Patch acceptance. What about this one?
Fellow Zope addicts,

I do both name and IP based virtual hosting from a single Apache instance, proxypassing to various different places within Zope. It works great, with or without Apache working mod_ssl magic!

Except..... There's a little issue with Zope logging to be solved. Zope logs the IP of the Apache server, not the client. Oops. I might want to track where all administrative logins are really coming from, for example!

So I decided to try searching this list before rolling my sleeves up and fixing it myself. Here's what I found:

http://www.mail-archive.com/zope-dev@zope.org/msg07600.html

Well it appears that Joseph has already solved it for me. Great, gotta love this community. Probably a cleaner patch than what I could have come up with anyway. And I don't have to spend hours digging through the Zope source to get it done!

Except... It was written against 2.4.1. I run 2.4.3. It would have been really nice if it had been included in Zope 2.4.next......

Hmm, has anything else changed that I need to be aware of before applying the patch? Let's go to cvs.zope.org and see: First I look at "Diff for /Zope/ZServer/medusa/http_server.py between version 1.26.4.2 and 1.30.36.1". Changes. Looks like some careful inspection of the code and some testing is in store for me. And more porting work next time I upgrade Zope... and next time.

I can't help but wonder why something this simple and useful was not just included in Zope 2.4.next? It would have saved me and all the poor fools like me so much duplicated effort...

Just another Zope Admin's 2 cents worth......

Adam
-> Fellow Zope addicts,

I'd like to second this. There's nothing more annoying than a "corporate"-sponsored Open Source project ignoring patches from the community...

--Derek
Sigh. Is this in the Collector, by any chance?

----- Original Message -----
From: "Derek Simkowiak" <dereks@realloc.net>
To: "Adam Manock" <abmanock@earthlink.net>
Cc: <zope-dev@zope.org>
Sent: Thursday, December 27, 2001 10:46 PM
Subject: Re: [Zope-dev] Patch acceptance. What about this one?
-> Fellow Zope addicts,
I'd like to second this. There's nothing more annoying than a "corporate"-sponsored Open Source project ignoring patches from the community...
--Derek
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Derek Simkowiak wrote:
I'd like to second this. There's nothing more annoying than a "corporate"-sponsored Open Source project ignoring patches from the community...

maybe you'd like to re-evaluate that comment given the rest of the thread ;-)

Chris
-> > I'd like to second this. There's nothing more annoying than a
-> > "corporate"-sponsored Open Source project ignoring patches from the
-> > community...
->
-> maybe you'd like to re-evaluate that comment given the rest of the thread ;-)

I'm delighted to see the prompt response. I brought it up because I have seen a couple of projects where a company published a product under an Open Source license, but did not utilize the community. It seems that, when a group of people are getting paid to work on a project, any patches from outside that company get ignored because of the "Not Developed Here" anti-pattern.

But I do admit that Zope Corp. has done an excellent job of embracing (and supporting!) its community. Thank you!

Now, can I get a response to my previous question regarding PUT_factory()? :)

--Derek
Adam - At Thu, 27 Dec 2001 21:42:10 -0500, Adam Manock wrote:
It was written against 2.4.1. I run 2.4.3. It would have been really nice if it had been included in Zope 2.4.next......
Hmm, has anything else changed that I need to be aware of before applying the patch?
FYI. I have been using this patch as is up to and including Zope 2.4.3 without any troubles.
I can't help but wonder why something this simple and useful was not just included in Zope 2.4.next? It would have saved me and all the poor fools like me so much duplicated effort...
At the time, I hadn't received any feedback (however, I'm not blaming anyone). I also never posted this to the collector before. Should one of us post this?

Just to be safe ... You shouldn't use this entire patch unless your server is behind apache or a proxy server and best if protected by a firewall. It could open a potential security leak if you use the "domains" field for authentication and the zope server is not protected by apache.

- joe n.
At the time, I hadn't received any feedback (however, I'm not blaming anyone). I also never posted this to the collector before. Should one of us post this?
It would be appreciated, Joseph.
Just to be safe ... You shouldn't use this entire patch unless your server is behind apache or a proxy server and best if protected by a firewall. It could open a potential security leak if you use the "domains" field for authentication and the zope server is not protected by apache.
Is the issue that the X-Forwarded-For header controls the domain setting? - C
At Fri, 28 Dec 2001 00:14:21 -0500, Chris McDonough wrote:
At the time, I hadn't received any feedback (however, I'm not blaming anyone). I also never posted this to the collector before. Should one of us post this?
It would be appreciated, Joseph.
ok ... I can post this afternoon.
Just to be safe ... You shouldn't use this entire patch unless your server is behind apache or a proxy server and best if protected by a firewall. It could open a potential security leak if you use the "domains" field for authentication and the zope server is not protected by apache.
Is the issue that the X-Forwarded-For header controls the domain setting?
yes ... everyone should probably not use this patch right-out-of-the-box. - j
Just to be safe ... You shouldn't use this entire patch unless your server is behind apache or a proxy server and best if protected by a firewall. It could open a potential security leak if you use the "domains" field for authentication and the zope server is not protected by apache.
Is the issue that the X-Forwarded-For header controls the domain setting?
yes ... everyone should probably not use this patch right-out-of-the-box.
Thanks guys! My apologies if I kicked the ball a little harder than was needed to get it rolling.

In any case, it looks like a little more work is required before this patch will be ready for mainstream. 'HTTP_X_FORWARDED_FOR' should probably be ignored unless Zope is explicitly told to look at it. A list of allowed proxiers, perhaps set as a startup parameter? Or a switch to turn it on (off by default) and a warning about restricting where direct connections to Zope are allowed from?

In the meantime, a couple of restrictive firewall rules on my Zope box will prevent malicious users from connecting directly to Zope with fake HTTP_X_FORWARDED_FOR.

Adam

ps. Soon as I get it all working perfectly I'll be putting everything I know about using Zope with mod_proxy in a doc for zope.org. (Yes, yet another match when you search for "proxypass", hopefully the last needed for a while.)
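The "list of allowed proxiers" idea above, sketched as an added example that is not part of the thread or of Joseph's patch: X-Forwarded-For is honoured only when the TCP peer is a configured proxy, and the header is read right to left so client-supplied entries cannot override what the proxy appended. The function name and the `trusted_proxies` setting are hypothetical, not Zope options.

```python
import ipaddress

def _parse(addr):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def _trusted(ip, trusted_nets):
    return any(ip in net for net in trusted_nets)

def effective_client_ip(peer_addr, xff_header, trusted_proxies=()):
    """Pick the address to log and to match against "domains" restrictions.

    peer_addr       -- address of the TCP peer (the only value not client-set)
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- hypothetical startup setting: CIDR strings of proxies
                       allowed to speak for clients; empty means "off"
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = _parse(peer_addr)
    # The header is honoured only when the direct peer is a configured proxy.
    if peer is None or not xff_header or not _trusted(peer, nets):
        return peer_addr
    current = peer
    # Walk right to left: the rightmost entry was appended by our own proxy;
    # anything further left was supplied by whoever connected to it.
    for hop in reversed(xff_header.split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: keep the last address we could verify
        current = ip
        if not _trusted(ip, nets):
            break  # first untrusted hop is the client as our proxies saw it
    return str(current)
```

With the default empty `trusted_proxies`, the header is ignored entirely, which matches the "off by default" switch proposed in the message.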
Ok .. here's the collector url:

http://collector.zope.org/Zope/108

- j

At Fri, 28 Dec 2001 00:14:21 -0500, Chris McDonough wrote:
At the time, I hadn't received any feedback (however, I'm not blaming anyone). I also never posted this to the collector before. Should one of us post this?
It would be appreciated, Joseph.
Thanks much!!

Joseph Wayne Norton wrote:
Ok .. here's the collector url:
http://collector.zope.org/Zope/108
- j
At Fri, 28 Dec 2001 00:14:21 -0500, Chris McDonough wrote:
At the time, I hadn't received any feedback (however, I'm not blaming anyone). I also never posted this to the collector before. Should one of us post this?
It would be appreciated, Joseph.
-- Chris McDonough Zope Corporation http://www.zope.org http://www.zope.com "Killing hundreds of birds with thousands of stones"
participants (5): Adam Manock, Chris McDonough, Chris Withers, Derek Simkowiak, Joseph Wayne Norton