On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote:
> On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > > I am about to land some big changes in the way DTML deals with data
> > > taken from the REQUEST object when accessed implicitly, in both the
> > > Zope Trunk and the Zope 2.5 branch.
> >
> > In my opinion this change is completely unacceptable at this late stage
> > of
> >
> > the release cycle. As you said:
> > > These changes could potentially break existing Zope sites.
> >
> > The existing behavior might be flawed, but it is a flaw we have all lived
> > with for a long time. In my opinion this needs:
> >
> > 1. To be deferred until the 2.7 cycle.
> >
> > 2. A detailed fishbowl proposal.
> Note that the problems fixed are potential security problems. Although we
> cannot fix every site out there for sure, the fixes certainly dramatically
> reduce the risks.

Im not going to argue that this feature is bad - because I dont believe that 
to be true. I suspect the feature is not exactly quite right - but those 
issues can easily be resolved over a full release cycle.

> The risk for breakage is very small really

Your choice of '<' and html_quote suggests that my dtml code which generates 
javascript and vbscript carries a higher risk than dtml which generates html.

>, and breakage
> will generally only occur when someone is trying to exploit the weakness,
> not in normal operation of the site.

The fact that your change uses html_quote to 'fix' the problem rather than 
sounding 'hacker alert' alarm bells suggests to me that you dont really 
believe that ;-)

> I'll leave any decisions on wether or not this stays in the current release
> cycles or moves to 2.7 to Jim Fulton. He is unfortunately on cvacation
> until next week.

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to