Shane Hathaway wrote:

My opinion on this is a little different. It's quite easy for anyone to make mischief on any Zope server that lets people make even minor changes to the site, such as giving feedback, posting a discussion item, etc. All you have to do is include a Zope-Version cookie in the request and your changes will place a lock on any objects that the request touches. Zope doesn't even check the validity of the Zope-Version cookie. Anyone who is not a ZODB expert would have a hard time bringing the site back to sanity.

This was my fear, and it's pretty shocking.

Maybe Oliver should do just such a thing on both and, or maybe to prove a point and then this issue will get the attention it deserves ;-)
(not please, I'm not a ZODB expert and I don't have the expertise to fix this bug :-S)

I think 2.6 ought to fix this by disabling recognition of the Zope-Version cookie and disabling the creation of Version objects, with an option to re-enable.

Yes indeed!


Zope-Dev maillist - [EMAIL PROTECTED]
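
The mitigation proposed in the thread (stop recognizing the Zope-Version cookie), sketched as a front-end request filter. This is an added example, not part of the original messages and not Zope's own code. It assumes the site can be placed behind a WSGI-capable layer; the function and class names are hypothetical, and it covers only the cookie the message names.

```python
# Added example: strips the Zope-Version cookie before the application sees it.
# Assumption: the name is matched case-insensitively, as the conservative choice.
COOKIE_NAME = "zope-version"


def strip_version_cookie(cookie_header):
    """Return (cleaned_header, removed) for a raw Cookie header value."""
    kept, removed = [], False
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name = pair.split("=", 1)[0].strip().strip('"')
        if name.lower() == COOKIE_NAME:
            removed = True  # drop this pair, keep every other cookie
            continue
        kept.append(pair)
    return "; ".join(kept), removed


class StripVersionCookie:
    """WSGI middleware (hypothetical name) that removes the cookie and
    calls on_strip(environ) so the attempt can be logged or alerted on."""

    def __init__(self, app, on_strip=None):
        self.app = app
        self.on_strip = on_strip or (lambda environ: None)

    def __call__(self, environ, start_response):
        cleaned, removed = strip_version_cookie(environ.get("HTTP_COOKIE", ""))
        if removed:
            self.on_strip(environ)
            if cleaned:
                environ["HTTP_COOKIE"] = cleaned
            else:
                environ.pop("HTTP_COOKIE", None)
        return self.app(environ, start_response)


if __name__ == "__main__":
    # Constructed sample header; the cookie value is a placeholder.
    sample = 'session=abc; Zope-Version="/constructed/v1"; lang=en'
    print(strip_version_cookie(sample))
```

Wiring `on_strip` to the access log gives operators a record of which clients sent the cookie, which is useful when deciding whether any objects need to be checked for stray locks.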