Joachim Werner | 1 Aug 2002 10:21

Re: Zope hangs, with processes being idle ... (rather urgent problem)

>  > I have a Zope 2.5.1 using ZEO on Linux, with Apache as proxy server. The two
>  > ZEO clients run fine for a couple of hours, and then suddenly one of them
>  > stops responding. It's the type of Zope hangs when all processes are fine,
>  > but ZServer just doesn't respond (load is very low, with the CPU 90% idle,
>  > so it is not a performance issue or recursion problem).
>  >
>  > There is no error before this situation happens. The processes just don't
>  > respond any more. The second ZEO keeps running, but that machine also hangs
>  > from time to time, so I guess ZEO is not the problem, and the hardware or
>  > any Linux-specific problems aren't either.
>  >
>  > When the ZServer hangs, I can not access it directly, so it is no problem
>  > with the Apache.
>  >
>  > You see, I don't have any clue on what is happening here. The servers worked
>  > fine for months, and I don't know what specific change could have caused the
>  > problem.

>  > How can such a situation be debugged?


Gilles Lenfant | 1 Aug 2002 13:49

Removing the acquisition wrapper from an object (Python script)

Hi,

aq_base(someObject) doesn't work in a Python script. I need to get an object without its acquisition wrapper.

Any hint?

Many thanks in advance

--Gilles

_______________________________________________
Zope-Dev maillist  -  Zope-Dev <at> zope.org
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Toby Dickenson | 1 Aug 2002 13:46

Re: Removing the acquisition wrapper from an object (Python script)

On Thursday 01 Aug 2002 12:49 pm, Gilles Lenfant wrote:
> Hi,
>
> aq_base(someObject) doesn't work in a python script. I need to get an
> object without its acquisition wrapper.

It can't be done in untrusted code, because it would let you strip away its
security settings.

You could write an external method, or similar trusted code.


Florent Guillaume | 1 Aug 2002 15:27

Re: Refer to zope attribute or object in source

A lot of people would like to see these things cleaned up, but
unfortunately unless it becomes a pressing need for someone it doesn't
get done (for lack of time).

If you have some experience with that, and have ideas on how to fix
things (and check that they work ok), please do write some patches. Many
of us will be grateful to you.

Florent

In article <20020728030851.29483.qmail <at> web20706.mail.yahoo.com> you write:
> In PropertySheets.py of zope/lib/python/OFS
> 
> def xml_escape(v):
>    .....
>    return unicode(v, "latin-1").encode("utf-8")
> 
> Are there anyway to substitute the "latin-1" with an
> attribute of the zope site's attribute say:
> "zope-charset" which a site maintainer can modify
> through the web?
> 
> I raise this question because the current-cvs version
> of zope is turned into unicode, but all the source
> everywhere is assumed that the data input is "latin-1"
> but I am very sure that it will not always the case.
> Some sites simply don't work in that assumption,
> turning many sites using zope stop upgrade or stop
> using zope. This will seriously hurt the zope
> community. The initial act to make zope understand

Gilles Lenfant | 1 Aug 2002 15:44

Re: Removing the acquisition wrapper from an object (Python script)

----- Original Message ----- 
From: "Toby Dickenson" <tdickenson <at> geminidataloggers.com>
To: "Gilles Lenfant" <gilles <at> pilotsystems.net>; <zope-dev <at> zope.org>
Sent: Thursday, August 01, 2002 1:46 PM
Subject: Re: [Zope-dev] Removing the acquisition wrapper from an object (Python script)

On Thursday 01 Aug 2002 12:49 pm, Gilles Lenfant wrote:
>> Hi,
>>
>> aq_base(someObject) doesn't work in a python script. I need to get an
>> object without its acquisition wrapper.
>
> It can't be done in untrusted code, because it would let you strip away its
> security settings.

> You could write an external method, or similar trusted code.

Thanks Toby

I can't understand that reason because it's also easy to strip away an object's
security settings in an untrusted Python script that has a Manager proxy.
Well, I'm gonna make my 2 or 3 lines External method :(

Cheers

--Gilles


Toby Dickenson | 1 Aug 2002 15:51

Re: Removing the acquisition wrapper from an object (Python script)

On Thursday 01 Aug 2002 2:44 pm, Gilles Lenfant wrote:

> I can't understand that reason because it's also easy to strip away an
> object's security settings in an untrusted python script that has a Manager
> proxy. Well, I'm gonna make my 2 or 3 lines External method :(

If that's true, it's a bug. A serious one too. Please file an example in the
collector.


Martijn Pieters | 1 Aug 2002 16:46

DTML and REQUEST data changes about to be checked in

Hi folks,

I am about to land some big changes in the way DTML deals with data taken
from the REQUEST object when accessed implicitly, in both the Zope Trunk
and the Zope 2.5 branch. These changes could potentially break existing
Zope sites.

Without these changes, Zope is somewhat vulnerable to cross-scripting
attacks, where a well-crafted URL can cause a Zope server to serve out
arbitrary HTML. Because DTML does not automatically html quote any data,
and can implicitly get information out of the REQUEST even when it was not
the intention of the template author, it is easy to cause REQUEST data to
be rendered as HTML on a page.

My changes cause the REQUEST to keep track of suspected strings, where
suspect is defined as any string with a '<'. These are marked as tainted.
Any normal, explicit access to the REQUEST will still give you normal
values. However, as soon as a DTML template requests a variable from the
general namespace, and this variable is then satisfied from the REQUEST,
the value of this variable could potentially be a TaintedString object
instead of the original string. When rendering such a value, DTML will
automatically HTML quote it if not already done so explicitly. All DTML
string operations dealing with TaintedString objects are careful to retain
the TaintedString status.

I also fixed all exceptions raised in Zope that I could find, where
untrusted REQUEST data was used in the exception message; these exceptions
now html quote the data. I also made sure that the REQUEST calculated
variables URLx and BASEx and such were not shadowed by untrusted form
variables of the same name.
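To make the announced mechanism concrete, here is an added, self-contained model of the tainting rule (it is illustrative code written for this page, not Zope's own TaintedString or DTML implementation): REQUEST values containing '<' are wrapped when reached through the implicit namespace, explicit access returns plain values, string operations keep the taint, and rendering HTML-quotes a tainted value unless the template already quoted it explicitly. The `Request` and `render_vars` names are assumptions made for the example.

```python
import html


class TaintedString(str):
    """A str that came from the REQUEST and contains '<' (the suspect rule)."""

    def html_quote(self):
        # Explicit quoting yields a plain str, so it is not quoted a second time.
        return html.escape(str(self), quote=True)

    # String operations keep the tainted status of their result.
    def __add__(self, other):
        return TaintedString(str.__add__(self, other))

    def __radd__(self, other):
        return TaintedString(str.__add__(other, self))

    def upper(self):
        return TaintedString(str.upper(self))


def taint_if_suspect(value):
    """Mark a REQUEST value tainted when it is a string containing '<'."""
    if isinstance(value, str) and "<" in value:
        return TaintedString(value)
    return value


class Request:
    """Hypothetical stand-in for the REQUEST object (not Zope's class)."""

    def __init__(self, form):
        self.form = dict(form)  # explicit access (request.form[...]) stays plain

    def get_implicit(self, name):
        # Implicit namespace fallback: the only path where tainting is applied.
        return taint_if_suspect(self.form[name])


def render_vars(names, local_vars, request):
    """Model <dtml-var name>: locals first, then the REQUEST; quote tainted."""
    out = []
    for name in names:
        value = local_vars[name] if name in local_vars else request.get_implicit(name)
        if isinstance(value, TaintedString):
            value = value.html_quote()  # automatic quoting at render time
        out.append(str(value))
    return out


# Constructed sample input: one benign form field, one carrying markup.
SAMPLE_REQUEST = Request({"greeting": "hello", "name": "<b>x</b>"})


def demo():
    return render_vars(["title", "greeting", "name"], {"title": "Page"}, SAMPLE_REQUEST)
```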

Gilles Lenfant | 1 Aug 2002 17:50

Re: Removing the acquisition wrapper from an object (Python script)

----- Original Message ----- 
From: "Toby Dickenson" <tdickenson <at> geminidataloggers.com>
To: "Gilles Lenfant" <gilles <at> pilotsystems.net>; <zope-dev <at> zope.org>
Sent: Thursday, August 01, 2002 3:51 PM
Subject: Re: [Zope-dev] Removing the acquisition wrapper from an object (Python script)

On Thursday 01 Aug 2002 2:44 pm, Gilles Lenfant wrote:

>> I can't understand that reason because it's also easy to strip away an
>> object's security settings in an untrusted python script that has a Manager
>> proxy. Well, I'm gonna make my 2 or 3 lines External method :(

> If that's true, it's a bug. A serious one too. Please file an example in the
> collector.

Toby,

It's definitively *NOT* a bug but a feature that's completely documented.
Most Zope objects inherit from the RoleManager class. This class has (among others) this method:

manage_permission(self, permission_to_manage, roles=[], acquire=0, REQUEST=None)

Just use this method in an "untrusted" Python script on any Zope object, add a Manager proxy to it, and you're done.

--Gilles


Martijn Pieters | 1 Aug 2002 18:08

Re: DTML and REQUEST data changes about to be checked in

On Thu, Aug 01, 2002 at 10:46:44AM -0400, Martijn Pieters wrote:
> I am about to land some big changes in the way DTML deals with data taken
> from the REQUEST object when accessed implicitly, in both the Zope Trunk
> and the Zope 2.5 branch. These changes could potentially break existing
> Zope sites.

It's in. Let the testing begin!

--

-- 
Martijn Pieters
| Software Engineer  mailto:mj <at> zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------


Jeffrey P Shell | 1 Aug 2002 18:29

Re: Re: DTML and REQUEST data changes about to be checked in

On 8/1/02 10:08 AM, "Martijn Pieters" <mj <at> zope.com> wrote:

> On Thu, Aug 01, 2002 at 10:46:44AM -0400, Martijn Pieters wrote:
>> I am about to land some big changes in the way DTML deals with data taken
>> from the REQUEST object when accessed implicitly, in both the Zope Trunk
>> and the Zope 2.5 branch. These changes could potentially break existing
>> Zope sites.
> 
> It's in. Let the testing begin!

Hopefully I'll get a chance to test it with some of our 2.5 sites - I have a
small worry that old code on small sites that we don't have much worry about
will break if this is put into a 2.5.2 or later release.  Could there be a
way to disable this "feature" in 2.5 via a z2/environment variable or some
other configuration setting, but have it be automatic in 2.6?  "Potential
code breakage" and "point point release" leave me a little worried about
maintaining 2.5 sites.

It may not be an issue - I have to digest the changes in more depth than
I've had (or currently have) time for, but that's the thought that crossed
my mind earlier.

--

-- 
Jeffrey P Shell 
www.cuemedia.com
