Hello all,

Zope 2.2.0 alpha 1 has been released - you can download it from the usual place on Zope.org:

http://www.zope.org/Products/Zope/2.2.0a1/

*Note that for alpha releases we package only a source release and a win32 binary release since win32 users generally don't have a compiler readily available.*

This release contains the new changes to the Zope security model to protect against the server-side trojan issue:

http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan

It also contains the new help system, a built-in Zope tutorial and many bug fixes. For more information, see the CHANGES.txt file for the release:

http://www.zope.org/Products/Zope/2.2.0a1/CHANGES.txt

Note: sites that allow untrusted users to edit DTML or other executable content will need to set object ownership appropriately after applying the new release for the new security rules to protect you. See the document "upgrading to Zope 2.2" for this and other important upgrade information:

http://www.zope.org/Products/Zope/2.2.0a1/upgrading_to_220

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com

Brian Lloyd wrote:
> This release contains the new changes to the Zope security model to protect against the server-side trojan issue:
> http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan

Hmm. Let's say an object is owned by user Joe. I export the object and reimport it in a different Zope installation, where Joe doesn't exist. Who owns the object? nobody?

--
Itamar S.T. itamar@maxnm.com

On Tue, 16 May 2000, Itamar Shtull-Trauring wrote:
> Brian Lloyd wrote:
>> This release contains the new changes to the Zope security model to protect against the server-side trojan issue:
>> http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan
> Hmm. Let's say an object is owned by user Joe. I export the object and reimport it in a different Zope installation, where Joe doesn't exist. Who owns the object? nobody?

Those who do not understand Unix are condemned to reinvent it, poorly. -- Henry Spencer

:))) Zope is going more and more to unix-like security mechanisms (owner, setuid, etc). In UNIX, if you untar an archive, who owns the files? You! In Zope, the owner will be the person who did the import. Just so simple. (Actually, I know nothing about Zope 2.2; but I know UNIX, so I made the conclusion :)

Oleg. (All opinions are mine and not of my employer)
----
Oleg Broytmann Foundation for Effective Policies phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.

Oleg Broytmann wrote:
> Zope is going more and more to unix-like security mechanisms (owner, setuid, etc).

Except that when you run a binary, it has an intersection of your permissions and the owner's creations.

--
Itamar S.T. itamar@maxnm.com

participants (3)
- Brian Lloyd
- Itamar Shtull-Trauring
- Oleg Broytmann