Re: [Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-10 Thread Chris McDonough

> Chris McDonough writes:
>  > ... HelpSystem problems ...
>  > It then proceeds to do writes to the database when it 
>  > appears that all you're doing is reading a pre-existing page.
> What does it write to the database?
> I do not see a reason for this behaviour...

I don't know.  IMHO, there is no reason that the contents of
the help system need to live in the ZODB at all.  Can you
think of any good reason other than searching? :-(

- C

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-10 Thread Dieter Maurer

Chris McDonough writes:
 > ... HelpSystem problems ...
 > It then proceeds to do writes to the database when it 
 > appears that all you're doing is reading a pre-existing page.
What does it write to the database?
I do not see a reason for this behaviour...


Dieter




Re: [Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-09 Thread Chris McDonough

Note that I volunteered to rewrite the help system in the Zope 2.6 plan.

Chris McDonough wrote:
>> There is no way to fix this? What other problems are there with the
>> help system?
> 
> 
> Not that I can think of.  Other problems with the help system are 
> presentation, mostly.
> 
>> Would it somehow be possible to make the helpsystem ignore versions?
> 
> 
> No, unfortunately.  It uses the Catalog, which is based on ZODB, and it 
> puts a Catalog instance into the main FileStorage, which is undoing and 
> versioning.  It then proceeds to do writes to the database when it 
> appears that all you're doing is reading a pre-existing page.  If you're 
> in a version at the time, a set of objects will be written into the 
> Catalog and into other places in instance space that  have version. This 
> is a bad pattern, and the only way to fix it is to prevent it from 
> happening, which requires some helpsystem architectural changes that 
> amount (IMHO) to a rewrite.
> 
> - C
> 


-- 
Chris McDonough        Zope Corporation
http://www.zope.org http://www.zope.com
"Killing hundreds of birds with thousands of stones"





Re: [Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-09 Thread Chris McDonough

> There is no way to fix this? What other problems are there with the
> help system?

Not that I can think of.  Other problems with the help system are 
presentation, mostly.

> Would it somehow be possible to make the helpsystem ignore versions?

No, unfortunately.  It uses the Catalog, which is based on ZODB, and it 
puts a Catalog instance into the main FileStorage, which is undoing and 
versioning.  It then proceeds to do writes to the database when it 
appears that all you're doing is reading a pre-existing page.  If you're 
in a version at the time, a set of objects will be written into the 
Catalog and into other places in instance space that  have version. 
This is a bad pattern, and the only way to fix it is to prevent it from 
happening, which requires some helpsystem architectural changes that 
amount (IMHO) to a rewrite.

- C

-- 
Chris McDonough        Zope Corporation
http://www.zope.org http://www.zope.com
"Killing hundreds of birds with thousands of stones"





Re: [Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-08 Thread Ivo van der Wijk

On Fri, Mar 08, 2002 at 09:24:05AM -0500, Chris McDonough wrote:
> Bummer. :-(  It really seems like the help system should just be 
> rewritten.  The fact that it applies the dreaded "write on read" 
> pattern, uses persistent objects and the catalog to provide help has 
> been a thorn in our side for a while.  I think we should just come up 
> with a much simpler help system that doesn't provide any sort of search 
> capability that reads the help files from disk rather than spend much 
> time fixing this problem.
> 

There is no way to fix this? What other problems are there with the
help system?

Would it somehow be possible to make the helpsystem ignore versions?

Ivo

-- 
Drs. I.R. van der Wijk  -=-
Brouwersgracht 132  Amaze Internet Services V.O.F.
1013 HA Amsterdam, NL   -=-
Tel: +31-20-4688336   Linux/Web/Zope/SQL/MMBase
Fax: +31-20-4688337   Network Solutions
Web: http://www.amaze.nl/Consultancy
Email:   [EMAIL PROTECTED]   -=-




Re: [Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-08 Thread Chris McDonough

Bummer. :-(  It really seems like the help system should just be 
rewritten.  The fact that it applies the dreaded "write on read" 
pattern, uses persistent objects and the catalog to provide help has 
been a thorn in our side for a while.  I think we should just come up 
with a much simpler help system that doesn't provide any sort of search 
capability that reads the help files from disk rather than spend much 
time fixing this problem.

Ivo van der Wijk wrote:
> Hi,
> 
> I'm sorry to repost my question here, but no one seems to be able to give
> me any information on the standard Zope mailing list.
> 
> I still do, however, find the problem described below annoying, and it could
> be even considered a security bug (somewhat), or at least a Help page DOS :)
> 
> 


-- 
Chris McDonough        Zope Corporation
http://www.zope.org http://www.zope.com
"Killing hundreds of birds with thousands of stones"





[Zope-dev] Unauthorized users can writelock helpfiles in /Control_Panel/Products

2002-03-08 Thread Ivo van der Wijk

Hi,

I'm sorry to repost my question here, but no one seems to be able to give
me any information on the standard Zope mailing list.

I still do, however, find the problem described below annoying, and it could
be even considered a security bug (somewhat), or at least a Help page DOS :)

-- 

Hi all,

We run Freezope.org, a site where people can get their own folder with
Manager/Owner access. Of course, users should not be able to mess up
things outside their own folder. However, they can.

The problem seems to be with the helpfiles included with the installed
products. For some reason, these are sometimes/always changed (as in:
writable, modified) when accessed. 

This often gives us (harmless?) log entries such as:

2002-03-06T03:48:56 INFO(0) Z2 CONFLICT Competing writes at, /HelpSys/menu
Traceback (innermost last):
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 171, in publish
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/mapply.py, line 160, in mapply
(Object: menu)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 112, in call_object
(Object: menu)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Shared/DC/Scripts/Bindings.py, line 324, in __call__
(Object: menu)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Shared/DC/Scripts/Bindings.py, line 354, in _bindAndExec
(Object: menu)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/App/special_dtml.py, line 244, in _exec
(Object: menu)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 159, in render
(Object: a tree tag)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 269, in tpRender
(Object: HelpSys)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 523, in tpRenderTABLE
(Object: HelpSys)
(Info: (['Tm9uZQ==', []], {'childless_decoration': '', 'id': 'tpId', 'branches': 'tpValues', 'url': 'tpURL'}, (['Tm9uZQ==', []],), (['Tm9uZQ==', []],)))
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/TreeDisplay/TreeTag.py, line 323, in tpRenderTABLE
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/HelpSys/HelpSys.py, line 228, in tpValues
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/HelpSys/HelpSys.py, line 331, in tpValues
(Object: Help)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/Connection.py, line 535, in setstate
ConflictError: ("'\\x00\\x00\\x00\\x00\\x00\\x0f{\\xee'", '')

--- end of trace ---

However, if one of the freezope users creates a version, starts working
in this version, and then consults any of the help pages for the installed
products, this page will be write-locked, and inaccessible for all other
users.

When accessing the help pages, the following error appears:

Zope Error

Zope has encountered an error while publishing this resource.

Error Type: VersionLockError
Error Value: ("'\\x00\\x00\\x00\\x00\\x00\\x10&r'", '/ZopeHosting/freezope/ivotest.freezope.org/myversion')

Troubleshooting Suggestions

* The URL may be incorrect.
* The parameters passed to this resource may be incorrect.
* A resource that this resource relies on may be encountering an error.

For more detailed information about the error, please refer to the HTML source for this page.

If the error persists please contact the site maintainer. Thank you for your patience.

Traceback (innermost last):
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 223, in publish_module
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Zope/__init__.py, line 226, in zpublisher_exception_hook
(Object: Config.stx)
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZPublisher/Publish.py, line 175, in publish
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/Zope/__init__.py, line 240, in commit
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/Transaction.py, line 302, in commit
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/Connection.py, line 420, in commit
(Info: (('HelpSys.HelpTopic', 'STXTopic'), '\x00\x00\x00\x00\x00\x10&r', ''))
  File /usr/local/zope/Zope-2.4.4b1-src/lib/python/ZODB/FileStorage.py, line 658, in store
(Object: /usr/local/zope/zopesites/freezope/var/Data.fs)
VersionLockError: (see above)

--- end of trace ---

Could this be considered a bug? Why is this happening at all?

With regards,

Ivo

-- 
Drs. I.R. van der Wijk  -=-
Brouwersgracht 132  Amaze Internet Services V.O.F.
1013 HA Amsterdam, NL   -=-
Tel: +31-20-4688336   Linux/Web/Zope/SQL/MMBase
Fax: +31-20-4688337   Network Solutions
Web: http://www.amaze.nl/Consultancy
Email:   [EMAIL PROTECTED]   -=-
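
The behaviour reported in this post, with the explanation given in the replies (a help view that writes while it reads, inside a version), as a simplified model. This is an added example, not Zope or ZODB code and not written by any participant in the thread; ToyStorage, the two view functions, the "indexed" field and the version path are constructed for illustration.

```python
# Simplified model, constructed for illustration; not ZODB or Zope code.
# Unlike ZODB, version data is not kept separate from the main data here.

class VersionLockError(Exception):
    """Raised when a write targets an object locked by another version."""


class ToyStorage:
    """Object store in which a write made inside a version locks the object."""

    def __init__(self):
        self.data = {}    # oid -> state
        self.locks = {}   # oid -> version that holds the lock

    def store(self, oid, state, version=""):
        holder = self.locks.get(oid)
        if holder and holder != version:
            raise VersionLockError((oid, holder))
        if version:
            self.locks[oid] = version  # held until the version is saved or discarded
        self.data[oid] = state

    def load(self, oid):
        return self.data[oid]          # reads never consult the lock table


def view_write_on_read(storage, oid, version=""):
    """Help view that updates the topic while rendering it."""
    state = dict(storage.load(oid))
    state["indexed"] = True             # hypothetical bookkeeping done during a read
    storage.store(oid, state, version)  # the hidden write
    return state["text"]


def view_read_only(storage, oid, version=""):
    """Help view that only reads, as a disk-backed help system would."""
    return storage.load(oid)["text"]


def demo(view):
    """One user reads a help page inside a version, then another reads it outside."""
    storage = ToyStorage()
    storage.store("Config.stx", {"text": "help text"})
    view(storage, "Config.stx", version="/tenant-a/myversion")  # constructed path
    try:
        return view(storage, "Config.stx")  # second user, not in a version
    except VersionLockError as exc:
        return "VersionLockError: %r" % (exc.args[0],)
```

demo(view_write_on_read) returns the lock error for the second reader, while demo(view_read_only) returns the help text because no write, and so no lock, ever happens.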
