index_html = None if it is inherited, since the inherited idnex_html would be used before one is acquired, surely? Yup. If you don't want to have any index_html *at all*, just declare it index_html = None. DTML Methods and HiperDom templates do this as well, for example. You have an "index_html" and its value is "None". If you use this class with another class that has a useful "index_html", you must care for the inheritance order to get the right on. Of course, but you always have to. index_html in any class could be anything. You could even override the inherited 'index_html = None' with 'index_html = Acquisition.Acquire'. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
On Mon, Jan 08, 2001 at 11:19:36AM -0500, Jason Cunliffe wrote: The need to improve the manage interface has grown urgently clear to me while using Zope myself, designing for all sorts of community and collaborative Zope-based projects, demos for a number of innocent bystanders, interested parties and potential clients. Zope 'manage' is plain primitive at present. Considering the power of Zope, and the real workflow needs of people working with it, imho this present lack of thoughtful user interface makes no sense. By ignoring these basics, Zope is neglecting a #1 self-promotion opportunity - how it runs out of the box, and how quickly one can use it as site-planning/design tool.It is quite unproductive now compared to what it could/should be. I am looking for real help here on how best to improve this... Here is a list of features I believe should be default manage screen behavior now. Please submit your comments and improvements to these improvements: KISS For those who do not want any added features, there should be an option in z2.py or as a manage_config DTML method in "/" or anywhere else in the tree to enable or disable 'advanced manage' features. --- 1. SORT TABLE 'manage' needs to presented with basic column listings so one can display sort by headings. I am not sure if this turns into a CatalogAware Inferno or whether all this info is already hidden in the ZODB and could be extracted adn cached sensibly and quickly. What do you think? For example some headings I see a real need for: NAME [default now], DATE[created, last modified] SIZE, TYPE[meta-type], USER[default=owner], DEPTH, COUNT, CHANGES, PROPERTY, DISPLAY The created date is not available in the ZODB. Depth I rather not use; you don't want to wake up a huge subtree (like the Zope.org Members folder) when determining the depth of a tree. There has been some discussion about using the 'title' attribute of HTML tags to add additional mouse-over visible information to objects, I think a lot of the information fields you describe may have a place in that field (and not clutter up the view). SNIP How easy hard is the above to do? Has it already bee done? What techniques/components exists already to make it happen? What need to be developed? How does this affect Zope core? What woudl you like to see when you click on manage? What would you lceints liek to see? If you check out Zope 2.3 from CVS now, you'll see that a great many changes have been made to the Zope Management Interface, included some of the changes you listed, like sorting. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
On Mon, Jan 08, 2001 at 12:18:37PM -0500, Mohan Baro wrote: Are you planning a manage_install for products? The ability for superusers to install complelte products directly through the management interface, no need for ftp. similar to import/export feature I hope not! Anyone gaining management access to your Zope server will be able to install arbitrary products on your server and gain access to the file system. There is a strict dividing line between the file system and the ZMI, allowing installation through the web interface will cross that line with one giant step. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: ComputedAttribute
On Wed, Jan 10, 2001 at 04:13:49PM +, Chris Withers wrote: Martijn Pieters wrote: Erm. The ExtensionClass.stx documentation hints at a ComputedAttribute class (but as an example of how you could use an ExtensionClass). The current C implementation of ComputedAttribute is not, as far as I can see, documented. Now I think I know the answer to this one, but I'll ask just to be sure: class MyClass(Persistent Acquisition.Explicit): def _set_your_attribute (self,value): self._v_your_attribute = value def _get_your_attribute (self): return self._v_your_attribute your_attribute = ComputedAttribute(_get_your_attribute) ...with this class, your_attribute isn't going to play in Persistence, is it? (so I can update it lots without worrying about ZODB size growing... :-) Yup, this allows you to alias your_attribute to _v_your_attribute without creating an attribute that *will* persist in the process. Hmm... more questions: If I do: x = MyClass() x.your_attribute = 1 ...what happens? your_attribute is set to one instead of the ComputedAttribute instance and concequently persisted. If you want _set_your_attribute to be called, you need to override __setattr__: def __setattr__(self, name, value): setter = getattr(self, '_set_' + name, None) if setter: setter(value) else: raise AttributeError, "no such attribute: " + `name` Where do you import the ComputedAttribute module from? from ComputedAttribute import ComputedAttribute -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: ComputedAttribute
On Wed, Jan 10, 2001 at 05:07:07PM +, Chris Withers wrote: If you want _set_your_attribute to be called, you need to override __setattr__: def __setattr__(self, name, value): setter = getattr(self, '_set_' + name, None) if setter: setter(value) else: raise AttributeError, "no such attribute: " + `name` Hmmm... how would you change this to call the __setattr__ that was there before you overrode it, if a setter could not be found? The same way you call any overridden method, by calling it on the class you inherit it from. So: class Foo: def __setattr__(self, name, value): # Whatever pass class Bar(Foo): def __setattr__(self, name, value): Foo.__setattr__(self, name, value) # More whatever -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: ComputedAttribute
On Wed, Jan 10, 2001 at 11:09:43PM +0100, Dieter Maurer wrote: Chris Withers writes: Now I think I know the answer to this one, but I'll ask just to be sure: class MyClass(Persistent Acquisition.Explicit): def _set_your_attribute (self,value): self._v_your_attribute = value def _get_your_attribute (self): return self._v_your_attribute your_attribute = ComputedAttribute(_get_your_attribute) with this class, your_attribute isn't going to play in Persistence, is it? (so I can update it lots without worrying about ZODB size growing... :-) But, as I understand it, it is only updated in the thread that did the update. Your next request may get a different thread and see a different value. Indeed, only persistent variables are shared between threads (and globals of course, which creates a need for some kind of protection). -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: ComputedAttribute
On Wed, Jan 10, 2001 at 11:37:55PM -, Chris Withers wrote: Chris Withers writes: with this class, your_attribute isn't going to play in Persistence, is it? (so I can update it lots without worrying about ZODB size growing... :-) But, as I understand it, it is only updated in the thread that did the update. Your next request may get a different thread and see a different value. Huh? If I change self._v_your_attribute it's only going to get updated in one thread? That's a bit sucky :-S Doesn't matter in this _particular_ case 'cos this var gets set at the start of every request, but I'm a bit concerned about its general use... any help is good help :-) The whole threading spiel in Zope works because of ZODB persistence; any thread accessing an object whose variables have been changed has to retry with a fresh copy from the ODB. But because _v_* variables don't get pickled, another thread will never see them. If you want non-persisting (volatile) variables shared between threads, you'll have to devise your own mechanism for assuring the thread-safety of those variables. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] first zope-2.3.0a2 bug :-)
On Thu, Jan 11, 2001 at 11:54:04AM +0400, Jephte CLAIN wrote: well, this one is easy. 8-- --- lib/python/Shared/DC/ZRDB/Aqueduct.py.origThu Jan 11 10:59:42 2001 +++ lib/python/Shared/DC/ZRDB/Aqueduct.py Thu Jan 11 10:58:01 2001 @@ -272,7 +272,7 @@ custom_default_report_src=DocumentTemplate.File( -os.path.join(dtml_dir,'customDefaultReport.dtml')) +os.path.join(dtml_dir,'dtml/customDefaultReport.dtml')) def custom_default_report(id, result, action='', no_table=0, goofy=regex.compile('[^a-zA-Z0-9_]').search 8-- Bingo. I checked this one in, and another for the new CatalogPathAwareness mixin. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] _v_ variables
On Thu, Jan 11, 2001 at 10:26:18AM +, Chris Withers wrote: Martijn Pieters wrote: But because _v_* variables don't get pickled, another thread will never see them. Hmm, is there any situation where a single request can be handled by more than one thread? Nope. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope] Found an fatal error in Zope 2.3.0 :)
On Wed, Jan 31, 2001 at 12:59:55PM +0100, Radek Hnilica wrote: Hello all, While trying to debianize, compile and install new zope 2.3.0 I found that file z2.py doesn't contain necesary first line. I look to previous version 2.2.4 and there it is. #!/usr/bin/env python The source was taken from zope.org. I'v also look at CVS and there it's missing to. The line has been added by the maintainer of the Debian package of Zope, Gregor Hoffleit. The line was never there in Zope CVS. Zope binary and source distributions use a shell script called 'start' to run z2.py with the python interpreter. Read the documentation that comes with the source distribution. You can of course always add the line yourself. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Profiling Products
On Wed, Feb 07, 2001 at 04:04:24PM +, Andy Dawkins wrote: I have a desire to be able to profile my Python Product so that I can benefit from the advantages of profiling. Has anybody done this? Does anybody know how to do this? I have tried profiling Z2.py but of course that doesn't drop down to the level of the python product (Possibly running in a different thread - or something :( ) Have a look at: Control Panel - Debug Information. There is a 'Profiling' tab that explains what you have to do to switch it on. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ThreadSafeCounter 0.0.1 released
On Mon, Feb 12, 2001 at 01:31:04AM +0100, Morten W. Petersen wrote: As I've understood it, two threads serving requests have a copy each of the database, and only when changes are committed are they reflected in the database. Therefore, two requests created at the same time could get an identical copy and therefore and identical value. The ZODB will invalidate and force a retry on one of the connections. Chris's code is threadsafe and will result in unique, sequential values. See the ZODB UML documentation for details: http://www.zope.org/Documentation/Developer/Models/ZODB/ -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ThreadSafeCounter 0.0.1 released
On Mon, Feb 12, 2001 at 02:27:24PM +, Toby Dickenson wrote: On Mon, 12 Feb 2001 10:27:02 +0100, Martijn Pieters [EMAIL PROTECTED] wrote: The ZODB will invalidate and force a retry on one of the connections. Chris's code is threadsafe and will result in unique, sequential values. ** Unless a transaction gets retried for some other reason, when it will appear to skip a value. To one thread, yes. But not to the whole application. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Unindex_Object, bug (Again)
On Tue, Feb 20, 2001 at 01:38:26PM +, Chris Withers wrote: Steve Alexander wrote: Can we please get rid of it this time?? Do I need to submit anything to the collector for this to happen? It is already fixed in 2.3 from public CVS. But, ominously, not in the 2.3.1b1 release ;-) Probably because the fix was checked in *after* the 2.3.1b1 release. Steve was pointing out tthat the fix is on the 2.3 branch, which means it will be in the next 2.3 series release (likely to be 2.3.1). -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Editing DTML Documents
On Tue, Feb 20, 2001 at 03:54:29PM +0100, Philipp von Weitershausen wrote: Hi there, Is there an efficient way to use an external editor to edit DTML Documents? Some people in my homepage group are tired of the ZMI and I can understand them, especially because of a lack of syntax highlighting. There is the possibility of copy'n'paste and upload again, but that's ugly. I also read that development on the Mozilla-based management tool is not continued. (That's sad, BTW...) Could I use WebDAV (don't have any experience with it) to retrieve and save the DTML source? If so, is there a good HTML source code editor (don't want WYSIWYG!) for Windows or Linux supporting WebDAV? Any suggestions welcome! You can use HTMLKit: http://www.chami.com/html-kit It supports FTP better than any other Windows tool I know; it can optionally open files without an extension inside itself. This is a god-sent for DTML objects like standard_html_header. There aren't any WebDAV enabled editors I know of that actually make use of the added functionality of WebDAV server; they treat it like any other FTP server. The only exception is Adobe GoLive 5; it uses WebDAV properties and locking extensively; but you said No WYSIWYG.. :) -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] manage_main select ... / don't work with Mozilla
On Thu, Mar 15, 2001 at 08:32:14AM -0700, Casey Duncan wrote: Cyril Elkaim wrote: Hi, The last builds of Mozilla do not accept anymore this kind of HTML tags: select / I have discuss with Moz developers and they say it's not in the standard. So now we must use something like select All the other tags must follow the same syntax, of course. The problem with the management interface of Zope is it uses '/' in many places. So it's not possible to use Moz for creating new objects for example. So should it be possible to do something about it :-) Cyril So then Mozilla doesn't support XHTML?? That is where that whole trailing slash convention is coming from. Hmm.. I am not sure if the Mozilla people are interpreting this right. The XHTML spec does say that tags that must have a seperate closing tag according to the HTML spec (they are not empty, they just don't have content), are best rendered in XHTML with a closing tag as well. But, wether or not the Mozilla browser is right in rejecting select / and p /, if the Zope DTML contains such tags, we are not following the XHTML recommendation and I consider that as a bug. Could you someone file a Collector issue? -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ZPT trials and tribulations
On Fri, Mar 16, 2001 at 04:59:16PM -, Phil Harris wrote: All, I'm in the process of trying out the ZPT stuff(thanks to Duncan Booth for the win32 stuff). Anyway up, It's all going according to plan but I have a few issues, maybe someone has a better idea than me what's wrong here. code starts here ?xml version="1.0" ? html xmlns:tal="http://xml.zope.org/namespaces/tal" xmlns:metal="http://xml.zope.org/namespaces/metal" head title tal:insert="here/title"The title/title /head body h2 tal:insert="here/title_or_id"the title/h2 div tal:define="ui python:container.userInfo()" b tal:replace="python:ui['dn']"crap/b b tal:replace="python:ui['sn']"crap/b b tal:replace="python:ui['cn']"crap/b /div hr / a href="index_html"click here to refresh/a /body /html /code ends here The problem is that I'm getting a traceback (I won't bore you with the details unless I have to) to the effect of 'ui' being unknown. If I replace the 'div' in the code above with: b tal:replace="python:container.userInfo()['dn']"crap/b b tal:replace="python:container.userInfo()['sn']"crap/b b tal:replace="python:container.userInfo()['cn']"crap/b then all works according to design, but with a lot more overhead. btw, the userInfo method returns a dictionary of LDAP information, it works in all other contexts, so I don't think the problem is there. As Ethan said, the release you are using doesn't yet support access to defined variables in python. Instead, try the following: div tal:define="ui python:container.userInfo()" b tal:replace="ui/dn"crap/b b tal:replace="ui/sn"crap/b b tal:replace="ui/cn"crap/b /div It will be much more readable, and it removes a layer of interpretation too. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] INSTANCE_HOME vs. SOFTWARE_HOME
On Sun, Mar 18, 2001 at 10:18:52PM +0100, Morten W. Petersen wrote: Hi guys, some people have asked me to use INSTANCE_HOME instead of SOFTWARE_HOME, which breaks their products on debian distros. Now, I'm not sure that won't break other systems if I change it; anyone care to share? What are you using the variable for? If you want to reach the var, import or Extensions directories, use INSTANCE_HOME, if you want to reach a Products directory, use both variables. On Debian systems, Zope is by default installed as a seperate INSTANCE_HOME and SOFTWARE_HOME system. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] z2.py and environment variables
On Wed, Mar 21, 2001 at 03:14:33PM +0100, Dario Lopez-K?sten wrote: I am trying to understand how z2.py and enviroments variables work, so = that I can have complete control of how I start Zope. = I-am-not-a-Python-programmer-yet, so I apologise in advance if the = question is a stupid one. Given the possibility to use INSTANCE_HOME etc, can I override most of = the uppercase variables defined in z2.py by setting and exporting them = in my /bin/sh script or are the only "overridable" variables the ones = defined and used in=20 lib/python/App/FindHomes.py? My guess would be the ones in FindHomes.py, as calls like=20 try: home=3Dos.environ['SOFTWARE_HOME'] seems to have something to do with it :-) You can override them by setting environment variables. For a specific example where INSTANCE_HOME is set see: http://www.zope.org/Members/4am/instancehome -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ZEO question.
On Fri, Mar 23, 2001 at 10:23:23AM +, Chris Withers wrote: Firstup, a quickie, where's the ZEO list gone? http://lists.python.org/mailman/listinfo/Zope-ZEO ...gives me: No such list zope-zeo It was renamed ZODB-Dev somewhere last month: http://lists.python.org/mailman/listinfo/ZODB-Dev -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Zope 2.3.1b3 problem
On Mon, Mar 26, 2001 at 10:49:47AM +0100, Andy Dawkins wrote: Phil Harris wrote: Andy, Try print container.getId() return printed hth Phil That doesn't work either. Prehaps I should have been more specific. Generally _any_ calls on the container result in this error. I used 'container.id' because this is the simplist one to reproduce. In actual place where I am having this problem is where the container is a foldish product writen by NIP. But the fact that it is reproducable with the standard Zope Folder shows that something is fubar. I suspect the way container is implemented in PythonScript but I (personnaly) don't want to jump in that peice of code unless absolutely necersary. I'd file this in the Collector, I have seen another problem with Python Scripts that seems related on the lists somewhere, I think something changed out from under Ethan's feet.. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [ZWeb] 'All Hotfixes' page (was Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6)
On Thu, Mar 29, 2001 at 03:15:26PM +0200, Gregor Hoffleit wrote: On Thu, Mar 29, 2001 at 02:34:47PM +0200, Gregor Hoffleit wrote: I had read the start of the README (like you wrote: 'Zope versions up to and including Zope 2.2.2.'), but I had quoted and paragraph that indeed implied an answer to my question ('will work for all versions of Zope 2.2.0 and higher.'). A last word on this: http://www.zope.org/Products/Zope/hotfixes is really a mess and very hard to read. Would it be possible to redesign that page so that it's more obvious which Hotfixes apply to which version. Currently the page is so flat that it's even hard to tell which paragraph applies to which Hotfix. Have a look at http://www.zope.org/Products/Zope/hotfixes, I think it is exactly what you need. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [ZWeb] 'All Hotfixes' page (was Re: [Zope-dev] Problem with Hotfix 2000-10-11 on 2.1.6)
On Thu, Mar 29, 2001 at 01:27:08PM -0500, Shane Hathaway wrote: Have a look at http://www.zope.org/Products/Zope/hotfixes, I think it is exactly what you need. Huh? You repeated the URL he supplied... and I'd like to know if there is indeed a better URL. Duh. Copy, paste, send. Who cares about editing the URL. :0 The correct URL is: http://www.zope.org/Products/Zope -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] RE: [Zope] REQUIRING Python 2.1??
On Fri, Apr 13, 2001 at 12:10:52PM -0400, anser wrote: You may have more than one Python installation on a machine. This in no way forces you to move "all of your applications" to 2.1. The binary releases in particular make this drop-dead easy; they come with a bundled Python, and do not affect any other Python you may have in any way. right, but by the same token the binary releases won't require special warnings to people about upgrading to 2.1. We made no such warnings. We warn people that follow the bleeding-edge head of the trunk taht we will be switching soon. And note that Zope is a pretty diverse community - just because i18n is not very important to _you_ does not mean it is not important. There are plenty who consider it hugely significant, and who are at least as perturbed that we _haven't_ done this yet. The question is not whether i18n ought to be done, but whether you ought to require upgrading to Py 2.1 to achieve it. Yes, we will require 2.1 to do that, because Unicode support in 1.5.2 is not by far adequate for our needs. The pain of trying to support our own Unicode libraries is too great to justify keeping to support 1.5.2. THis is apart from the other advantages that Python 2.1 offers. On the basis of prior performance I do not expect this objection to make any difference in what DC does, but I needed to express it anyway. You may find that making your objections in a less inflammatory way will give them more impact. I do not know how one would measure "impact" in order to test this proposition. If "impact" means changing DC policy or software in any way, then I suspect as previously stated that hearts+flowers wouldn't get it done either. If "impact" means that the question would get a response, well, this thread's existence may be a counterexample. What I do know is that requiring an upgrade to a not-yet-gold Py release as a prerequisite to the next Zope release is unwise software policy. That is not the policy. The Zope 2.4 release will require 2.1, and development of that release will start *after* Python 2.1 goes gold. This is clearly stated in the linked documents in the warning email. The next stable release may very well (very probably) be a 2.3.3 release. Which will still be a Python 1.5.2 release. I have the idea that you think that either the 2.3.x line will switch to Python 2.1 now (and 2.3.3 is to be released soon) or that no more development on the 2.3.x line will occur. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Zope cut paste behaviour
On Sat, Apr 14, 2001 at 04:37:26PM +0200, Ivo van der Wijk wrote: Hmm - we can't just set it to '/', because some people have multiple Zope instances mapped to a domain (ex: my.com/foo/ and my.com/bar/ are aliased to two different Zope instances). I think what we need to do is figure out the "virtual" root url and set the cookie with that path. This sounds difficult. Wouldn't it be easier to use some sort of unique zope instance id (if none exists: something like the hostname + port the zope is running on) and use this in the clipboards cookie name? No, it's quite easy, the REQUEST object has several variables that take care of this (like REQUEST.BASEPATH1). Note that cookies are already bound to a particular hostname and port number, you can at most make them bind to a domain name instead, but this in not the default behaviour. And it wouldn't solve the problem in this situation. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: RackImage
On Mon, Apr 16, 2001 at 06:37:57PM -0700, Charlie Blanchard wrote: On Tue, Apr 17, 2001 at 11:11:33AM +1000, Itai Tavor wrote: [...] Here it is. Hope any of it is any help. My Mutt emailer calls the .tgz file a mac-binhex and none of the usual utilities recognize it as .tgz formatted. Anyone else have the same problem? What's the magic key to decode this attachment? Mr. Bernstein had packaged up the file as a gzipped tarball indeed, but then his mailer must've wrapped it up in a BinHex wrapper. I happened to have megatron installed (the excellent mac fileformat converter part of the netatalk package, more info at http://rsug.itd.umich.edu/~tombeau/netatalk/) and I pealed of all the layers. I attached a gzipped copy of the file (no tarbal needed, it is only one file after all). Hope this helps! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - Photo.py.gz
Re: [Zope-dev] WebDAV locking module?
On Thu, Apr 19, 2001 at 09:43:02AM +1000, [EMAIL PROTECTED] wrote: Colour me confused... I just downloaded the 2.3.2 beta tarball and tried to run our application against it. It appears that the locking module (webdav.Lockable) is missing from webdav. We develop against the CVS, and the file is there. It has been since 2.3.1 CVS - though the 2.3.1 tarball doesn't seem to have the module either... No it hasn't. It is in the trunk CVS, the 2.3 branch does not have the WebDAV locks feature. Are you sure your CVS checkout is a branch checkout? -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] CVS trunk vs 2.3 branch (Was: WebDAV locking module?)
On Fri, Apr 20, 2001 at 08:49:12AM +1000, [EMAIL PROTECTED] wrote: I checkout the source using the command on the zope web site: % cvs -d :pserver:[EMAIL PROTECTED]:/cvs-repository login % cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository checkout Zope2 What's this branch you speak of? That is the trunk, the main line on the CVS server, that you are checking out. Once a Zope second-dot version goes gold, however, it gets it's own release branch, onto which we only check in bug fixes and very small features (if they are of direct benefit). So, the Zope 2.3 series has its own branch, called zope-2_3-branch. To check out from that branch, add '-d zope-2_3-branch' to your checkout command (I use the short 'co' for it): % cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository co -d zope-2_3-branch Zope2 Or you can switch an existing CVS sandbox to that tree by using the update command ('up' is the short version) in the root directory of the sandbox: % cvs -z7 up -d zope-2_3-branch Don't forget to recompile the extensions! Especially if you are using the sandbox for production systems, or development ment for production systems, you really want to avoid using the trunk! We will *very* soon be switching the trunk to requiring Python 2.1, and as you discovered, new features in the trunk will not be found in current releases. That's why we use this system.. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] CVS trunk vs 2.3 branch (Was: WebDAV locking module?)
On Fri, Apr 20, 2001 at 07:43:54AM +0200, Martijn Pieters wrote: So, the Zope 2.3 series has its own branch, called zope-2_3-branch. To check out from that branch, add '-d zope-2_3-branch' to your checkout command (I use the short 'co' for it): % cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository co -d zope-2_3-branch Zope2 Or you can switch an existing CVS sandbox to that tree by using the update command ('up' is the short version) in the root directory of the sandbox: % cvs -z7 up -d zope-2_3-branch Don't forget to recompile the extensions! Whoops, wrong switch to cvs in this email. The commands should be: % cvs -z7 -d :pserver:[EMAIL PROTECTED]:/cvs-repository co -r zope-2_3-branch Zope2 and % cvs -z7 up -r zope-2_3-branch -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [OT] Re: [Zope-dev] Introducing a New Concept on Advanced Garbage Treatment Process
On Fri, Apr 20, 2001 at 02:02:01PM -0700, Andy McKay wrote: Introducing a new concept on advanced garbage treatment process, and licensing patents For details, please reference the web site: The patent is flawed obviously since it doesn't garbage collect itself... Shows you how we geeks think... The patent did not have anything to do with Zope or Python at all. It didn't even have anything to do with computers, unless you were about to dump your old 486 on the scapheap.. I reported the email to spamcop, to be garbage collected. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Bug in Zope VersionControl
On Thu, Jun 07, 2001 at 08:30:26PM +0200, Christian Theune wrote: Okay ... I admit using opera and enjoying it. Problem is, that opera is sooo standardsconform. See Zope/lib/python/Products/OFSP/Version.py:175 in function enter() Somebody thats the path for the cookie as SCRIPT_NAME. This seems that the scope of the versions should be limited to the subtree where the version object was instanciated. Nice idea. But this doesn't work. First: Internet Explorer and Netscape ignore the path of the cookie and assume '/'. Second: Opera is conform to the rfc of http 1.1, and this means, that the cookie is only valid for the version itself, and is not used in any place out of http://myzope:8080/blaah/myVersion Proposed solution: Change the path to '/'. And have the same behaviour on all browsers. Or: Change the path to REQUEST[URL1] (is this the parent folder?) and have the intended mechanism working at least on opera. The last is my personal favorite, because you can have different versions concurrently open on different projects @ one server. Proposed patch for both solutions comes as attachement. REQUEST['SCRIPT_NAME'] is the root of the Zope server. In a pure ZServer environment, this is '/'. In a situation where the Zope server is running behind another webserver, and is not at the root of that server, SCRIPT_NAME represents the path to the Zope server. For instance, if your Zope server is presented to the outside world as 'http://a.server.com/a/path/to/zope/' then SCRIPT_NAME will be '/a/path/to/zope/', whereever you are in the Zope object hierarchy. Thus, a version cookie is bound to the root of the Zope server. In your case, it seems that Opera is ignoring the cookie path altogether, and instead falls back on the default, which is the path of the Version object itself. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[mj@digicool.com: Re: [Zope-dev] Bug in Zope VersionControl]
(Could we please keep the list in the loop for both wider discussion and archiving?) On Fri, Jun 08, 2001 at 01:43:29PM +0200, Christian Theune wrote: REQUEST['SCRIPT_NAME'] is the root of the Zope server. In a pure ZServer environment, this is '/'. In a situation where the Zope server is running behind another webserver, and is not at the root of that server, SCRIPT_NAME represents the path to the Zope server. For instance, if your Zope server is presented to the outside world as 'http://a.server.com/a/path/to/zope/' then SCRIPT_NAME will be '/a/path/to/zope/', whereever you are in the Zope object hierarchy. Thus, a version cookie is bound to the root of the Zope server. In your case, it seems that Opera is ignoring the cookie path altogether, and instead falls back on the default, which is the path of the Version object itself. Okay. I have something for you. The REQUEST['SCRIPT_NAME'] is '' on my server. Could it be that - if zope is on the root - it SHOULD be '/' but is ''? You are correct, SCRIPT_NAME is indeed '' in ZServer situations. However, see below. Then per RFC it should be the location of the request (in this case http://localhost:8080/asdf, where asdf is the version). The RFC is silent about this. Note that there are two specifications that may apply. One is the original Netscape specification, the other is RFC 2109: http://www.netscape.com/newsref/std/cookie_spec.html http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2109.html There is also a RFC2965 which defines a new 'Set-Cookie2' header with a new syntax. Neither RFC 2109 nor the Netscape spec specify what happens when a 'path=;' cookie is sent, they only specify what happens if the path attribute is absent. The fact that we set an empty path attribute is thus confusing and we should avoid this. IE and Netscape poorely ignore the path, but Opera restricts the cookie to the location of the Version. IE and Netscape have decided that in that case the server must have ment to say 'path=/;', while Opera chooses to interpret it the same way as an omitted path attribute. Probably you want to check: if REQUEST['SCRIPT_NAME']=='': REQUEST['SCRIPT_NAME']='/' wherever this variable is created ... ??? I think we want to use: RESPOSE.setCookie( path=(REQUEST['SCRIPT_NAME'] or '/')) Could you file a bug in the Bug Collector at: http://classic.zope.org:8080/Collector Thanks! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Bug in Zope VersionControl
On Fri, Jun 08, 2001 at 02:17:06PM +0200, Christian Theune wrote: yes. we are right. Opera only sends the cookie in the version, but i couldn't figure out, what zope is sending (using the tcpwatch proxy). so i don't know what zope returns ... the should be a line == Cookie: ... or something I think, but there isn't. As soon as you press the 'join' button, Zope will send a 'Set-Cookie' header. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Bug in Zope VersionControl
On Fri, Jun 08, 2001 at 09:36:53AM -0400, Evan Simpson wrote: From: Martijn Pieters [EMAIL PROTECTED] REQUEST['SCRIPT_NAME'] is the root of the Zope server. In a pure ZServer environment, this is '/'. In a situation where the Zope server is running behind another webserver, and is not at the root of that server, SCRIPT_NAME represents the path to the Zope server. SCRIPT_NAME is not reliable in the presence of virtual hosting. Use REQUEST['BASEPATH1'] instead. When we fix this problem, we indeed should use BASEPATH1. BASEPATH1 is also empty when in a ZServer-only situation, so we should still use path=(REQUEST['BASEPATH1'] or '/'). -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Bug in Zope VersionControl
On Fri, Jun 08, 2001 at 09:42:00AM -0400, Andreas Jung wrote: On Fri, Jun 08, 2001 at 09:36:53AM -0400, Evan Simpson wrote: From: Martijn Pieters [EMAIL PROTECTED] REQUEST['SCRIPT_NAME'] is the root of the Zope server. In a pure ZServer environment, this is '/'. In a situation where the Zope server is running behind another webserver, and is not at the root of that server, SCRIPT_NAME represents the path to the Zope server. SCRIPT_NAME is not reliable in the presence of virtual hosting. Use REQUEST['BASEPATH1'] instead. When we fix this problem, we indeed should use BASEPATH1. BASEPATH1 is also empty when in a ZServer-only situation, so we should still use path=(REQUEST['BASEPATH1'] or '/') The fix is now in the 2.4 trunk. Note that there are 3 bugs open on this, 2291 (which you set to Forgotten'?), 2225 and 2234. Also, you'll have to hunt out all usage of path=REQUEST['SCRIPT_NAME'], not just the one that you fixed. There is at least one other in Version.py, and there may be more. I think you should search for setCookie. And last, this should also go in the 2.3 branch I think. It is a small enough bugfix, and some people will be reluctant to switch to 2.4.x just yet. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Proposed proposals: password encryption, ZODB RAM
On Mon, Jun 18, 2001 at 12:28:54PM -0400, Shane Hathaway wrote: 1) Optional password encryption. Right now passwords are stored as clear text. What's interesting is that Zope can already authenticate against SHA encrypted passwords, it just won't encrypt user passwords unless you force it to. As a test of Zope's ability to authenticate against encrypted passwords, I sneakily implemented the inituser changes with SHA encryption by default. That means that the password for the initial user stored in the database is not possible to decrypt and yet nobody has had any problems with it AFAIK. Since it has been successful, I'd like to suggest we add a checkbox to basic user folders that enables encryption for new passwords, and have it turned on by default. The risk is incompatibility with HTTP digest auth, which I imagine nobody is using right now. There is already a proposal for this: http://dev.zope.org/Wikis/DevSite/Proposals/EncryptedUserfolderPasswords You could, of course, create a counter proposal.. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: ZPL and GPL licensing issues
On Fri, Jun 22, 2001 at 01:16:04PM -0400, Shane Hathaway wrote: I think you're right. The reaction to the Python license becoming GPL compatible wasn't as enthusiastic as I expected, though. Are you talking about the reactions on Slashdot.org? The reactions there were exactly as to be expected; uninformed and unintelligent. And those are the posts that get score 3 and up, I never read Slashdot posts below that. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Digital Creations http://www.digicool.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] New: Cross Site Scripting vulnerability
Example: http://www.zope.org/Documentation/SCRIPTalert(document.domain)/SCRIPT http://www.zope.org/lalalalalSCRIPTalert(document.domain)/SCRIPT http://www.zope.org/SCRIPTalert(document.cookie)/SCRIPT For example, an attacker might post a message like Hello message board. This is a message. SCRIPTmalicious code/SCRIPT This is the end of my message. When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include SCRIPT, OBJECT, APPLET, and EMBED. First of all, I would appreciate it if you could send alleged security problems to us in private, and not advertise these on a public mailinglist. I know that you had posted your previous ;discovery' to us in private some time before you took it to the public lists, but the time given to us to craft a response to your email was by far too short. One week would have been the absolute minumum! Secondly, could you in future also describe the exact problem in more detail? I assume that you mean a malicious third party could in theory abuse our server to create a page with malicious client-side code by crafting a message on a message board or in an email, right? Your manner of posting could suggest to others that the vulnerability lies with Zope itself, not with browsers allowing malcious code via a generated web page. Third, the 'classic.zope.org' link on the Zope.org error page has long been overdue for removal, especially since classic is now down. I have removed the auto-generated link to it. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] compiling Zope 2.4.1 on Mac OS 10.1
On Wed, Oct 03, 2001 at 12:44:11AM -0400, Mitchell L Model wrote: False alarm for Python2.2a4. It does work It seems I was either hallucinating or had screwed something up. After discussions with Guido, after which I understood a lot better what was supposed to be happening and why, I started over, and this time it worked. With the updates for OS 10.1 in Python 2.2a4, all I had to do to make both Python and Zope was: cd Python2.2a4 configure --with-suffix=.exe make sudo make install cd Zope python wo_pcgi.py That's all. Just that one configure flag, and no global variables set. Very, very nice. What a delight to have a just released MacOS treated with respect by multi-platform software! Note that we have just identified some Zope tests that fail when running under Python 2.2, but not under 2.1. We are still investigating as to what causes this. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: Install doesn't start properly
Please keep the mailing lists in the loop. I do not control the Zope source, and others may have an opinion as well. I am CC-ing Zope-Dev on this as this discussion is more appropriate there. On Mon, Oct 22, 2001 at 01:12:33PM -0400, Behrens Matt - Grand Rapids wrote: The above URL confuses running as nobody and having the files owned by nobody. It is not terribly clear, and it reflects a shallower understanding of the problem that I used to have. So I dragged out a bindist, untarred it as root, and performed a few experiments, see below. Files should be owned by root (which it would do if installed as root) and you can run as nobody, provided that nobody has permission to write to the var directory. First, actually, untarring as root sets the ownership of a lot of the stuff in my solaris bindist to 506:100 (brian:users, it says in the listing.) Default behaviour when using tar as root; it'll preserve the UID and GID of the person that created the tar. When I first went on my nobody crusade I was under the assumption that nobody needed to be able to rw Data.fs as well. That should probably be clarified when advice is given to make var nobody-writable. I'm guessing there are more than a few people who take make var nobody-writable as requiring that files inside it also are nobody-writable. Maybe this is not anyone's responsibility but I don't want to give someone who doesn't know any better incomplete advice. In any event, the drop-to-nobody setup is still not perfect, though. Here are a few examples I just tested now: 1. nobody can change Z2.pid since it owns it; this can be used to trick root into killing an arbitrary process. Solution: Z2.pid should be written before the setuid call. Agreed. 2. nobody can arbitrarily destroy and replace any file in var, still leaving the possibility open for mischief. Writable directories mean you can rename, remove, etc. Solution: The sticky bit could get around this. I don't see how? What is the point of having one writeble directory for the process and then make it unwritable? The point of the var directory is to have only one place where the server process can do all its writing (which it needs to be able to do in order to operate). Note that if you feel uncomfortable with the user 'nobody', you can also dictate that Zope switches to another UID. On Debian www-data is used, for example. 3. Packing doesn't work unless nobody can read Data.fs. Letting nobody read Data.fs nullifies most of the security we gained. If we do let nobody read Data.fs, then when packing is performed we end up with a nobody-owned Data.fs. Nobody will have to be able to read Data.fs, otherwise the whole Zope process wouldn't work! Same for writing. The only way around this is having a separate server process control the writing (ZEO), or not run as root (and have another process like Apache provide port 80). 4. Anything else that uses var, such as gadfly, ends up nobody-owned. I don't see any programmatic way around this. Putting sensitive data in gadfly is downright silly IMO, but in a general-use platform, I don't control what people do. Default to secure, if the end-user overrides our security, it's their fault if something is compromised. I think we make it pretty clear that Gadfly is for demo purposes only, and it isn't useful for any critical data for many more reasons. Not really nobody-related but still of note: with the default UNIX umask, new files (i.e. packed Data.fs) are created with read permissions for group and other. I don't see a recommendation to set umask 077 anywhere but I may just be missing it. I don't think there will be any problems with this. I know I'm being a pain in the arse, but this stuff is pretty important, I think. I'd like to get it fixed up, and I'm happy to help with code or doc changes or whatever, as well as keeping the specifics under wraps until a fix is committed. In the meantime I think it's still best and will keep recommending that people run their installs as dedicated users. The best way of having things changed you care about, is to submit patches and bug reports, especially if they are this detailed. Unfortunately, the bug collector is down right now (Ken Manheimer is working very hard on a replacement), but any suggestions are certainly still welcome, preferably to the mailinglists. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Open Letters and Zope 3
On Tue, Dec 04, 2001 at 10:37:55PM +0900, Joseph Wayne Norton wrote: p.s. It is my own personal taste but I don't really care for the tkgui interface for running the zope test suite. Any possibilites of making the test suite run in a fashion similar to the python installation test suite? You can just use the standard unittest module to run a text version of the tests. On my machine, unittest.py is executable, and I just type: PYTHONPATH=./lib/python /usr/lib/python2.2/unittest.py Zope.Testing.allZopeTests This is all one line, in bash. In csh, you'll have to set the PYTHONPATH env var by hand beforehand, I believe. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] disabling gc does not necessarily hide memory corruption
On Wed, Dec 19, 2001 at 05:24:58PM -0200, Leonardo Rochael Almeida wrote: On Wed, 2001-12-19 at 13:34, Chris McDonough wrote: It would be good if someone who is experiencing random crashes could confirm that the the new compiler package fixes their problem. I might risk losing a few more points with my sysadmin to test it (Hi daniduc :-) if there was an easily downloadable package with clear instructions on how to apply it to Zope 2.4.3 (I don't feel like messing with CVS for this), and if you tell me that it won't corrupt my Data.fs or anything :-) You can download files from CVS as a tarball. Just go to http://cvs.zope.org/Zope/lib/python/RestrictedPython and use the link at the bottom. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PDF-specific Bug in the ZServer implementation??? Or just strange behavoiur of IE?
On Mon, Jan 07, 2002 at 09:56:40PM +0100, Joachim Werner wrote: This was a really quick response! Thanks a lot. Just one additional question: What is the best approach to upgrading to the new code? Replacing the ZServer code by the CVS one? Is the patch in the latest 2.5 beta, too? Yes, the changes are in 2.5.0b3 as well (check the CHANGES.txt file when in doubt :)). -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] PDF-specific Bug in the ZServer implementation??? Or just strange behavoiur of IE?
On Mon, Jan 07, 2002 at 09:56:40PM +0100, Joachim Werner wrote: What is the best approach to upgrading to the new code? Replacing the ZServer code by the CVS one? The code only applies to OFS/Image.py (only File and Image objects support HTTP Range) and ZPublisher/HTTPRangeSupport.py. I've attached the versions for a Zope 2.4.x installation, just drop them in the correct places in your current Zope setup. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ## # # Zope Public License (ZPL) Version 1.0 # - # # Copyright (c) Digital Creations. All rights reserved. # # This license has been certified as Open Source(tm). # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are # met: # # 1. Redistributions in source code must retain the above copyright #notice, this list of conditions, and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright #notice, this list of conditions, and the following disclaimer in #the documentation and/or other materials provided with the #distribution. # # 3. Digital Creations requests that attribution be given to Zope #in any manner possible. Zope includes a Powered by Zope #button that is installed by default. While it is not a license #violation to remove this button, it is requested that the #attribution remain. A significant investment has been put #into Zope, and this effort will continue if the Zope community #continues to grow. This is one way to assure that growth. # # 4. All advertising materials and documentation mentioning #features derived from or use of this software must display #the following acknowledgement: # # This product includes software developed by Digital Creations # for use in the Z Object Publishing Environment # (http://www.zope.org/). # #In the event that the product being advertised includes an #intact Zope distribution (with copyright and license included) #then this clause is waived. # # 5. Names associated with Zope or Digital Creations must not be used to #endorse or promote products derived from this software without #prior written permission from Digital Creations. # # 6. Modified redistributions of any form whatsoever must retain #the following acknowledgment: # # This product includes software developed by Digital Creations # for use in the Z Object Publishing Environment # (http://www.zope.org/). # #Intact (re-)distributions of any official Zope release do not #require an external acknowledgement. # # 7. Modifications are encouraged but must be packaged separately as #patches to official Zope releases. Distributions that do not #clearly separate the patches from the original work must be clearly #labeled as unofficial distributions. Modifications which do not #carry the name Zope may be packaged in any form, as long as they #conform to all of the clauses above. # # # Disclaimer # # THIS SOFTWARE IS PROVIDED BY DIGITAL CREATIONS ``AS IS'' AND ANY # EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DIGITAL CREATIONS OR ITS # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF # USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND # ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT # OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # # This software consists of contributions made by Digital Creations and # many individuals on behalf of Digital Creations. Specific # attributions are listed in the accompanying credits file. # ## Image object __version__='$Revision: 1.130.4.2 $'[11:-2] import Globals, string, struct from OFS.content_types import guess_content_type from Globals import DTMLFile from PropertyManager import PropertyManager from AccessControl.Role import RoleManager from webdav.common import rfc1123_date from webdav.Lockable import ResourceLockedError from webdav.WriteLockInterface import WriteLockInterface from SimpleItem import Item_w__name__ from cStringIO import StringIO from Globals import Persistent from Acquisition import Implicit from DateTime import DateTime from Cache import Cacheable
Re: [Zope-dev] [BUG] Python 2.1.2 Zope 2.4.1
On Mon, Jan 28, 2002 at 10:32:11AM -0500, Paul Everitt wrote: All in all, only a few days separate the two releases, and obviously CVS people have been able to get at changes all along. Thus, I don't think this is an extreme case. Also note that downloading a source release from CVS is very very very easy. Just use the following link: http://cvs.zope.org/Zope/Zope.tar.gz?tarball=1only_with_tag=Zope-2_4-branch This will get you a tarball with a CVS export of the current 2.4.x branch, which will contain *exactly* the same contents as the Ssource release we'll make as soon as the windows problem is resolved. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Defining Interfaces
On Tue, Jan 29, 2002 at 07:47:46PM +, Florent Guillaume wrote: When I define an Interface, are the methods of the interface supposed to have self as the first argument? No. But this does preclude automatic validation of the contract using python inheritance from the Interface, doesn't it ? Or will there be another way ? No, the validation methods take into account that class members of an implementation will have a self-referential first argument. Detecting if an implementation is a class is trivial. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: [Zope] isecure XML-RPC handling.
On Tue, Apr 02, 2002 at 04:01:41PM -0500, Eron Lloyd wrote: On that thought, I'd like to see Zope.org become much more modern, and reflect the *latest* and *greatest* functionality of Zope. Deprecation of the hybrid PTK that's used, as well as updating and polishing of the site regularly. In fact, I'd like to see more of a portal feel to it, that's both personalized and customized to my needs. For instance, log into my account, download 2.5.1b1, come back a week later and here's a big notice that beta2 is available for *my* setup. Also, can we see some Web services? Imagine, in the management interface, and visiting the Control Panel. There is an Update tab, which when loaded queries zope.org with the XML-RPC method zope.webservices.getUpdates(my_install), which passes in my server's version, installed products, etc. and lists updates, hotfixes, and other notices. With the flexibility and dynamic runtime nature of Python, i wonder how hard it would be to update a running server. Head over to [EMAIL PROTECTED] and help out then; the effort to build a new zope.org is already well under way. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: [OT] digital signature
On Thu, Apr 25, 2002 at 06:02:19PM +0200, Lennart Regebro wrote: I want a *good* mail program. :-/ I can recommend Mutt. ;) -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ?determine if x is a string or array in PythonScript
On Thu, Jul 11, 2002 at 05:22:48PM +0800, Tim Hoffman wrote: I must be stupid or something, but I can't for the life of me work out a simple way of determining if a variable contains a string or array, in a PythonScript in Zope. I can't import type and or use type() function. isinstance doesn't work because I can't give a type as the second arg. I obviously just can't see the wood for the trees, can anyone help out this silly individual ? Testing for string methods works :) if hasattr(item, 'startswith'): # A String else: # Something else On a similar note you can test for a specific list method. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] ?determine if x is a string or array in PythonScript
On Thu, Jul 11, 2002 at 04:10:33PM -0400, Shane Hathaway wrote: Python scripts provide a special function, same_type(), for this purpose. Example: if same_type(s, ''): s = [s] Much better than my hacked-up solution. :p -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] DTML and REQUEST data changes about to be checked in
Hi folks, I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5 branch. These changes could potentially break existing Zope sites. Without these changes, Zope is somewhat vulnerable to cross-scripting attacks, where a well-crafted URL can cause a Zope server to serve out arbitrary HTML. Because DTML does not automatically html quote any data, and can implicitly get information out of the REQUEST even when it was not the intention of the template author, it is easy to cause REQUEST data to be rendered as HTML on a page. My changes cause the REQUEST to keep track of suspected strings, where suspect is defined as any string with a ''. These are marked as tainted. Any normal, explicit access to the REQUEST will still give you normal values. However, as soon as a DTML template requests a variable from the general namespace, and this variable is then satisfied from the REQUEST, the value of this variable could potentially be a TaintedString object instead of the original string. When rendering such a value, DTML will automatically HTML quote it if not already done so explicitly. All DTML string operations dealing with TaintedString objects are careful to retain the TaintedString status. I also fixed all exceptions raised in Zope that I could find, where untrusted REQUEST data was used in the exception message; these exceptions now html quote the data. I also made sure that the REQUEST calculated variables URLx and BASEx and such were not shadowed by untrusted form variables of the same name. These changes can break existing sites in the following ways: - If you relied on getting HTML-like data from the REQUEST in DTML and want to render this as HTML, and you got this data implicitly, this data will now be HTML quoted. Note that you were vulnerable to a cross-scripting attack here already. You can retrieve your information from the REQUEST directly (with dtml-with REQUEST for example), at your own risk. ;) - HTML quoting will also take place in templates that do not otherwise generate HTML to be sent back to the browser, such as email forms and Z SQL Methods. For Z SQL Methods, dtml-sqlvar does not quote TaintedStrings and is otherwise ignorant of them. For emails, use explicit access to REQUEST instead. - If you relied on being able to override URLx or BASEx variables through a form variable, this no longer works. Use explicit access to REQUEST.form instead. - Using the string method .join (''join(items)) cannot handle TaintedString objects. You can use _.string.join instead. - Passing a TaintedString value from a DTML template to other objects such as Python code, External Methods, Python Scripts, etc, may cause them to break because they did not anticipate a TaintedString object. What doesn't break (among others): - Accessing REQUEST data from Python code, Python scripts, or ZPT. Only DocumentTemplate.DT_String derivatives (DTML Document, DTML Method, etc) and DTMLFile objects are affected. - If you already HTML quoted, nothing gets double quoted. - Using the _.string module in DTML retains taints. - Zope 2.6 unicode marshalling (var:ustring:utf8) works with TaintedStrings as well. TaintedString objects try to mimic strings as best as they can, but until we move to python 2.2 definitely and we can inherit from str directly, certain python code will not accept TaintedString objects as substitutes. I found that the normal string module, and the string ''.join module don't accept TaintedString objects for example. Also, using the string interpolation operator % will cause TaintedString objects to be unwrapped. When TaintedString becomes a subclass of str, more operations will unwrap them, such as unicode() and ''.join; or just about any operation that manipulates strings through other ways than string methods. Because of size of the change and the impact on existing DTML code, well release betas of Zope 2.5 and 2.6 soon to facilitate wider testing. For those following CVS, please test the changes rigorously and let me know what you find. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: DTML and REQUEST data changes about to be checked in
On Thu, Aug 01, 2002 at 10:46:44AM -0400, Martijn Pieters wrote: I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5 branch. These changes could potentially break existing Zope sites. It's in. Let the testing begin! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: DTML and REQUEST data changes about to be checked in
On Thu, Aug 01, 2002 at 10:29:36AM -0600, Jeffrey P Shell wrote: Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a small worry that old code on small sites that we don't have much worry about will break if this is put into a 2.5.2 or later release. Could there be a way to disable this feature in 2.5 via a z2/environment variable or some other configuration setting, but have it be automatic in 2.6? Potential code breakage and point point release leave me a little worried about maintaining 2.5 sites. It may not be an issue - I have to digest the changes in more depth that I've had (or currently have) time for, but that's the thought that crossed my mind earlier. From a technical standpoint I can indeed add a switch that would disable the occurence of tainted strings, yes. I'll discuss this with Brian, it shouldn't be hard to add. But note that breakage only occurs when REQUEST data actually contains possibly dangerous markup, and your site was vulnerable in those areas that now break. Disabeling the tainting will leave you vulnerable. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote: Likewise Im trying to digest all that and Im a little suprised. More magic in DTML? Not something I'd vote for normally. Im a little confused why this is suddenly an issue, yeah so we pull a string out of the REQUEST and thanks to DTML stack we may not know where it came from. Well thats always been there. And yeah the string may contain nasty HTML. Again that's always been there. In the past (and I cant find posts to show it) the party line was Zope is an application server and its up to the person developing the application to worry about it. Thats why ChrisW wrote stripogram and I use it in quite a few apps. Yup. And that is still the case. However, the combination of implict REQUEST form interpolation and no HTML quoting turns out to especially dangerous, because of those situations where you *want* no HTML quoting for optional information that normally should *not* come from the REQUEST. An example is the Zope help system; there are API help pages that have optional information, which when present is already HTML. But when not present in the object hierarchy, but it *is* available in the REQUEST, the REQUEST data is used instead. The way standard_error_message deals with exceptions is another such a situation. The DTML author didn't expect the particular template slot to be filled with REQUEST data, the slot is optional, and the author has no way of preventing REQUEST data from being used. The solution we choose fixes that problem, for all existing DTML as well as future DTML. Note that ZPT does not have this problem, as it quotes by default and doesn't use implict namespaces. One other question? Why does it matter that the string is implicitly called, why dont you taint explicitly called to? It makes me think of Perl where taint mode taints anything coming from the user? Because, as explained above, its the implicit case that is dangerous. In the explicit case you are supposed to know you are working with unsafe data and thus the old rules apply. If we explicitly quoted, we hurt everyone that either did the right thing from the start and/or already knows they are playing with fire. This still doesnt solve the party line and means I would like to suggest again (and this time I have the time to work on it) that we add something like stripogram or similar to the core, so that is easy for an application developer to have access to strip html and other functions from products, DTML, Python Scripts etc to easily alter, manage and make HTML safer. The CMF now includes a basic HTML stripper. In future iterations, Tres Seaver expects this to evolve into a CMF Tool that is more generaly configurable and useable. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote: I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5 branch. In my opinion this change is completely unacceptable at this late stage of the release cycle. As you said: These changes could potentially break existing Zope sites. The existing behavior might be flawed, but it is a flaw we have all lived with for a long time. In my opinion this needs: 1. To be deferred until the 2.7 cycle. 2. A detailed fishbowl proposal. Note that the problems fixed are potential security problems. Although we cannot fix every site out there for sure, the fixes certainly dramatically reduce the risks. The risk for breakage is very small really, and breakage will generally only occur when someone is trying to exploit the weakness, not in normal operation of the site. I'll leave any decisions on wether or not this stays in the current release cycles or moves to 2.7 to Jim Fulton. He is unfortunately on cvacation until next week. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote: The risk for breakage is very small really Your choice of '' and html_quote suggests that my dtml code which generates javascript and vbscript carries a higher risk than dtml which generates html. Only if you generated that script using data from the REQUEST, implicitly. Which was bad in the first place. , and breakage will generally only occur when someone is trying to exploit the weakness, not in normal operation of the site. The fact that your change uses html_quote to 'fix' the problem rather than sounding 'hacker alert' alarm bells suggests to me that you dont really believe that ;-) Again, the wide scope of DTML use would make such bells warble prematurely all too often. The normal, recommended fix for the general weakness is to always use HTML quote. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote: On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote: Whithout the fix, virtually every Zope site in the world is vulnerable to URL-based cross-site scripting exploits. For instance, any URL which contains invalid form variable marshalling can generate an error page which includes the erroneous value, unquoted. E.g.: URL:http://somezopesite.com/looks/like/legitimate?foo:int=%3Cscript%3Ealer t('Owned')%3C/script%3E Do you plan to fix this bug? Or, with the autoquoting changes, is this to be reclassified as 'not a bug'? Together with the autoquoting changes, I tightened Exception messages; data from REQUEST is quoted where I could reasonably suspect REQUEST data was used. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: pdf - Files not viewable
On Mon, Aug 19, 2002 at 10:17:00AM +0200, Markus Stoll wrote: The acrobat plugin is definitely unhappy with these sorted ranges that Zope uses for creating the response. Acrobat expects the ranges in the very same order it has requested them. Sorry, further reading on my part. What Acrobat reader version, Browser version and Zope version? *Not* sorting the ranges causes considerable performance loss on the Zope server. I have tested Acrobat reader version 5 on Mozilla (0.9 and up), Netscape 4.7 and Internet Explorer 5.5 and up with this and all combinations work with the current code. There was a bug in the way ranges that touch upon each other (no overlap, just no seam) were optimized away, and the way Netscape 4.7 uses a draft version of the spec instead of the released version. These have been fixed. As the spec does not prohibit sorting, and perfomance loss is fenomenal on large files, I would need considerable justification for not using sorted ranges. If you use Zope 2.4, then you are probably experiencing one of the above mentioned bugs. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in
On Wed, Aug 14, 2002 at 04:25:09PM -0400, Brian Lloyd wrote: So here's what we'll do. Zope 2.6 will include the string tainting changes, enabled by default. The tainting can be turned off by providing an environment variable. The next Zope 2.5.x release will contain the tainting code, but it will be *disabled* by default. If you are worried about the issues it addresses, you will be able to enable it explicitly using an environment variable (without having to upgrade to 2.6). I checked in the changes for 2.5; auto quoating now has to be enabled with an environment variable. Higly recommended! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Re: Unsecure design of ExternalFile
On Thu, Nov 07, 2002 at 11:24:35AM -0500, Craeg K Strong wrote: What would you recommend? Perhaps there should be a predefined list of forbidden directories for ExternalFiles? The problem is that-- in the development scenario-- the very things you mention below might be what you legitimately *want* to do as a developer. 'Jail' the base directory. Files can only be referenced within the jail. Relative paths outside the jail are forbidden. This is what FTP and web servers do, and so should ExternalFiles. A full path (starting with a '/') then starts at the base directory. The base directory should not be configurable through the web. Rather, use an environment variable. Only one directory is needed, as files that need to be accessible can be copied or symlinked. -- Martijn Pieters | Software Engineer mailto:mj;zope.com | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: online ordering without a prescription
Sorry for the spam that snuck through; we had memory problems on the mail server and the spam handling facilities were temporarily off-line. -- Martijn Pieters | Software Engineer mailto:mj;zope.com | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] cvs.zope.org broken
On Wed, Dec 18, 2002 at 11:57:33AM +0100, Godefroid Chapelle wrote: Does someone knows what happens with cvs.zope.org which is currently broken My bad, typical Murphy's Law where a last-minute cosmetic change breaks everything and a browser cache prevented me from seeing my mistake. All late at night of course. Mea Culpa! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] cvs.zope.org upgraded
cvs.zope.org now runs on ViewCVS 0.9.2, and I enabled CVSGraph (watch out, big images!) and database query support. Head on over and play around with the new look and features! -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Zope anonymous CVS temporarily offline
Hi all, Due to the CVS vulnerabilities disclosed today, we have temporarily shut down anonymous CVS access to cvs.zope.org through pserver. We'll reenable this when we have upgraded CVS on the server. People with write access through SSH and the web interface at http://cvs.zope.org are still available. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] How (in)secure is Zope?
On Thu, Mar 13, 2003 at 06:11:32PM +0100, Florent Guillaume wrote: In article [EMAIL PROTECTED] you write: - Cross-scripting issues: I guess that some of those are still in the Zope Management Interface (which is not meant to be used by untrusted users in most cases), but Zope offers a lot of tools to make sure that it is hard to post malicious code in forums, attack Zope via URLs etc. I've worked had to remove all those in the DTML code. I've not audited the rest of the python code that generates HTML directly (code that should be taken out and shot), but I think there are patches for those in the collector. And Florent's patches came on top of my DTML pro-active anti-HTML-from- REQUEST-sourced-data changes that cause all outside strings to be HTML quoted if they could *possibly* be used to construct HTML tags. Some of my changes included taking out some of the directly-HTML-generating python code to be shot without trial. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] weak examples, weak exploits
On Mon, Jun 23, 2003 at 10:33:42AM -0400, Casey Duncan wrote: I would be in favor of making the Examples opt-in like the Zope tutorial. It seems silly to have it in evey ZODB by default. Make people add it if they want it. Moreover, the examples installed everywhere attract spam to [EMAIL PROTECTED] (forwarded to [EMAIL PROTECTED]). I have seen numerous 'increase website traffic' spams explicitly mentioning /Examples URLs around the net. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Mailinglists
On Mon, Aug 04, 2003 at 09:17:37AM +0200, Christian Theune wrote: something went wrong on all zope.org mailinglists recently. I discovered that the sender adresses aren't zope.org anymoure but python.org. This crashes my mailinglist filters as they are using the List-Id field that isn't supposed to change. Is this temporarily due to zope.org update or will it remain in this state? A temproary glitch. Barry Warsaw switched the majority of lists at python.org and zope.org over to a new version of Mailman and the sender domain name for the Zope.org lists got reset to python.org. I fixed all lists this morning. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.python.org/mailman/listinfo/zope-announce http://mail.python.org/mailman/listinfo/zope )
Re: [Zope-dev] Mailinglists
On Mon, Aug 04, 2003 at 02:22:26AM -0700, Jamie Heilman wrote: dunno anything about it, but I just thought I'd note that whatever happened it seems to have disappeared a good number of the list archives formerly hosted at http://mail.zope.org/ as well irritating The web listing of mailing lists still uses the old mailman version (see my reply to the original message). This will be switched over in due time showing the full list again. Sorry about the inconvenience. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.python.org/mailman/listinfo/zope-announce http://mail.python.org/mailman/listinfo/zope )
Re: [Zope-dev] Mailinglists
On Mon, Aug 04, 2003 at 04:28:29PM +0200, Jean Jordaan wrote: I fixed all lists this morning. Dunno if this is related, but they're still AWOL from http://mail.zope.org/mailman/listinfo .. (only shows 6 lists now). That is indeed related. The page only shows lists still running on the old mailman version. These lists will be migrated as well, and the page will be switched to show the new mailman version lists list (try saying that 20 times fast). -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.python.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.python.org/mailman/listinfo/zope-announce http://mail.python.org/mailman/listinfo/zope )
Re: [Zope-dev] xmlrpc to zope change?
On Tue, Aug 05, 2003 at 01:52:21PM -0500, Christopher N. Deckard wrote: After doing some testing with Zope 2.6.2b5, we discovered that a number of our scripts that do xmlrpc to Zope were not working. It turns out that the URI to use to connect to Zope will not work if you have /RPC2/ as was required before. Should I file a collector item on this? /RPC2/ was never requered before; that URI is a convention used by Frontier (the first server to implement XML-RPC) and possibly other XML-RPC implementations, but never by Zope. -- Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED] | Zope Corporation http://www.zope.com/ | Creators of Zope http://www.zope.org/ - ___ Zope-Dev maillist - [EMAIL PROTECTED] http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] BTrees.Length conflict resolution
Did the conflict resolution code for BTrees.Length ever work? Because as it stands now the code will fail as it assumes that integers are passed in, instead of state dictionaries: def _p_resolveConflict(self, old, s1, s2): return s1 + s2 - old As there are no tests for this that I can see (the BTrees tests are kinda very dense), I am not too keen to go touch this, but I think this should read: def _p_resolveConflict(self, old, s1, s2): s1['value'] += s2['value'] - old['value'] return s1 Martijn Pieters, up to his armpits in conflict resolution code. signature.asc Description: OpenPGP digital signature ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: BTrees.Length conflict resolution
Tim Peters wrote: You haven't seen this fail, you're _deducing_ that it must fail, right? Deducing indeed... Don't overlook this other Length method: def __getstate__(self): return self.value That is, when a Length instance is asked for its state, it returns an integer. Similarly setting its state expects an integer: def __setstate__(self, v): self.value = v Dang. I knew I was missing something here. Thanks for putting me straight, Tim. Martijn, who has managed to extract himself from conflict resolution code today. signature.asc Description: OpenPGP digital signature ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: indexing multiple strings with ZCTextIndex broken in Zope 2.7.7
Martijn Faassen wrote: Can you reopen the issue? I've tried to log in to see whether I can, but it don't seem to log in properly into the tracker or something. Zope.org appears to cache collector issues very aggressively; use the 'View' action on the top right to get to a fresher version. A bug I responded to this afternoon still shows up in it's originally filed state on the default URL (ending in the issue number) Martijn Pieters ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: [Zope3-dev] Re: Speed win in Python's urllib.quote
Lennart Regebro wrote: How about: http://public-bertha.in.nuxeo.com/~ben/funkload/ Is this site ment to be public? The name doesn't resolve for me. Is the head from http://svn.nuxeo.org/trac/pub/browser/funkload/ sufficient? Martijn Pieters ___ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )