w.zope.com
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
> Of Oliver Bleutgen
> Sent: Tuesday, June 10, 2003 7:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: small summary and big plea was:(Re: [Zope-dev] Versions:
> should they die?)
>
Toby Dickenson wrote:
> No criticism was implied; public exploits are a valuable part of
> the security process.
It's nice to hear not everyone in the industry has lost their mind.
/me glances at redmond
--
Jamie Heilman http://audible.transient.net/~jamie/
"We must be born wit
On Tuesday 10 June 2003 09:32, Jamie Heilman wrote:
> Toby Dickenson wrote:
> > ! # Disable nasty insecure version support. Thanks to
> > ! # Jamie Heilman and everyone one zope-dev
>
> Unless you're damning me with faint praise for posting an exploit,
> (which is fine)
No criticis
Toby Dickenson wrote:
> ! # Disable nasty insecure version support. Thanks to
> ! # Jamie Heilman and everyone one zope-dev
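Review bot: the changed comment on these two lines says version support is disabled but does not say how it is disabled or how an administrator who relies on versions would turn it back on; a short pointer to the controlling setting would help. "everyone one zope-dev" should read "everyone on zope-dev", and the credit line should be checked against who actually reported the issue.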
Unless you're damning me with faint praise for posting an exploit,
(which is fine) this issue was found by Oliver, not me.
--
Jamie Heilman
On Friday 06 June 2003 21:28, Jamie Heilman wrote:
> Quick way to add 100 zodb connections and ~90M to the memory footprint
> with relatively little clue of who is responsible assuming traditional
> logging; presumably one would get much trickier if they really wanted
> to obfuscate the source of
Oliver Bleutgen wrote:
> 2. Zope doesn't care if a corresponding Version instance to the value
> of REQUEST['Zope-Version'] exists, more exactly, zope doesn't care for
> the value of that Zope-Version variable at all.
Hmm, it doesn't care, but it does store it in memory. Pardon my fugly
non-
On Friday 06 June 2003 15:04, Shane Hathaway wrote:
> I think 2.6 ought to fix this by disabling recognition of the
> Zope-Version cookie
Setting this individually for each http port would better support existing
happy users of this feature. (I'm sure there must be some ;-)
Being able to set up
One man's opinion:
- Version support (at the application level) should be optional in 2.7. You
should be able to turn it off (maybe through ZConfig). The default should
probably be off, since I think more people avoid them than use them.
I would suggest these approaches:
1: File a bug in the c