Guido van Rossum wrote:
> > Without python 2.2 zope will continue to harbor remotely exploitable
> > zlib-based memory exhaustion attacks. FWIW
> 
> Can you explain?  Where does Zope even use zlib?

dtml-tree for one, more recent versions of ztutils' tree code as well
although its mitigated to an extent by some hardcoded length limits;
those are the only two I know of off the top of my head.  rlimits will
ensure the zope process doesn't hork the rest of the host, but even
better is using the improved decompression objects available in python
2.2 which allow for low memory usage decompression.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."                          -Holly

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Reply via email to