Guido van Rossum wrote:
> > Without python 2.2 zope will continue to harbor remotely exploitable
> > zlib-based memory exhaustion attacks. FWIW
> Can you explain?  Where does Zope even use zlib?

dtml-tree for one, more recent versions of ztutils' tree code as well
although it's mitigated to an extent by some hardcoded length limits;
those are the only two I know of off the top of my head.  rlimits will
ensure the zope process doesn't hork the rest of the host, but even
better is using the improved decompression objects available in python
2.2 which allow for low memory usage decompression.

Jamie Heilman         
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."                          -Holly
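
The low-memory decompression mentioned in the message, as an added example that is not part of the original post and is not Zope's code. It is written for current Python 3 and assumes the feature meant is the `max_length` argument and `unconsumed_tail` attribute of zlib decompression objects; the function name, exception and limits are illustrative.

```python
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a stream inflates past the caller's output cap."""


def bounded_decompress(data, max_output=1 << 20, chunk=64 * 1024):
    """Inflate zlib data, never holding more than max_output + 1 bytes.

    zlib.decompress(data) allocates whatever the stream expands to, so a
    few kilobytes of attacker-supplied input can demand gigabytes. Here
    each call is capped with max_length and the running total is checked
    before any more input is processed.
    """
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        # Ask for one byte beyond the remaining budget so that an
        # over-limit stream is detected instead of silently truncated.
        want = min(chunk, max_output - len(out) + 1)
        piece = d.decompress(buf, want)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                "output exceeds %d bytes" % max_output)
        # Input that was not consumed because of the cap is kept here.
        buf = d.unconsumed_tail
        if not (piece or buf or d.eof):
            raise ValueError("truncated or empty zlib stream")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: 8 MiB of zero bytes compresses to a few KiB.
    sample = zlib.compress(b"\0" * (8 << 20), 9)
    print("compressed size:", len(sample))
    try:
        bounded_decompress(sample, max_output=1 << 20)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```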
