October 2013 - Zope-Dev

(optional) CSRF protection in zope.formlib
by Jan-Wijbrand Kolman 21 Nov '13

21 Nov '13

Hi, I've been working on CSRF protection for zope.formlib. I have a "csrfprotection" branch in my zope.formlib fork on github. The changes against the current zope.formlib mainline can be found here: https://github.com/janwijbrand/zope.formlib/compare/csrfprotection When creating form components based on zope.formlib.form.FormBase, one can enable this protection just by setting the attribute ``protected`` to True on the component. This implementation is based on the following assumptions: * We do not want to keep server-side state(!) * An "attacker" that attempts CSRF cannot get to information stored in cookies that are meant for the domain of the (forged) request. * The token stored in the cookie is sufficiently random and long, to be practically "unguessable" by the attacker. * The form submit is deemed valid as long as the token in the cookie is identical to a hidden input value that is part of the form submit. My questions: * Do you find this feature useful enough to be, in principle, included in zope.formlib? * I'd like to kindly request someone to review my branch and provide feedback. The included test cases describe a few more questions and concerns about this implementation. Thank you in advance! kind regards, jw

3 8

[z3c.recipe.i18n] Review of Buildout 2 support
by Sebastien Douche 06 Nov '13

06 Nov '13

Hi, Does anyone can review or merge the PR please? https://github.com/zopefoundation/z3c.recipe.i18n/pull/1 -- Sebastien Douche <sdouche(a)gmail.com> Twitter: @sdouche / G+: +sdouche

2 3

zope-tests - OK: 13
by Zope tests summarizer 31 Oct '13

31 Oct '13

This is the summary for test reports received on the zope-tests list between 2013-10-29 00:00:00 UTC and 2013-10-30 00:00:00 UTC: See the footnotes for test reports of unsuccessful builds. An up-to date view of the builders is also available in our buildbot documentation: http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds Reports received ---------------- Successful - zopetoolkit_trunk - Build # 443 winbot / ZODB_dev py_265_win32 winbot / ZODB_dev py_265_win64 winbot / ZODB_dev py_270_win32 winbot / ZODB_dev py_270_win64 winbot / ztk_10 py_254_win32 winbot / ztk_10 py_265_win32 winbot / ztk_10 py_265_win64 winbot / ztk_11 py_254_win32 winbot / ztk_11 py_265_win32 winbot / ztk_11 py_265_win64 winbot / ztk_11 py_270_win32 winbot / ztk_11 py_270_win64 Non-OK results --------------

1 0

Release new version of zope.publisher and zope.tales
by Sebastien Douche 30 Oct '13

30 Oct '13

Hi, six is missing in the setup file. Thanks. -- Sebastien Douche <sdouche(a)gmail.com> Twitter: @sdouche / G+: +sdouche

1 0

zope-tests - OK: 13
by Zope tests summarizer 30 Oct '13

30 Oct '13

This is the summary for test reports received on the zope-tests list between 2013-10-28 00:00:00 UTC and 2013-10-29 00:00:00 UTC: See the footnotes for test reports of unsuccessful builds. An up-to date view of the builders is also available in our buildbot documentation: http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds Reports received ---------------- Successful - zopetoolkit_trunk - Build # 442 winbot / ZODB_dev py_265_win32 winbot / ZODB_dev py_265_win64 winbot / ZODB_dev py_270_win32 winbot / ZODB_dev py_270_win64 winbot / ztk_10 py_254_win32 winbot / ztk_10 py_265_win32 winbot / ztk_10 py_265_win64 winbot / ztk_11 py_254_win32 winbot / ztk_11 py_265_win32 winbot / ztk_11 py_265_win64 winbot / ztk_11 py_270_win32 winbot / ztk_11 py_270_win64 Non-OK results --------------

1 0

ZTUtils make_query and unicode
by Michael McFadden 29 Oct '13

29 Oct '13

Hello list. I'm having an issue with ZTUtils.Zope.make_query when providing Unicode values. Specifically, We're building search results pagination using CMFPlone.PloneBatch Here's the scenario: The search form is provided a Unicode string. The query is properly written as "?search_text:utf8:ustring=value" The search will return many results. Our searchResults browser view will provide a PloneBatch object, making it very easy to display only, for example, 30 results, then provide page links at the bottom of the page for the next 30 results, or whatever. These links will contain the original query string, but when they are built using make_query(), the result is "?search_text=value" - What follows is Unicode decode errors when the 'next' link is followed - the search_text is marshaled as a 'str', not as a 'unicode' The bottom line is that make_query (actually, complex_marshal & simple_marshal) doesn't seem to apply the ':ustring' type prefix when creating query strings. Kind of important to us at Radio Free Asia, considering we host Cantonese and Korean languages, for example. This was fixed by using sys.setdefaultencoding('utf-8'), but that seems like quite a sledgehammer fix. ---------- I have a proposed fix, branched from the master branch on Github. Diff here: https://github.com/zopefoundation/Zope/pull/4/files Questions: 1. Is "Master" the correct place to fork from? 2. Is is safe - at least to start - to assume utf8 encoding when constructing query strings? 3. Dangerous idea: If simpleMarshal is passed a unicode object that can be represented as ASCII, should we "magically" turn it into a string? I don't like magic, but I also know it's common (and good) practice to use unicode in ASCII-based languages, making this exercise an overkill for those languages. Any comments or criticisms (not to hard please!) would be appreciated! -Flip -- Mike McFadden Radio Free Asia Technical Operations Division 2025 M Street NW Washington DC 20036 USA This e-mail message is intended only for the use of the addressee and may contain information that is privileged and confidential. Any unauthorized dissemination, distribution or copying is strictly prohibited. If you receive this transmission in error, please contact network(a)rfa.org.

1 0

zope-tests - OK: 13
by Zope tests summarizer 29 Oct '13

29 Oct '13

This is the summary for test reports received on the zope-tests list between 2013-10-27 00:00:00 UTC and 2013-10-28 00:00:00 UTC: See the footnotes for test reports of unsuccessful builds. An up-to date view of the builders is also available in our buildbot documentation: http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds Reports received ---------------- Successful - zopetoolkit_trunk - Build # 441 winbot / ZODB_dev py_265_win32 winbot / ZODB_dev py_265_win64 winbot / ZODB_dev py_270_win32 winbot / ZODB_dev py_270_win64 winbot / ztk_10 py_254_win32 winbot / ztk_10 py_265_win32 winbot / ztk_10 py_265_win64 winbot / ztk_11 py_254_win32 winbot / ztk_11 py_265_win32 winbot / ztk_11 py_265_win64 winbot / ztk_11 py_270_win32 winbot / ztk_11 py_270_win64 Non-OK results --------------

1 0

zope-tests - OK: 13
by Zope tests summarizer 28 Oct '13

28 Oct '13

This is the summary for test reports received on the zope-tests list between 2013-10-26 00:00:00 UTC and 2013-10-27 00:00:00 UTC: See the footnotes for test reports of unsuccessful builds. An up-to date view of the builders is also available in our buildbot documentation: http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds Reports received ---------------- Successful - zopetoolkit_trunk - Build # 440 winbot / ZODB_dev py_265_win32 winbot / ZODB_dev py_265_win64 winbot / ZODB_dev py_270_win32 winbot / ZODB_dev py_270_win64 winbot / ztk_10 py_254_win32 winbot / ztk_10 py_265_win32 winbot / ztk_10 py_265_win64 winbot / ztk_11 py_254_win32 winbot / ztk_11 py_265_win32 winbot / ztk_11 py_265_win64 winbot / ztk_11 py_270_win32 winbot / ztk_11 py_270_win64 Non-OK results --------------

1 0

zope-tests - OK: 9
by Zope tests summarizer 26 Oct '13

26 Oct '13

This is the summary for test reports received on the zope-tests list between 2013-10-25 00:00:00 UTC and 2013-10-26 00:00:00 UTC: See the footnotes for test reports of unsuccessful builds. An up-to date view of the builders is also available in our buildbot documentation: http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds Reports received ---------------- Successful - zopetoolkit_trunk - Build # 439 winbot / ztk_10 py_254_win32 winbot / ztk_10 py_265_win32 winbot / ztk_10 py_265_win64 winbot / ztk_11 py_254_win32 winbot / ztk_11 py_265_win32 winbot / ztk_11 py_265_win64 winbot / ztk_11 py_270_win32 winbot / ztk_11 py_270_win64 Non-OK results --------------

1 0

zope-tests - OK: 9
by Zope tests summarizer 25 Oct '13

25 Oct '13

This is the summary for test reports received on the zope-tests list between 2013-10-24 00:00:00 UTC and 2013-10-25 00:00:00 UTC: See the footnotes for test reports of unsuccessful builds. An up-to date view of the builders is also available in our buildbot documentation: http://docs.zope.org/zopetoolkit/process/buildbots.html#the-nightly-builds Reports received ---------------- Successful - zopetoolkit_trunk - Build # 438 winbot / ztk_10 py_254_win32 winbot / ztk_10 py_265_win32 winbot / ztk_10 py_265_win64 winbot / ztk_11 py_254_win32 winbot / ztk_11 py_265_win32 winbot / ztk_11 py_265_win64 winbot / ztk_11 py_270_win32 winbot / ztk_11 py_270_win64 Non-OK results --------------

1 0