Re: [Zope] Re: [Zope-Annce] SECURITY alert and hotfix release

2000-12-08 Thread Shane Hathaway

Andrew Kuchling wrote:
>
> On Fri, Dec 08, 2000 at 03:48:52PM -0500, Brian Lloyd wrote:
> > The hotfix will work for all versions of Zope 2.2.0 and higher. A
> > future version of Zope will contain the fix for this
> > issue, and you will be able to uninstall the hot fix after upgrading.
>
> A slight modification to the patch makes it work (meaning, "run
> without raising an exception") on Zope 2.1.6; patch below.  Can
> someone at DC confirm that this patched version fixes the problem for
> 2.1.x and doesn't break anything else?  (If you want to privately send
> me an exploit, that would be quite helpful.)

AFAICT 2.1.6 is not vulnerable.

Shane

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Re: [Zope-Annce] SECURITY alert and hotfix release

2000-12-08 Thread Andrew Kuchling

On Fri, Dec 08, 2000 at 03:48:52PM -0500, Brian Lloyd wrote:
> The hotfix will work for all versions of Zope 2.2.0 and higher. A
> future version of Zope will contain the fix for this
> issue, and you will be able to uninstall the hot fix after upgrading.

A slight modification to the patch makes it work (meaning, "run
without raising an exception") on Zope 2.1.6; patch below.  Can
someone at DC confirm that this patched version fixes the problem for
2.1.x and doesn't break anything else?  (If you want to privately send
me an exploit, that would be quite helpful.)

--amk

--- __init__.py Fri Dec  8 15:25:48 2000
+++ /home/akuchlin/__init__.py  Fri Dec  8 17:09:05 2000
@@ -107,13 +107,14 @@
 # and make sure the roles are set correctly.
 
 import OFS
+from OFS import DTMLMethod, DTMLDocument
 from AccessControl.PermissionRole import PermissionRole
 OM = OFS.ObjectManager.ObjectManager
 
 legacy = (
-('manage_addDocument', OFS.DTMLMethod.addDTMLMethod),
-('manage_addDTMLMethod', OFS.DTMLMethod.addDTMLMethod),
-('manage_addDTMLDocument', OFS.DTMLDocument.addDTMLDocument),
+('manage_addDocument', DTMLMethod.addDTMLMethod),
+('manage_addDTMLMethod', DTMLMethod.addDTMLMethod),
+('manage_addDTMLDocument', DTMLDocument.addDTMLDocument),
 )
 
 permission = 'Add Documents, Images, and Files'
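
Review bot: The unchanged context line `OM = OFS.ObjectManager.ObjectManager` still depends on the submodule being reachable as an attribute of the `OFS` package after a bare `import OFS`, which is the same access pattern the three `legacy` entries are being moved away from. If that pattern is what raises on 2.1.6, import `ObjectManager` explicitly too (`from OFS import ObjectManager, DTMLMethod, DTMLDocument`) so the hotfix does not rely on some other module having imported it first. A short comment beside the new import saying it is there for 2.1.x would also help, because the hunk only changes how the names are resolved and leaves the functions listed in `legacy` and the `permission` string as they were. Whether the role assignment that follows has the intended effect on 2.1.x still needs to be confirmed separately.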
