? Extensions ? 214.patch ? lib/python/Products/SQLSession ? lib/python/Products/SQLProperties ? lib/python/Products/ZOracleDA ? lib/python/Products/ZPyGreSQLDA ? lib/python/Products/Workflow ? lib/python/Products/WorldPilot.not ? lib/python/Products/ZCatalog/catalogSearch.dtml ? lib/python/Products/ZCatalog/catalogSearchResults.dtml ? lib/python/Products/ZCatalog/Zc. ? lib/python/Products/ZCatalog/p ? lib/python/TreeDisplay/TreeTag.py.current Index: doc/CHANGES.txt =================================================================== RCS file: /cvs-repository/Zope2/doc/CHANGES.txt,v retrieving revision 1.188.4.11 retrieving revision 1.188.4.13 diff -u -r1.188.4.11 -r1.188.4.13 --- CHANGES.txt 2000/01/24 19:38:12 1.188.4.11 +++ CHANGES.txt 2000/02/09 20:35:27 1.188.4.13 @@ -62,6 +62,14 @@ Releases + Zope 2.1.4 + + Bugs Fixed + + - Removed the "feature" that allowed the REQUEST object to be + traversed through the web. While useful for debugging, this + could be a security issue. + Zope 2.1.3 Bugs Fixed 
@@ -160,19 +168,19 @@ - There were a number of problems with the load-site utility (utilities/load_site.py): - - A recent change caused HTML files to have their headers and - footers replaced with var tags for standard headers and - footers. While this is sometimes very useful, it is - sometimes disastrous. This feature is now enabled with the - -D option. - - - Handling of files with a '.dtml' extension was broken. These - are now handled correctly. Files with '.dtml' suffixes now - get uploaded as methods. - - - A workaround for old sites that had a bug in Document (aka - DTMLMethod) upload has been disabled. This workaround is now - enabled when the -9 option is used. + o A recent change caused HTML files to have their headers and + footers replaced with var tags for standard headers and + footers. While this is sometimes very useful, it is + sometimes disastrous. This feature is now enabled with the + -D option. + + o Handling of files with a '.dtml' extension was broken. These + are now handled correctly. Files with '.dtml' suffixes now + get uploaded as methods. + + o A workaround for old sites that had a bug in Document (aka + DTMLMethod) upload has been disabled. This workaround is now + enabled when the -9 option is used. The following bug fixes were accidentially excluded from 2.1.0: Index: lib/python/ZPublisher/BaseRequest.py =================================================================== RCS file: /cvs-repository/Zope2/lib/python/ZPublisher/BaseRequest.py,v retrieving revision 1.16 retrieving revision 1.16.4.1 diff -u -r1.16 -r1.16.4.1 --- BaseRequest.py 1999/08/17 18:48:31 1.16 +++ BaseRequest.py 2000/02/09 20:35:42 1.16.4.1 @@ -82,7 +82,7 @@ # attributions are listed in the accompanying credits file. # ############################################################################## -__version__='$Revision: 1.16 $'[11:-2] +__version__='$Revision: 1.16.4.1 $'[11:-2] from string import join, split, find, rfind, lower, upper from urllib import quote 
@@ -226,6 +226,10 @@
 request_get=request.get
 if response is None: response=self.response
 debug_mode=response.debug_mode
+
+ # Make sure that REQUEST cannot be traversed.
+ if find(path, 'REQUEST') >= 0:
+ return response.notFoundError(path)
 if path[:1] != '/': path='/'+path
 if path[-1:] != '/': path=path+'/'
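Review bot: The added guard `if find(path, 'REQUEST') >= 0:` is a substring match over the whole path, so it also returns notFound for any legitimate URL whose object id merely contains the text REQUEST (an id such as `REQUEST_form`, or a segment like `/docs/REQUEST/`), not only for traversal into the request object itself. A segment-level test keeps the fix while avoiding that denial for unrelated content: `if 'REQUEST' in split(path, '/'): return response.notFoundError(path)` — `split` is already imported from `string` at the top of the file, as the earlier hunk shows. Whether `path` has been URL-decoded before this point is not visible in the hunk, so confirm the check runs on the same decoded, segment-split form that the traversal loop below actually walks. The enclosing method's signature and the remainder of its body lie outside the hunk.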