* Andy McKay <[EMAIL PROTECTED]> [010924 01:11]:
> Haven't we been complaining about this automatic appending of tracebacks for
> a while? To me this is what log files are for, but I'm not sure what this
> guy is on. I wouldn't count this as a "security vulnerability".
It's not an exploitable vu
On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
> > Vulnerability: an attacker can get the file and directory list
> > Tested on Win32 platform
> >
> > Example:
> > telnet zopeserver 8080
> > PROPFIND / HTTP/1.0
> >
> >
> >
> >
> > < list files and directory >
> >
> > This teste
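As an added example (not code from the report, the thread, or Zope itself), here is what the telnet probe above sends and what an unauthenticated caller learns from the 207 Multi-Status reply. The host name and the object names in the constructed reply are invented; the response format follows RFC 2518.

```python
"""Added example: build the PROPFIND request from the report and parse a
constructed WebDAV multistatus reply into the file/directory list it leaks."""
import xml.etree.ElementTree as ET

DAV = "{DAV:}"


def build_propfind(host: str, path: str = "/", depth: str = "1") -> bytes:
    """Raw request equivalent to typing 'PROPFIND / HTTP/1.0' into telnet.

    HTTP/1.0 does not require Host, but adding it is harmless.  The Depth
    header bounds the walk; the telnet probe on the page omits it, which
    leaves the server's default in charge.
    """
    return (
        f"PROPFIND {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Depth: {depth}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")


# Constructed 207 Multi-Status body (invented object names, hypothetical site).
SAMPLE_MULTISTATUS = b"""<?xml version="1.0" encoding="utf-8"?>
<d:multistatus xmlns:d="DAV:">
  <d:response>
    <d:href>/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype>
    </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/index_html</d:href>
    <d:propstat><d:prop><d:resourcetype/><d:getcontentlength>812</d:getcontentlength>
    </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
  <d:response>
    <d:href>/acl_users/</d:href>
    <d:propstat><d:prop><d:resourcetype><d:collection/></d:resourcetype>
    </d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat>
  </d:response>
</d:multistatus>"""


def parse_multistatus(body: bytes) -> list[tuple[str, bool]]:
    """Return (href, is_collection) for every response element."""
    root = ET.fromstring(body)
    listing = []
    for resp in root.iter(DAV + "response"):
        href = resp.findtext(DAV + "href")
        rtype = resp.find(f".//{DAV}resourcetype")
        is_dir = rtype is not None and rtype.find(DAV + "collection") is not None
        listing.append((href, is_dir))
    return listing


def disclosed_names(body: bytes) -> list[str]:
    """Names learned from one PROPFIND beyond the root that was asked for:
    this is the 'file list and directory' the report refers to."""
    return [href for href, _ in parse_multistatus(body) if href != "/"]


if __name__ == "__main__":
    print(build_propfind("zopeserver").decode())
    for href, is_dir in parse_multistatus(SAMPLE_MULTISTATUS):
        print("dir " if is_dir else "file", href)
```

The listing itself is only as sensitive as what it names; the thread's point stands that the real exposure is an object like a user folder becoming visible to anyone who can speak WebDAV to the port.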
> On Sunday 23 September 2001 08:24 pm, Joachim Werner allegedly wrote:
>> > Vulnerability: an attacker can get the file and directory list
>> > Tested on Win32 platform
>> >
>> > Example:
>> > telnet zopeserver 8080
>> > PROPFIND / HTTP/1.0
>> >
>> >
>> >
>> >
>> > < list files and directory >
>> >
Oliver Bleutgen wrote:
> From a non-technical, PR-wise point of view let me add that
> this type of "vulnerability" easily gets zope mentioned on lists
> like bugtraq. The perception is that these thing really are
> vulnerabilities.
You're right, a quick search on google for "path disclosure
Here's the answer, added to the FAQ (but I haven't updated the page yet):
7) Can I provide my contributions under a different license, as
stated in the License section of the Zope Contributor Agreement?
In summary, yes but no. You don't pick the license that you use
when you gi
Shane Hathaway wrote:
> [...]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
I think it's fine, but only if specified on the z2.py cmdline or
On Mon, Sep 24, 2001 at 10:59:11AM -0400, Shane Hathaway wrote:
> Oliver Bleutgen wrote:
>
> >From a non-technical, PR-wise point of view let me add that
> >this type of "vulnerability" easily gets zope mentioned on lists
> >like bugtraq. The perception is that these thing really are
> >vulnerab
Shane Hathaway wrote:
>
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
Well, how about just changing the brain-dead way standard_error_message work
seb bacon wrote:
>
> * Andy McKay <[EMAIL PROTECTED]> [010924 01:11]:
> > Haven't we been complaining about this automatic appending of tracebacks for
> > a while? To me this is what log files are for, but I'm not sure what this
> > guy is on. I wouldn't count this as a "security vulnerability".
> From: Chris Withers <[EMAIL PROTECTED]>
>
> The traceback should _not_ be _appended_ to the error message. If an app
> developer chooses to show it, then fine they can as they do already (mine
> sends
> me an error email ;-), but why should it be appended in all circumstances
Be careful of th
marc lindahl wrote:
>
> Be careful of that -- I recently got *flooded* with error emails from a
> recent bout of the Code Red worm looking for files that weren't on my server
> :(
Yup, had that too... I patched BaseRequest.py to not bitch ;-)
Mind you, I surpassed myself with a similar thing with
Hi shane,
> Oliver Bleutgen wrote:
>> From a non-technical, PR-wise point of view let me add that
>> this type of "vulnerability" easily gets zope mentioned on lists
>> like bugtraq. The perception is that these thing really are
>> vulnerabilities.
> You're right, a quick search on google for
On Monday 24 September 2001 10:59 am, Shane Hathaway allegedly wrote:
[snip]
> PDV just yields information you might give out anyway. But maybe we
> could deal with it anyway by writing an "error.log" instead of sending
> the traceback to the browser. What do you think?
>
> Shane
>
My suggestio
On a high-traffic site, wouldn't the log get really big, really quickly with
tracebacks? It is also nice to have the tracebacks in the browser window
for debugging...
Why not just enable tracebacks to clients from trusted IP address ranges or
domains... Set this up as an option in Z2.py?
Anyw
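The policy sketched across the thread (Shane's error.log, Chris's error mail, Marc's Code Red flood, and the trusted-address idea just above) fits in a few lines. This is an added example, not Zope's or ZPublisher's code: the NotFound class, the logger name, the address ranges and the `publish` glue are all assumptions.

```python
"""Added example: log every traceback, show it only to trusted addresses,
and never page the admin for 404s generated by scanners."""
import ipaddress
import logging
import traceback

logger = logging.getLogger("zope.error")   # assumed logger name


class NotFound(Exception):
    """Stand-in for the publisher's 404 exception (hypothetical)."""


# Assumption: ranges whose browsers may see tracebacks (localhost, an office net).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]


def client_is_trusted(remote_addr: str) -> bool:
    """True when REMOTE_ADDR is inside TRUSTED_NETS; unparsable input is untrusted."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def render_error(exc: BaseException, remote_addr: str, path: str) -> tuple[int, str, bool]:
    """Map an exception to (status, body, alert).

    The traceback is always written to the error log.  The body carries it
    only for trusted clients; everyone else gets a generic message.  `alert`
    says whether to mail the admin: 404s never do, because a worm asking for
    paths that do not exist (Code Red wanted default.ida) would otherwise
    flood the mailbox exactly as described in the thread.
    """
    if isinstance(exc, NotFound):
        logger.info("404 %s from %s", path, remote_addr)
        return 404, "Resource not found.", False
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("error serving %s for %s\n%s", path, remote_addr, tb)
    if client_is_trusted(remote_addr):
        return 500, "Site error\n\n" + tb, True
    return 500, "Site error. The details have been logged.", True


def publish(view, remote_addr: str, path: str) -> tuple[int, str, bool]:
    """Run a view callable under the policy above (hypothetical publisher glue)."""
    try:
        return 200, view(), False
    except Exception as exc:            # the publisher's catch-all
        return render_error(exc, remote_addr, path)


if __name__ == "__main__":
    logging.basicConfig(filename="error.log", level=logging.INFO)

    def broken_view():
        return {}["missing_key"]

    def probe():
        raise NotFound("/default.ida")

    print(publish(broken_view, "203.0.113.9", "/index_html"))   # generic body
    print(publish(broken_view, "127.0.0.1", "/index_html"))     # traceback body
    print(publish(probe, "203.0.113.9", "/default.ida"))        # 404, no alert
```

Deciding by REMOTE_ADDR only works if the address the server sees is the client's; behind a proxy that rewrites it, the trusted range would have to be enforced at the proxy instead, which is the integration approach raised later in the thread.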
Hello,
Recently, I had to replace ZPublisher's default
authentication scheme, as part of a product I'm working on. I am aware
of the existence of LoginManager, exUserFolder, etc., but in this case
I needed to have a custom login screen at root level, i.e. completely
get rid of the basic
[EMAIL PROTECTED] wrote:
> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks? It is also nice to have the tracebacks in the browser window
> for debugging...
But the log won't grow more than Z2.log. Yes, it is nice to have the
tracebacks in the browse
Why not use logrotate, similarly to how you handle the Apache
logs? Or set a cron job to clear the logs, if you don't like logrotate...
[EMAIL PROTECTED] writes:
> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks? It is also nice to have t
Ivan Raikov wrote:
>Recently, I had to replace ZPublisher's default
> authentication scheme, as part of a product I'm working on. I am aware
> of the existence of LoginManager, exUserFolder, etc., but in this case
> I needed to have a custom login screen at root level, i.e. completely
> g
Personally, I think this really should be an integration issue instead of a
Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to
prevent this...
Sean
-Original Message-
From: Oliver Bleutgen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 9:10 AM
To: [EMAIL
[EMAIL PROTECTED] wrote:
> Personally, I think this really should be an integration issue instead of a
> Zope issue: use a front-end proxy server (i.e. Squid) and set up ACLs to
> prevent this...
This hasn't been fixed because it's not well understood. Javascript can
POST an invisible form, A
I'm getting a strange problem with ZCatalog, using python 2.1, Zope from
CVS.
I get all the results I expect with this:
&dtml-subject_name; -- &dtml-relationship_name; -> &dtml-rater_name;
But, I only get one subject_name's worth of results with this:
&dtml-subject_name; -- &dtml-r
Steve Alexander wrote:
> I'm getting a strange problem with ZCatalog, using python 2.1, Zope from
> CVS.
>
> I get all the results I expect with this:
>
>
>
>
> &dtml-subject_name; -- &dtml-relationship_name; -> &dtml-rater_name;
>
>
>
>
> But, I only get one subject_name's worth of re
Steve Alexander wrote:
>
> This gives partial results:
>
> sort_on='subject_name')">
...because this returns a LazyCat instance, for which len() is broken.
> This gives full results:
>
> sort_on='subject_name')[:]">
...because this is a list.
> This gives full results:
>
> sort_on=
Steve Alexander wrote:
>
>
> Patch coming up soon...
Patch against Catalog.py, from CVS:
*** lib/python/Products/ZCatalog/Catalog.py.original
--- lib/python/Products/ZCatalog/Catalog.py.patched
***
*** 673,679
if (type(so) is type('') and
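Review bot: the hunk is cut off after its first context line, `if (type(so) is type('') and`, so the change to Catalog.py at 673-679 cannot be reviewed from what is shown here; given the earlier finding in this thread that the sorted result is a LazyCat whose len() is broken while slicing with `[:]` yields a full list, the question for the author is whether the patch materializes the sorted sequence into a list in this branch only, which would leave other LazyCat callers affected, or fixes len() on LazyCat itself.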
Is there some function that is called when a User Folder is
removed?
If so, what is it?
If not, is there a recommended way to delete users, any information
stored about the User Folder's configuration, etc.?
Thanks.
Jim Penny
___
Zope-Dev maillist
manage_beforeDelete will be called on the object before it gets deleted.
If you implement this method, then whatever you put in it will be executed.
User folders use it to remove the __groups__ attribute from their
container, which they set in their constructor.
jens
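A mock of the hook contract Jens describes, added here as an example and not Zope's implementation: the container calls manage_beforeDelete(item, container) while the object still exists, and the user folder uses that call to undo the __groups__ attribute its constructor placed on the container. The class and method names other than manage_beforeDelete and __groups__ are invented.

```python
"""Added example: a minimal container honouring manage_beforeDelete, and a
user folder that cleans up after itself when removed."""


class Container:
    """Minimal folder: holds children by id and runs the before-delete hook."""

    def __init__(self):
        self._objects = {}

    def _setObject(self, oid, obj):
        obj.id = oid
        self._objects[oid] = obj
        return oid

    def _delObject(self, oid):
        obj = self._objects[oid]
        hook = getattr(obj, "manage_beforeDelete", None)
        if hook is not None:
            hook(obj, self)          # runs before the object is gone
        del self._objects[oid]


class Item:
    """A child with no hook; deleting it just drops it from the container."""


class UserFolder:
    def manage_beforeDelete(self, item, container):
        # Undo the constructor's side effect, so the container is not left
        # pointing at a user folder that no longer exists.
        if getattr(container, "__groups__", None) is item:
            del container.__groups__


def add_user_folder(container, oid="acl_users"):
    """Stands in for the constructor: adds the folder and records it on the
    container as __groups__ (the attribute named in the thread)."""
    uf = UserFolder()
    container._setObject(oid, uf)
    container.__groups__ = uf
    return uf


if __name__ == "__main__":
    root = Container()
    add_user_folder(root)
    root._setObject("index_html", Item())
    print(hasattr(root, "__groups__"))   # True
    root._delObject("acl_users")
    print(hasattr(root, "__groups__"))   # False
```

The guard `is item` matters: if a second user folder had since replaced the first as `__groups__`, deleting the stale one must not tear down the live configuration.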
On Monday, September 24,
> -Original Message-
> From: Kenichi Sato
> Sent: Monday, 24 September 2001 5:49 PM
> To: djay
> Subject: Barriers to Zope popularity: Part 2: source control
>
>
> Dear Mr. Jay, Dylan,
>
> I am Ken Sato, a manager of software development projects. I'm now
> taking a look at Zope as a to
consensus?
We've got a wonderful zope control panel (which installs into the standard
windows Control Panel) and zope service which we'll be making available in
binary and source form this week. Like the Mac OS X controller, this is
simply a trivial re-branding extension of our work in supporting the
usa
> We'd like to propose that the service distributed with Zope move over to
> using our code.
Great, I'm really looking forward to an improved Windows installation. But
let's get it out there and play with it before anything major happens, like
shipping Zope with it :)
> As a separate issue - we're curi
On Tuesday 25 September 2001 14:23, Andy wrote:
> > We'd like to propose that the service distributed with Zope move over to
> > using our code.
>
> Great, I'm really looking forward to an improved Windows installation. But
> let's get it out there and play with it before anything major happens, like
> s
Can anyone tell me how to create a subdirectory programmatically under a
LocalFS folder? I have a LocalFS folder called images. When I add a new
promoter to my site, I'd like to automatically add a directory that
would hold that promoter's images. If the promoter's ID number is 187, I
want to crea
> These are all things we've addressed, but it'd be good to note them
> somewhere. We've tried to make the process of using Zope (and hence our
> product) as painless to the average Windows user (and Mac user) as
possible.
Oooh, I'm a happy camper.
--
Andy
I have to disagree about the Zope (%s), I have been known to run 2 or 3 Zope
services, for different instances, and I always know that I can find them
all huddled together at the bottom of the Service Manager - Very useful.
Adrian...
--
Adrian Hungate
Try Zope -
http://www.zope.org
-
On Tuesday 25 September 2001 16:26, Adrian Hungate wrote:
> I have to disagree about the Zope (%s), I have been known to run 2 or 3
> Zope services, for different instances, and I always know that I can find
> them all huddled together at the bottom of the Service Manager - Very
> useful.
So does
I edit the registry... One of my many favourite pass-times, right up there
with running out in traffic.
Seriously though, once an instance is configured, why would you want to
change it? (Assuming you get it right that is)
Adrian...
--
Adrian Hungate
Try Zope -
http://www.zope.org
-
On Tuesday 25 September 2001 16:41, Adrian Hungate wrote:
> I edit the registry... One of my many favourite pass-times, right up there
> with running out in traffic.
>
> Seriously though, once an instance is configured, why would you want to
> change it? (Assuming you get it right that is)
Mostly