It strikes me as strange that you can create versions without creating version objects. I found this out whilst playing with the versioned FTP How-To: http://www.zope.org/Members/htrd/howto/VersionFTPServer

Now because I got the name of the version wrong in z2.py (I missed off the leading /!) it created a separate version. It seemed to work fine, it's just that there was no associated version object. So I couldn't actually do anything with the version through the management interface, except save or discard changes in Control Panel/Manage Versions. And, thinking about it, there's no way I could delete the version object (that is if one was ever created anywhere...)

Is this behaviour as it is supposed to be? If it is, then [1194] in the collector is definitely a bug, and the versions in that list shouldn't have HREFs at all, because there might not even be an object to link to.

If versions should have a version object associated with them, then accidental version creation through things like FTP/XML-RPC/etc needs to be prevented. Also, the version objects returned by db.versions() in version_info in ApplicationManager.py should implement absolute_url(). That would solve the problem in bug [1194].

Any comments? Any ideas? I'm chucking this into the collector as well, just so it doesn't get lost...

Chris
Chris Withers wrote:
It strikes me as strange that you can create versions without creating version objects.
It's really easy, too - just send an HTTP command to Zope with a cookie called Version set to whatever name you want to call the version, and it'll show up in the Control-Panel. And do some weird and possibly evil stuff to your ZODB.

-- Itamar S.T. itamars@ibm.net
Okay, now I'm worried... Good thing I chucked it into the collector by the sounds of it ;-)

cheers,

Chris

Itamar Shtull-Trauring wrote:
Chris Withers wrote:
It strikes me as strange that you can create versions without creating version objects.
It's really easy, too - just send an HTTP command to Zope with a cookie called Version set to whatever name you want to call the version, and it'll show up in the Control-Panel. And do some weird and possibly evil stuff to your ZODB.
-- Itamar S.T. itamars@ibm.net
Itamar Shtull-Trauring wrote:
Chris Withers wrote:
It strikes me as strange that you can create versions without creating version objects.
It's really easy, too - just send an HTTP command to Zope with a cookie called Version set to whatever name you want to call the version, and it'll show up in the Control-Panel. And do some weird and possibly evil stuff to your ZODB.

Could one of you guys detail this on the SecurityWiki? http://www.zope.org/Members/jim/ZopeSecurity/FrontPage

-Michel
Could one of you guys detail this on the SecurityWiki?

I'll do it in a minute. Not sure why it's a security issue though. It's just a plain bug. If a version object doesn't exist, then a cookie (whether generated through the FTP server or through an HTTP post (for example, from a cached management interface page)) should be ignored, or more likely, generate an error with the option "would you like to stop working in this non-existent version?"

This issue is in the following bugs:

http://classic.zope.org:8080/Collector/1194/view
http://classic.zope.org:8080/Collector/1195/view

cheers,

Chris