Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-19 Thread Martijn Pieters
On Wed, Aug 14, 2002 at 04:25:09PM -0400, Brian Lloyd wrote:
> So here's what we'll do. Zope 2.6 will include the string tainting
> changes, enabled by default. The tainting can be turned off by
> providing an environment variable.
>
> The next Zope 2.5.x release will contain the tainting code, b

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-14 Thread Brian Lloyd
> >>Like I said before, this is probably a good feature. If it was
> available as a
> >>patch then I would probably use it on a number of my sites, and would
> >>recommend it to others. I would be very happy to see it (or
> something like it)
> >>in 2.7.
> >>
> >>But not 2.6.
> >>
>
> >> Then Jim wro

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Jim Fulton
Jeffrey P Shell wrote:
> On 8/9/02 8:43 AM, "Toby Dickenson" <[EMAIL PROTECTED]>
> wrote:
> ...
>>Like I said before, this is probably a good feature. If it was available as a
>>patch then I would probably use it on a number of my sites, and would
>>recommend it to others. I would be very happy

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Martijn Pieters
On Mon, Aug 12, 2002 at 03:51:24PM +0100, Toby Dickenson wrote:
> On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
>
> > Without the fix, virtually every Zope site in the world is vulnerable
> > to URL-based cross-site scripting exploits. For instance, any URL which
> > contains invalid form v

Re: [Zope-Coders] Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-12 Thread Toby Dickenson
On Friday 09 Aug 2002 4:33 pm, Tres Seaver wrote:
> Without the fix, virtually every Zope site in the world is vulnerable
> to URL-based cross-site scripting exploits. For instance, any URL which
> contains invalid form variable marshalling can generate an error page
> which includes the errone

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson
On Friday 09 Aug 2002 3:12 pm, Martijn Pieters wrote:
> On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > > The risk for breakage is very small really
> >
> > Your choice of '<' and html_quote suggests that my dtml code which
> > generates javascript and vbscript carries a higher

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Martijn Pieters
On Fri, Aug 09, 2002 at 09:56:45AM +0100, Toby Dickenson wrote:
> > The risk for breakage is very small really
>
> Your choice of '<' and html_quote suggests that my dtml code which generates
> javascript and vbscript carries a higher risk than dtml which generates html.

Only if you generated t

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-09 Thread Toby Dickenson
On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote:
> On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > > I am about to land some big changes in the way DTML deals with data
> > > taken from the REQUEST object when accessed implicitly, in both the
> > > Zope Trunk and the Zop

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-08 Thread Martijn Pieters
On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > I am about to land some big changes in the way DTML deals with data
> > taken from the REQUEST object when accessed implicitly, in both the Zope
> > Trunk and the Zope 2.5 branch.
>
> In my opinion this change is completely unacc

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-03 Thread Florent Guillaume
The way I see it is this: ZPT has (amongst others) the very nice property that it's trivial to audit ZPT pages for non-quoted string output: just grep for 'structure'. OTOH in DTML there's no way to do that, the default is unquoted output. &dtml-stuff; is a good step, but there's way too much co

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Martijn Pieters
On Fri, Aug 02, 2002 at 08:55:13AM -0700, Andy McKay wrote:
> Likewise I'm trying to digest all that and I'm a little surprised. More magic
> in DTML? Not something I'd vote for normally.
>
> I'm a little confused why this is suddenly an issue, yeah so we pull a string
> out of the REQUEST and thanks

Re: [Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-02 Thread Andy McKay
Likewise I'm trying to digest all that and I'm a little surprised. More magic in DTML? Not something I'd vote for normally.

I'm a little confused why this is suddenly an issue, yeah so we pull a string out of the REQUEST and thanks to DTML stack we may not know where it came from. Well that's always b

[Zope-dev] DTML and REQUEST data changes about to be checked in

2002-08-01 Thread Martijn Pieters
Hi folks, I am about to land some big changes in the way DTML deals with data taken from the REQUEST object when accessed implicitly, in both the Zope Trunk and the Zope 2.5 branch. These changes could potentially break existing Zope sites. Without these changes, Zope is somewhat vulnerable to c