Re: [Zope] Storing DTML in SQL

2010-08-19 Thread robert rottermann
Am 18.08.2010 18:56, schrieb Andrew Milton:
 +---[ robert rottermann ]--
 | I think storing dtml in a db is wrong by design.
 | I do lots of dynamic websites that are generated from external data.
 | i had no need for a single line of dtml yet ...

 I've seen it used a lot in PHP systems like PHP-Nuke, where the widget
 code is executed out of strings in the db. Whether it's necessary or
 not in this instance is debatable.


there is an important difference between php based systems and zope.
a php site is made up from a bunch of code snippets embedded in html
that are fed into a php interpreter.
where these snippets come from is unknown to the php interpreter. one of
the reasons (I assume) that such systems tend to be riddled with
security problems.

zope is an application server that sits between the internet and the
(physical) server on which it runs.
it so divides its universe into an unsafe and a safe part. everything that
comes from the internet, that includes operations performed TTW (through
the web), is unsafe and must be authenticated against zope's strict
permission system.
everything that comes from the server side (e.g. from files loaded from
the server) is considered safe and is not security screened (or at least
not as tightly).

zope's application server offers you two ways to create dtml objects. TTW
and from a file. one tightly screens one less so.
now what you propose is a third way. get the dtml objects from a database.
this could for sure be done
but..
you have to write a kind of interpreter that creates a dtml object,
sets up its context, executes it and manipulates its own environment in
a meaningful way.
next to that this interpreter has to set up its own security context to
avoid punching holes into zope's defenses.

you can imagine, this is no easy chore.

and it would probably be foolish if one tried to implement it.
dtml is just not the way to go. it is a dead end (its developer decided
so). it is replaced by tal and zope 3 (now bluebream) components that
are far more powerful and flexible.
and, alas, not THAT easy to grasp

robert





___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Storing DTML in SQL

2010-08-19 Thread Richard Harley
On 19/08/10 09:37, robert rottermann wrote:
 Am 18.08.2010 18:56, schrieb Andrew Milton:

 +---[ robert rottermann ]--
 | I think storing dtml in a db is wrong by design.
 | I do lots of dynamic websites that are generated from external data.
 | i had no need for a single line of dtml yet ...

 I've seen it used a lot in PHP systems like PHP-Nuke, where the widget
 code is executed out of strings in the db. Whether it's necessary or
 not in this instance is debatable.


  
 there is an important difference between php based systems and zope.
 a php site is made up from a bunch of code snippets embedded in html
 that are fed into a php interpreter.
 where these snippets come from is unknown to the php interpreter. one of
 the reasons (I assume) that such systems tend to be riddled with
 security problems.

 zope is an application server that sits between the internet and the
 (physical) server on which it runs.
 it so divides its universe into an unsafe and a safe part. everything that
 comes from the internet, that includes operations performed TTW (through
 the web), is unsafe and must be authenticated against zope's strict
 permission system.
 everything that comes from the server side (e.g. from files loaded from
 the server) is considered safe and is not security screened (or at least
 not as tightly).

 zope's application server offers you two ways to create dtml objects. TTW
 and from a file. one tightly screens one less so.
 now what you propose is a third way. get the dtml objects from a database.
 this could for sure be done
 but..
 you have to write a kind of interpreter that creates a dtml object,
 sets up its context, executes it and manipulates its own environment in
 a meaningful way.
 next to that this interpreter has to set up its own security context to
 avoid punching holes into zope's defenses.

 you can imagine, this is no easy chore.

 and it would probably be foolish if one tried to implement it.
 dtml is just not the way to go. it is a dead end (its developer decided
 so). it is replaced by tal and zope 3 (now bluebream) components that
 are far more powerful and flexible.
 and, alas, not THAT easy to grasp

 robert


By far the majority of new deployments use zope 2 though...







Re: [Zope] Storing DTML in SQL

2010-08-19 Thread robert rottermann

 By far the majority of new deployments use zope 2 though...


of course.
zope 2 does use 5 which is a zope2/3 bridge.
plone is VERY zope3/five based ..



Re: [Zope] Storing DTML in SQL

2010-08-19 Thread Andreas Jung
robert rottermann wrote:
 By far the majority of new deployments use zope 2 though...


 of course.
 zope 2 does use 5 which is a zope2/3 bridge.
 plone is VERY zope3/five based ..


ZTK-based - Zope 3 is no more.

- -aj


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Andrew Milton
+---[ Justin Dunsworth ]--
| I am currently working on a project where I am storing HTML within a MySQL
| database to display dynamic pages and content in sequences. I would like to
| be able to store DTML within the tables as well and be able to call them
| within the page to display that content. I tried mixing the DTML in with the
| HTML and it shows the HTML correctly but no DTML.
|
| Is it possible to even do this? Are there other suggestions on how to go
| about this?

I'm not condoning this in any way d8) but...

You have to actually execute the DTML as DTML. That means your
rendering code has to actually execute it and display the output, not
just dump the source into your page.

How to do that will probably require you to use some trusted code, that
means a Product or an External Method for Zope 2 (I assume Zope 2
since you're talking about DTML). 

You might have a bit of a mountain to climb there d8)

Are you sure you need to store the DTML in the db?

-- 
Andrew Milton
a...@theinternet.com.au


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Garry Saddington
Justin Dunsworth wrote:
 I am currently working on a project where I am storing HTML within a 
 MySQL database to display dynamic pages and content in sequences. I 
 would like to be able to store DTML within the tables as well and be 
 able to call them within the page to display that content. I tried 
 mixing the DTML in with the HTML and it shows the HTML correctly but no 
 DTML.
  
 Is it possible to even do this? Are there other suggestions on how to go 
 about this?

The closest I have found is on Zopelabs 
(http://www.zopelabs.com/cookbook/1078612026)

Regards
Garry


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Garry Saddington
Garry Saddington wrote:
 Justin Dunsworth wrote:
 I am currently working on a project where I am storing HTML within a 
 MySQL database to display dynamic pages and content in sequences. I 
 would like to be able to store DTML within the tables as well and be 
 able to call them within the page to display that content. I tried 
 mixing the DTML in with the HTML and it shows the HTML correctly but no 
 DTML.
  
 Is it possible to even do this? Are there other suggestions on how to go 
 about this?
 
 The closest I have found is on Zopelabs 
 (http://www.zopelabs.com/cookbook/1078612026)

Sorry wrong recipe try this:

http://www.zopelabs.com/cookbook/993850737/1011691351
Garry



Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Andrew Milton
+---[ Garry Saddington ]--
| Garry Saddington wrote:
|  Justin Dunsworth wrote:
|  I am currently working on a project where I am storing HTML within a 
|  MySQL database to display dynamic pages and content in sequences. I 
|  would like to be able to store DTML within the tables as well and be 
|  able to call them within the page to display that content. I tried 
|  mixing the DTML in with the HTML and it shows the HTML correctly but no 
|  DTML.
|   
|  Is it possible to even do this? Are there other suggestions on how to go 
|  about this?
|  
|  The closest I have found is on Zopelabs 
|  (http://www.zopelabs.com/cookbook/1078612026)
| 
| Sorry wrong recipe try this:
| 
| http://www.zopelabs.com/cookbook/993850737/1011691351

Do I really have to explain why that particular recipe is a bad idea? d8)

-- 
Andrew Milton
a...@theinternet.com.au


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Jeff Peterson
Why must it be stored in a RDB?  Can you not store the DTML in the ZODB and 
store the path or id to the DTML in the RDB or a python script that can massage 
whatever data you need and call the DTML..

--
Jeffrey D Peterson
Webmaster
Crary Industries, Inc.
237 12th St NW
West Fargo, ND 58078
P: 701-499-5928
E: jeff.peter...@crary.com

 -Original Message-
 From: zope-boun...@zope.org [mailto:zope-boun...@zope.org] On Behalf Of
 Andrew Milton
 Sent: Wednesday, August 18, 2010 11:26 AM
 To: Garry Saddington
 Cc: zope@zope.org
 Subject: Re: [Zope] Storing DTML in SQL
 
 +---[ Garry Saddington ]--
 | Garry Saddington wrote:
 |  Justin Dunsworth wrote:
 |  I am currently working on a project where I am storing HTML within a
 |  MySQL database to display dynamic pages and content in sequences. I
 |  would like to be able to store DTML within the tables as well and be
 |  able to call them within the page to display that content. I tried
 |  mixing the DTML in with the HTML and it shows the HTML correctly but no
 |  DTML.
 |
 |  Is it possible to even do this? Are there other suggestions on how to go
 |  about this?
 | 
 |  The closest I have found is on Zopelabs
 |  (http://www.zopelabs.com/cookbook/1078612026)
 |
 | Sorry wrong recipe try this:
 |
 | http://www.zopelabs.com/cookbook/993850737/1011691351
 
 Do I really have to explain why that particular recipe is a bad idea? d8)
 
 --
 Andrew Milton
 a...@theinternet.com.au


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Garry Saddington
Andrew Milton wrote:
 +---[ Garry Saddington ]--
 | Garry Saddington wrote:
 |  Justin Dunsworth wrote:
 |  I am currently working on a project where I am storing HTML within a 
 |  MySQL database to display dynamic pages and content in sequences. I 
 |  would like to be able to store DTML within the tables as well and be 
 |  able to call them within the page to display that content. I tried 
 |  mixing the DTML in with the HTML and it shows the HTML correctly but no 
 |  DTML.
 |   
 |  Is it possible to even do this? Are there other suggestions on how to go 
 |  about this?
 |  
 |  The closest I have found is on Zopelabs 
 |  (http://www.zopelabs.com/cookbook/1078612026)
 | 
 | Sorry wrong recipe try this:
 | 
 | http://www.zopelabs.com/cookbook/993850737/1011691351
 
 Do I really have to explain why that particular recipe is a bad idea? d8)
 
Just trying to be helpful. I did say that it was the only thing I can 
find and I did not recommend it.
If you would care to share the problems of the recipe on the list then I 
am sure all those reading who are new to Zope would benefit;)
Garry


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Richard Harley
On 18/08/10 17:38, Andrew Milton wrote:
 +---[ Garry Saddington ]--
 | Andrew Milton wrote:
 |  +---[ Garry Saddington ]--
 |  | Garry Saddington wrote:
 |  |  Justin Dunsworth wrote:
 |  |  I am currently working on a project where I am storing HTML within a
 |  |  MySQL database to display dynamic pages and content in sequences. I
 |  |  would like to be able to store DTML within the tables as well and be
 |  |  able to call them within the page to display that content. I tried
 |  |  mixing the DTML in with the HTML and it shows the HTML correctly but no
 |  |  DTML.
 |  |
 |  |  Is it possible to even do this? Are there other suggestions on how to go
 |  |  about this?
 |  |
 |  |  The closest I have found is on Zopelabs
 |  |  (http://www.zopelabs.com/cookbook/1078612026)
 |  |
 |  | Sorry wrong recipe try this:
 |  |
 |  | http://www.zopelabs.com/cookbook/993850737/1011691351
 |
 |  Do I really have to explain why that particular recipe is a bad idea? d8)
 |
 | Just trying to be helpful. I did say that it was the only thing I can
 | find and I did not recommend it.
 | If you would care to share the problems of the recipe on the list then I
 | am sure all those reading who are new to Zope would benefit;)

 Since python scripts are web callable and something has to be passed
 in... The phrase execute arbitrary code is nearly always quickly
 followed by the phrase remote exploit and lots of sad faces (and
 then some finger pointing d8)


If that is the case, aren't all python scripts within Zope potentially 
exploitable?


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Andrew Milton
+---[ Richard Harley ]--
| On 18/08/10 17:38, Andrew Milton wrote:
|  +---[ Garry Saddington ]--
|  | Andrew Milton wrote:
|  |  +---[ Garry Saddington ]--
|  |  | Garry Saddington wrote:
|  |  |  Justin Dunsworth wrote:
|  |  |  I am currently working on a project where I am storing HTML within a
|  |  |  MySQL database to display dynamic pages and content in sequences. I
|  |  |  would like to be able to store DTML within the tables as well and be
|  |  |  able to call them within the page to display that content. I tried
|  |  |  mixing the DTML in with the HTML and it shows the HTML correctly but no
|  |  |  DTML.
|  |  |
|  |  |  Is it possible to even do this? Are there other suggestions on how to go
|  |  |  about this?
|  |  |
|  |  |  The closest I have found is on Zopelabs
|  |  |  (http://www.zopelabs.com/cookbook/1078612026)
|  |  |
|  |  | Sorry wrong recipe try this:
|  |  |
|  |  | http://www.zopelabs.com/cookbook/993850737/1011691351
|  |
|  |  Do I really have to explain why that particular recipe is a bad idea? d8)
|  |
|  | Just trying to be helpful. I did say that it was the only thing I can
|  | find and I did not recommend it.
|  | If you would care to share the problems of the recipe on the list then I
|  | am sure all those reading who are new to Zope would benefit;)
| 
|  Since python scripts are web callable and something has to be passed
|  in... The phrase execute arbitrary code is nearly always quickly
|  followed by the phrase remote exploit and lots of sad faces (and
|  then some finger pointing d8)
| 
| 
| If that is the case, aren't all python scripts within Zope potentially 
| exploitable?

Not all python scripts execute arbitrary code *passed to them* 

-- 
Andrew Milton
a...@theinternet.com.au
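
Added example, not part of the thread: a sketch of the design Jeff Peterson suggests (templates live in trusted storage, the relational table holds only an id plus data), which also shows the distinction Andrew Milton draws between passing data and passing code. `string.Template` stands in for DTML and an in-memory SQLite table for MySQL; the `pages` table, the `TEMPLATES` registry and the function names are hypothetical.

```python
import html
import sqlite3
from string import Template

# Trusted templates: defined in code shipped on the server, never loaded
# from the database or the request. string.Template stands in for DTML
# (assumption made for this example).
TEMPLATES = {
    "article": Template("<h1>$title</h1>\n<div>$body</div>"),
    "teaser": Template("<p><b>$title</b></p>"),
}


class UnknownTemplate(LookupError):
    """The row names a template id that is not in the trusted registry."""


def make_db():
    """Constructed sample data: an in-memory table standing in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, template_id TEXT,"
        " title TEXT, body TEXT)"
    )
    db.executemany(
        "INSERT INTO pages VALUES (?, ?, ?, ?)",
        [
            (1, "article", "Hello", "Plain content"),
            # Template syntax inside a data column must stay inert text.
            (2, "teaser", "<dtml-var secret> $body", "ignored"),
            # A row pointing at a template that was never registered.
            (3, "custom_widget", "x", "y"),
        ],
    )
    return db


def render_page(db, page_id):
    """Render one row: the row selects a template by id and supplies data only."""
    row = db.execute(
        "SELECT template_id, title, body FROM pages WHERE id = ?", (page_id,)
    ).fetchone()
    if row is None:
        raise KeyError(page_id)
    template_id, title, body = row
    try:
        template = TEMPLATES[template_id]
    except KeyError:
        raise UnknownTemplate(template_id) from None
    # Values are escaped and substituted in a single pass; they are never
    # parsed as template source, so markup or placeholders in them stay text.
    return template.substitute(title=html.escape(title), body=html.escape(body))
```

Whoever can write to the table can change which registered template a page uses and what data it shows, but cannot introduce new template source.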


Re: [Zope] Storing DTML in SQL

2010-08-18 Thread robert rottermann
I think storing dtml in a db is wrong by design.
I do lots of dynamic websites that are generated from external data.
i had no need for a single line of dtml yet ...

robert

Am 18.08.2010 18:38, schrieb Andrew Milton:
 +---[ Garry Saddington ]--
 | Andrew Milton wrote:
 |  +---[ Garry Saddington ]--
 |  | Garry Saddington wrote:
 |  |  Justin Dunsworth wrote:
 |  |  I am currently working on a project where I am storing HTML within a
 |  |  MySQL database to display dynamic pages and content in sequences. I
 |  |  would like to be able to store DTML within the tables as well and be
 |  |  able to call them within the page to display that content. I tried
 |  |  mixing the DTML in with the HTML and it shows the HTML correctly but no
 |  |  DTML.
 |  |
 |  |  Is it possible to even do this? Are there other suggestions on how to go
 |  |  about this?
 |  |
 |  |  The closest I have found is on Zopelabs
 |  |  (http://www.zopelabs.com/cookbook/1078612026)
 |  |
 |  | Sorry wrong recipe try this:
 |  |
 |  | http://www.zopelabs.com/cookbook/993850737/1011691351
 |
 |  Do I really have to explain why that particular recipe is a bad idea? d8)
 |
 | Just trying to be helpful. I did say that it was the only thing I can
 | find and I did not recommend it.
 | If you would care to share the problems of the recipe on the list then I
 | am sure all those reading who are new to Zope would benefit;)

 Since python scripts are web callable and something has to be passed
 in... The phrase execute arbitrary code is nearly always quickly
 followed by the phrase remote exploit and lots of sad faces (and
 then some finger pointing d8)





Re: [Zope] Storing DTML in SQL

2010-08-18 Thread Andrew Milton
+---[ robert rottermann ]--
| I think storing dtml in a db is wrong by design.
| I do lots of dynamic websites that are generated from external data.
| i had no need for a single line of dtml yet ...

I've seen it used a lot in PHP systems like PHP-Nuke, where the widget
code is executed out of strings in the db. Whether it's necessary or
not in this instance is debatable.

-- 
Andrew Milton
a...@theinternet.com.au