Re: [Zope-dev] Tyring to FTP to Zope running behind firewall, get login box but no directory listing
At 17:52 23/04/2002 -0700, Jason Spisak wrote: >It would appear that their FTP implementation is not working >correctly, when connecting to a Zope FTP system behind a >firewall. > >Zope is running on port 8880 and ftp service works fine from >inside the firewall on port 8821. From outside the firewall, I >get a login prompt, enter my password, but then the directory >listing never materializes. Since I get the login prompt, it's >not a firewall packet issue. You cannot reach that conclusion without examining what the firewall is configured to do. That said I'm a little surprised that the incoming connection to port 8821 was allowed through the firewall unless some attempt has been made accommodate the Zope FTP server. >Is this a known issue? If anyone knows of any quick fixes for >this, I'm wide open for ideas. Allowing FTP through a firewall is a problem because of its need to use dynamically allocated high numbered ports (over 1024) for the data connections. This is true for both normal and passive mode FTP although the precise nature of the problem will depend on whether you are trying to allow clients inside to FTP out or clients outside to FTP in. A statefull firewall is often used as the solution to these problems. But if the firewall is not configured to expect external FTP clients initiating incoming control connections to the port you Zope FTP server is listening on, i.e 8821, then it may not make appropriate inspections of that control connection leading to the subsequent data connections being disallowed. Your description of the problem hints at this sort of problem. I'd talk to the maintainer of the firewall configuration as this is the most likely cause of the problem given that clients inside the firewall are able to use the Zope FTP server successfully. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Is there a Security problem with cookie authentication?
Someone out there might like to sanity check my thinking on a possible security hole that arises if some form of cookie authentication, the CookieCrumbler for instance, is used with Zope. The scenario of concern is when cookie authentication is being used and Zope is accessed by a browser via a caching HTTP proxy server such as Squid, hardly an uncommon situation these days. I believe that transparent proxy servers are quite extensively used at the internet access points of ISPs. As the Squid FAQ says: The presence of Cookies headers in requests does not affect whether or not an HTTP reply can be cached. Similarly, the presence of Set-Cookie headers in replies does not affect whether the reply can be cached. It appears to me that if the Zope server fails to add a Cache-Control header with a value of private, no-cache or no-store to its responses, a caching proxy server is free to cache the response to an HTTP request. Hence the proxy server can again serve the response, purportedly protected by cookie based authentication, to any other requesting client WITHOUT consulting the Zope server. I could not identify any code in the CookieCrumbler to add a Cache-Control header with a value of private, no-cache or no-store to Zope responses. This problem should not occur when Zope uses the regular Basic Authentication scheme as per RFC2616: Note that section 14.8 normally prevents a shared cache from saving and returning a response to a previous request if that request included an Authorization header. Unless someone can refute this scenario (please, please do) then it appears to me that Cache-Control headers need to be added to all responses conditional on authentication by Zope using cookie authentication. Maybe Zope should just add a Cache-Control header with a value of private, no-cache or no-store to all responses that its security sub-system determines are to other than the Anonymous user. It would do no harm if Basic Authentication were being used and would plug the security hole I have posited if cookie authentication were in use. I'd propose a patch myself but I am not that confident in hacking around Zope's security management code. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Using other than NullResource to handle HTTP PUT
I'm developing, in python, some classes whose instances to be published by Zope, one of which is folder-like, i.e. is can contain instances. I want HTTP PUT requests which will create new object instances within instances of this folder-like class to be handled by a PUT function I define. I cannot identify the "right" way to do this, or at least a way which doesn't involve hacking the standard Zope code to have my PUT function handle the operation. The normal behaviour of Zope appears to be to create an instance of the NullResource class and call the PUT function on that. This then proceeds to create a DTMLDocument, Image or File instance which is not what I need to happen; I want to have instances of one of my own classes created instead. Any advice appreciated especially if I'm missing something obvious. btw am I alone in struggling to understand the python classes underlying Zope's operation and how these classes work/ineract? I've read a lot of source code but still feel I have only the vaguest grasp of the theory of operation of the whole thing. Ho hum. ---------- Richard Barrett, PostPoint 27, e-mail:[EMAIL PROTECTED] Fujitsu Telecommunications Europe Ltd, tel: (44) 121 717 6337 Solihull Parkway, Birmingham Business Park, B37 7YU, England "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well armed lamb contesting the vote." Benjamin Franklin, 1759 -- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Problem acquiring via a newly created object
I'm stumbling to find a solution to the following problem. Using python I have created two classes which respectively derive from the standard Zope Folder class and DTMLDocument class. My classes (and some others yet to be written) are intended for use when requirements stipulate that published material must be held/protected in RCS as well as being served via Zope. I've elected to put an attribute called 'web_RCS_root' at the top of the Zope object hierarchy which contains the server local file system path under which files to be held by RCS. When instances of the Folder derived class are created, the add function creates a file system folder below the 'web_RCS_root'. The add function for my folderish objects effectively creates a directory hierachy in the file system isomorphic to the hierachy of the URL's being served by Zope. Instances of my DTMLDocument derived class are only allowed within my Folder derived class. The add document function that creates them and the edit function for them use RCS check-in to preserve copies of the document contents. I'm using the following python expression in the manage_addFolder and manage_addDocument functions to determine the location in the file system for the RCS backup of the data. rcspath = os.path.normpath(getattr(self, 'website_RCS_root') + \ '/' + self.absolute_url(1) + \ '/' + ob.id) As you can see it depends an acquiring the value of the 'website_RCS_root' attribute from its containment environment. This works fine for both folder-like and document-like classes if the add functions are called from the management interface. However, I want to create an instance of my document class within the containment of an instance of my folder class while creating that instance of my folder class. Just like creating a public interface (index_html) as part of creating a regular folder, which is what my code is based on. I'm doing this by calling my manage_addDocument function from within the my manage_addFolder function. But this fails with Zope reporting an AttributeError of the acquired attribute 'website_RCS_root'. My best guess as to why goes something like: "until the transaction in which the folder is created is committed, the acquisition of attributes higher in the containment hierarchy will fail. As you are trying to create the document in the same transaction this is bound to fail", but I've no proof this is the problem. What's going wrong and what's a good solution to the problem. I'm working with Zope 2.1.6 running under Suse 6.4 Linux on an x86 processor. -- Richard Barrett, PostPoint 27, e-mail:[EMAIL PROTECTED] Fujitsu Telecommunications Europe Ltd, tel: (44) 121 717 6337 Solihull Parkway, Birmingham Business Park, B37 7YU, England "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well armed lamb contesting the vote." Benjamin Franklin, 1759 -- ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )