On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > I am about to land some big changes in the way DTML deals with data
> > taken from the REQUEST object when accessed implicitly, in both the Zope
> > Trunk and the Zope 2.5 branch.
>
> In my opinion this change is completely unacceptable at this late stage of
> the release cycle. As you said:
>
> > These changes could potentially break existing Zope sites.
>
> The existing behavior might be flawed, but it is a flaw we have all lived
> with for a long time. In my opinion this needs:
>
> 1. To be deferred until the 2.7 cycle.
>
> 2. A detailed fishbowl proposal.

Note that the problems fixed are potential security problems. Although we cannot fix every site out there for sure, the fixes certainly dramatically reduce the risks. The risk for breakage is very small really, and breakage will generally only occur when someone is trying to exploit the weakness, not in normal operation of the site.

I'll leave any decisions on whether or not this stays in the current release cycles or moves to 2.7 to Jim Fulton. He is unfortunately on vacation until next week.

--
Martijn Pieters
| Software Engineer  mailto:[EMAIL PROTECTED]
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------