I would be in favor of making the Examples "opt-in" like the Zope tutorial. It seems silly to have it in every ZODB by default. Make people add it if they want it.
-Casey
On Monday 23 June 2003 05:12 am, Jamie Heilman wrote:
seb bacon wrote:
No. Just go ahead and make the changes. It would be instructive for others reading the examples to add a comment or two explaining the rationale behind the extra checking code.
'k I can do that
The file upload vulnerability was fixed in version 1.3 of Examples.zexp, though. The reason it's still turning up in 2.6.x versions is probably due to upgrades. Therefore I suppose additionally there should be a patch which examines the ZODB on startup and prints a warning if an old Examples folder is present.
You know, ironically, I don't think this "advisory" even covers that hole. There's obvious DoS potential in the guest book and such, but that's easily limited without degrading the value of the example. Anyway, I'll scrape over the examples and see what I can clean up.
-- Jamie Heilman http://audible.transient.net/~jamie/ "Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )