My answer to this is:
1. Protecting yourself from your users:
Zope fine-grained access control means that you can set up access
restrictions that do exactly what you want and let users do what they
need, and prevents them from doing what they should not.
Obviously you can also make everybody do ev
So I think we can reliably say that stock Zope is secure. An insecure
product, on the other hand, opens up many possibilities, but that ought
to be the subject of a different discussion.
...and if we do have that discussion, can it please be on
[EMAIL PROTECTED], and not cross-posted to both [
Lennart Regebro wrote:
> 5. Protecting yourself against denial of service:
> Zope does not seem to crash if you send random data to it, and I
> have in logs seen attempts to overflow buffers and the like that
> obviously are attempts to crash or break into other (MS) servers,
> without this affectin
On Thursday 13 March 2003 5:21 am, Shane Hathaway wrote:
> The only vulnerability would involve
> trusted users who want to vandalize Zope. So even though there have
> been many hotfixes, they are irrelevant--Zope is still secure. (Unless
> you can't trust your trusted users, which is a differen
Jamie Heilman wrote:
> > In this sense Zope is again VERY secure.
> No it isn't.
A statement like that without an argument is worthless in a discussion.
You need to elaborate as we cannot read your mind and see what lies
behind the statement.
regards Max M
On Thursday 13 March 2003 9:25 am, Lennart Regebro wrote:
> 5. Protecting yourself against denial of service:
> Zope does not seem to crash if you send random data to it, and I have in
> logs seen attempts to overflow buffers and the like that obviously are
> attempts to crash or break into other (
Max M wrote:
> A statement like that without an argument is worthless in a discussion.
> You need to elaborate as we cannot read your mind and see what lies
> behind the statement.
My statement wasn't really aimed at you, sorry, I'm not playing fair.
My statement was aimed at people who don't ha
Fred L. Drake, Jr. wrote:
I'm not sure what you mean; it sounds like you're looking for either
DBTab-style mounts or something different.
I certainly am. Since moving to DBTab, life suddenly seems so much easier!
cheers,
Chris
Since upgrading to Zope-2.6 we've been getting KeyErrors when using
Sessions. They seem to happen more now that we've started using
hasSessionData(), but I'm pretty sure they happened prior to that.
Anyway, here are the 2 related tracebacks. Has anyone else seen these?
Traceback #1 occurs most f
>>> Jamie Heilman wrote
> Without properly configured resource limits, it is trivial to use an
> exposed Zope instance to exhaust host resources.
If this is a real risk for you, you should be using per-process limits
to make sure that the host can't be completely destroyed. Sure, zope
will fal
On Thu, 13 Mar 2003, Toby Dickenson wrote:
> On Thursday 13 March 2003 5:21 am, Shane Hathaway wrote:
>
> > The only vulnerability would involve
> > trusted users who want to vandalize Zope. So even though there have
> > been many hotfixes, they are irrelevant--Zope is still secure. (Unless
> >
Hi,
I hope this is the proper list for my question, or at least for my
suggestion.
I have a Python product which contains Python scripts (*.py) and DTML
methods (*.dtml) which can get used by the user to create certain standard
versions of e.g. generated menus etc.; the ZODB objects can then be
Christian Tismer wrote:
Dear Zope community,
please excuse my ignorance, but I am asked
from time to time how secure or insecure
Zope actually is, and I always have to say
that I actually don't know.
There are people claiming that Zope opens a system
to quite some level, others claim the opposit
[EMAIL PROTECTED] wrote:
When I run the Zope install script on a freshly installed Zope, and my
Product is already there, it complains that the *.py scripts (aimed for
import) would be invalid, because there are return-, but no def statements.
Thus, installation fails; I must first remove my produc
Hi Jamie,
I'm wondering if you might consider applying for checkin privileges.
The host header issue that you've uploaded several patches for is a
bona fide problem for some users, but I think that most people with
checkin privs feel that it isn't sufficiently dangerous to the majority
of users to
John,
Which Zope 2.6? Zope 2.6.1? Here's what line 807 of the current
Transience.py looks like:
v = self._data[b].get(k, notfound)
Does yours look like that?
What is the value of the __version__ variable at the top of the
Transience.py file?
On Thu, 2003-03-13 at 07:11, John
Lennart Regebro wrote:
> [EMAIL PROTECTED] wrote:
> > When I run the Zope install script on a freshly installed Zope, and my
> > Product is already there, it complains that the *.py scripts (aimed for
> > import) would be invalid, because there are return-, but no def
> > statements.
> > Thus, install
You cannot rely on the Zope install script to handle add-on products well,
if at all. The same issue wrt .py extensions is present in the CMF skins.
So I guess the answer is: "Don't do it that way". They are called add-on
products for a reason ;-)
Stefan
--On Thursday, 13 March 2003 14:00 +0
On Thursday 13 March 2003 2:33 pm, Chris McDonough wrote:
> Hi Jamie,
>
> I'm wondering if you might consider applying for checkin privileges.
That's a good idea
> The host header issue
Good catch on that bug btw,
> that you've uploaded several patches for is a
> bona fide problem for some users
On Thu, 2003-03-13 at 10:26, Toby Dickenson wrote:
> I suspect most people with checkin privileges don't know about this problem,
> because it won't have been sent to the public mailman list.
True. I really don't know which set of committers gets the
"security-related" emails from that collector.
> I suspect most people with checkin privileges don't know about this problem,
> because it won't have been sent to the public mailman list.
Perhaps an email can be sent out saying
Issue number 1234.
Temporarily restricted pending security review.
http://url.to.get.it.if.you.are.logged.in
Then,
This is a good idea. I'll add an issue to the collector collector.
- C
On Thu, 2003-03-13 at 11:10, Steve Alexander wrote:
>
> > I suspect most people with checkin privileges don't know about this problem,
> > because it won't have been sent to the public mailman list.
>
> Perhaps an email ca
In article <[EMAIL PROTECTED]> you write:
> - Cross-scripting issues:
>
> I guess that some of those are still in the Zope Management Interface
> (which is not meant to be used by untrusted users in most cases), but
> Zope offers a lot of tools to make sure that it is hard to post
> malicious c
On Thu, Mar 13, 2003 at 06:11:32PM +0100, Florent Guillaume wrote:
> In article <[EMAIL PROTECTED]> you write:
> > - Cross-scripting issues:
> >
> > I guess that some of those are still in the Zope Management Interface
> > (which is not meant to be used by untrusted users in most cases), but
> >
Tim Peters wrote:
[Christian Tismer]
> ...
> I don't mean to offend anybody by this, it is just
> a very simple question which I cannot answer alone.
There may be a simple question hiding in this, but it's hard to find.
You try: how secure is sendmail? how secure is ssh? how secure is Python?
Ans
On Wed, Mar 12, 2003 at 09:39:02PM -0500, Tres Seaver wrote:
> Now let me describe another configuration, running in production now for
> years (one process in the cluster had an uptime of 400 days at a recent
> hardware-induced reboot):
>
> - Two Zope application servers run behind a load balanc
Sorry, it's Zope 2.6.1.
Chris McDonough wrote:
> John,
>
> Which Zope 2.6? Zope 2.6.1? Here's what line 807 of the current
> Transience.py looks like:
>
> v = self._data[b].get(k, notfound)
>
> Does yours look like that?
Yes.
> What is the value of the __version__ variable
Hi John,
Can you apply the attached diff to your Transience.py file and run with
it in place for a couple of days? It will not fix the problem (the
symptoms will remain) but it should print some diagnostic information to
the Zope event log (the STUPID_LOG_FILE, hopefully you've got that
going) th
On March 10, Fred L. Drake, Jr. wrote:
> I'm not sure what you mean; it sounds like you're looking for either
> DBTab-style mounts or something different. Please describe the
> configuration so we can be sure that there's some way to support it.
Yes, DBTab-style mounts are what I'm looking for.
On March 13, Lennart Regebro wrote:
> 2. Protecting yourself from packet snooping:
> Zope doesn't have any encryption built-in, SSL needs external software
> to implement, for example.
>
> In this sense Zope can be MADE secure with some work, but is not secure
> at all out of the box.
Speaking o
On Fri, Mar 14, 2003 at 09:19:55AM +1100, Adrian van den Dries wrote:
> On March 13, Lennart Regebro wrote:
> > 2. Protecting yourself from packet snooping:
> > Zope doesn't have any encryption built-in, SSL needs external software
> > to implement, for example.
> >
> > In this sense Zope can be M
I am working on a CMS on top of ZODB for large amounts of
large SGML/XML documents.
To speed things up, a colleague started two import processes
and we get incredible amounts of "database read conflict error"s
from cataloguing (although we already use "QueueCatalog" for
most indexes).
I think, th
Joachim Werner wrote at 2003-3-12 00:45 +0100:
> I've used Pydoc with Dieter Maurer's patches to browse the Zope
> sourcecode before.
>
> These patches are quite old and probably incompatible with current Zope
> versions.
I expect that only minor changes are necessary to make them
work with
Patch applied and the first results are in... so far it's a lot of these:
2003-03-13T15:18:07 PROBLEM(100) Transience KeyError raised in get,
checking _data BTree
--
2003-03-13T15:18:07 PROBLEM(100) Transience BTree check succeeded
Chris McDonough wrote:
> Hi John,
>
> Can you apply the a
Chris McDonough wrote at 2003-3-11 15:32 -0500:
> On Tue, 2003-03-11 at 15:22, Guido van Rossum wrote:
> >
> > That's why we're including the correct versions of ZODB and ZEO in
> > Zope itself. That's already the case in Zope 2.6.
>
> Zope 2.6 doesn't yet include ZEO, at least I don't thi
Hi Chris,
Chris McDonough wrote at 2003-3-11 18:39 -0500:
> On Tue, 2003-03-11 at 17:11, Dieter Maurer wrote:
> > All this is achieved by incorporating the result of "hostname"
> > into the respective environment variables.
> >
> > I do not know how to do something like this in a con
[Christian Tismer]
> ...
> p.s.: sendmail? ssh? Python?
> Security exploits are discussed in the bugtraq list.
> I can find them all in the list archive.
> What about Zope? It is not in bugtraq.
The obvious conclusion is that no security hole has ever been discovered in
Zope. Whether that's a *co
Chris McDonough wrote:
> I'm wondering if you might consider applying for checkin privileges.
I've considered it. I don't think you need any more cooks, maybe just
a few more recipes.
> The host header issue that you've uploaded several patches for is a
> bona fide problem for some users, but I t
On Thu, 2003-03-13 at 22:09, Jamie Heilman wrote:
> Chris McDonough wrote:
> > I'm wondering if you might consider applying for checkin privileges.
>
> I've considered it. I don't think you need any more cooks, maybe just
> a few more recipes.
We have many recipes already.
> > The host header i
OK, thanks John.
I hate to ask this (I should have done this to start with), but would
you be willing to use the following patch --against the original file,
not your recently patched version-- and try again? I only checked one
of the two BTrees that might be at the heart of the problem with the
On Thu, 2003-03-13 at 16:14, Dieter Maurer wrote:
> > ZConfig does allow you to declare and use simple bash-style variables
> > within a single file,
>
> When the configuration is composed out of components (e.g. for
> packages), then some global declarations might be very
> useful. I.e. a featu