File uploads: filename with ';'
Hello All! It seems that Zope does not handle names of uploaded files correctly when they include ';'.

-- Vladimir

Hi,

On Tue, 26.10.2004 at 20:10, Vova wrote:
> Hello All! It seems that Zope does not handle names of uploaded files correctly when they include ';'.

Whatever "correctly" means ;) Surprise: Zope does not care about names of uploaded files (in the Request).

However, if you create File objects via DAV or FTP directly in a Folder, Zope uses the name information to guess best to get an id for the object. It tries hard to not end up having an illegal id here.

Regards
Tino

Tino Wildenhain wrote:
> Hi,
>
> On Tue, 26.10.2004 at 20:10, Vova wrote:
> > Hello All! It seems that Zope does not handle names of uploaded files correctly when they include ';'.
>
> Whatever "correctly" means ;) Surprise: Zope does not care about names of uploaded files (in the Request).

Simple script:

    return context.REQUEST.file.filename

Now let's create the form for it and upload file "a;b". This script will return '"a', which is obviously not correct. Filename is used, for example, as ID for a newly created File object. A lot of more realistic examples can be found in Plone.

> However, if you create File objects via DAV or FTP directly in a Folder, Zope uses the name information to guess best to get an id for the object. It tries hard to not end up having an illegal id here.

I've not tried FTP. Maybe it's worth trying.

> Regards
> Tino

-- Vladimir

Hi,

On Wed, 27.10.2004 at 0:45, Vova wrote:
> Tino Wildenhain wrote:
> > Hi,
> >
> > On Tue, 26.10.2004 at 20:10, Vova wrote:
> > > Hello All! It seems that Zope does not handle names of uploaded files correctly when they include ';'.
> >
> > Whatever "correctly" means ;) Surprise: Zope does not care about names of uploaded files (in the Request).
>
> Simple script:
>
>     return context.REQUEST.file.filename
>
> Now let's create the form for it and upload file "a;b". This script will return '"a', which is obviously not correct. Filename is used, for example, as ID for a newly created File object. A lot of more realistic examples can be found in Plone.

Whatever Zope gives you as "filename" here comes from the browser. So either the browser strips your filename with ; in it (see with tcpflow or Shane's tcpwatch) or the browser doesn't do the quoting right.

> > However, if you create File objects via DAV or FTP directly in a Folder, Zope uses the name information to guess best to get an id for the object. It tries hard to not end up having an illegal id here.
>
> I've not tried FTP. Maybe it's worth trying.

Maybe it makes a difference in the filename handling of your client. For Zope it makes not much of a difference.

Regards
Tino

Tino Wildenhain wrote:
> > Simple script:
> >
> >     return context.REQUEST.file.filename
> >
> > Now let's create the form for it and upload file "a;b". This script will return '"a', which is obviously not correct. Filename is used, for example, as ID for a newly created File object. A lot of more realistic examples can be found in Plone.
>
> Whatever Zope gives you as "filename" here comes from the browser. So either the browser strips your filename with ; in it (see with tcpflow or Shane's tcpwatch) or the browser doesn't do the quoting right.

No, this is not a browser mistake. This is part of the output from netcat -l -p 8080:

    Content-Disposition: form-data; name="file"; filename="a;b"
    Content-Type: application/x-zerosize

So filename is sent correctly as 'a;b'. But Zope says that filename is '"a'.

-- Vladimir

Hi,

On Wed, 2004-10-27 at 10:20, Vova wrote:
> Tino Wildenhain wrote:
> > > Simple script:
> > >
> > >     return context.REQUEST.file.filename
> > >
> > > Now let's create the form for it and upload file "a;b". This script will return '"a', which is obviously not correct. Filename is used, for example, as ID for a newly created File object. A lot of more realistic examples can be found in Plone.
> >
> > Whatever Zope gives you as "filename" here comes from the browser. So either the browser strips your filename with ; in it (see with tcpflow or Shane's tcpwatch) or the browser doesn't do the quoting right.
>
> No, this is not a browser mistake. This is part of the output from netcat -l -p 8080:
>
>     Content-Disposition: form-data; name="file"; filename="a;b"
>     Content-Type: application/x-zerosize
>
> So filename is sent correctly as 'a;b'. But Zope says that filename is '"a'.

Cool :-) We come close. Then you have to file a bug for the cgi.py which does the hard work of reading and parsing. Looks like an insufficiency in handling of the " " quoting while parsing header lines.

Regards
Tino

Tino Wildenhain wrote:
> > So filename is sent correctly as 'a;b'. But Zope says that filename is '"a'.
>
> Cool :-) We come close. Then you have to file a bug for the cgi.py which does the hard work of reading and parsing. Looks like an insufficiency in handling of the " " quoting while parsing header lines.

You are right. Bug is in cgi.py at line 325:

    plist = map(lambda x: x.strip(), line.split(';'))

One question: is it right that the browser sends 'a;b' as '"a;b"'? What does the RFC say?

-- Vladimir

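
The split reported in the message above, next to a quote-aware alternative, as an added example that is not part of the original thread and is not the cgi.py source. The function names are illustrative, the list comprehension stands in for the quoted `map(lambda ...)` expression, and the header value is the one from the netcat capture; since the thread notes the filename can become an object id, the two results show why the parser must agree with the sender about where the filename ends.

```python
import re

# Added example, not the cgi.py source. Only the split expression in
# naive_params() comes from the thread; all function names are illustrative.

def _to_params(plist):
    """First item is the header value; the rest are key=value parameters."""
    params = {}
    for item in plist[1:]:
        if '=' not in item:
            continue  # fragment left over from a bad split, e.g. 'b"'
        key, value = item.split('=', 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            # Strip the surrounding quotes and undo backslash escapes.
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        params[key.strip().lower()] = value
    return plist[0], params

def naive_params(line):
    """Split on every ';', ignoring quoting (the behaviour reported above)."""
    return _to_params([x.strip() for x in line.split(';')])

def quote_aware_params(line):
    """Split on ';' only when it is outside a double-quoted string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in line:
        if escaped:
            escaped = False
        elif in_quotes and ch == '\\':
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            parts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append(''.join(buf).strip())
    return _to_params(parts)

# Header value taken from the netcat capture quoted in the thread.
HEADER = 'form-data; name="file"; filename="a;b"'

if __name__ == '__main__':
    print(naive_params(HEADER))        # filename parsed as '"a'
    print(quote_aware_params(HEADER))  # filename parsed as 'a;b'
```
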
Hi,

On Wed, 2004-10-27 at 12:55, Vova wrote:
> Tino Wildenhain wrote:
> > > So filename is sent correctly as 'a;b'. But Zope says that filename is '"a'.
> >
> > Cool :-) We come close. Then you have to file a bug for the cgi.py which does the hard work of reading and parsing. Looks like an insufficiency in handling of the " " quoting while parsing header lines.
>
> You are right. Bug is in cgi.py at line 325:
>
>     plist = map(lambda x: x.strip(), line.split(';'))
>
> One question: is it right that browser sends 'a;b' as '"a;b"' ? What RFC

rfc822 I believe. But the quoting looks right. Otherwise the ; in the name would have to be handled as a delimiter, like cgi.py does in this case because it ignores the quoting.

I wonder how the other MIME handling modules in Python do this: rfc822, mimetools, email

Regards
Tino

Tino Wildenhain wrote:
> > You are right. Bug is in cgi.py at line 325:
> >
> >     plist = map(lambda x: x.strip(), line.split(';'))
> >
> > One question: is it right that browser sends 'a;b' as '"a;b"' ? What RFC
>
> rfc822 I believe. But the quoting looks right. Otherwise the ; in the name would have to be handled as a delimiter, like cgi.py does in this case because it ignores the quoting.
>
> I wonder how the other MIME handling modules in Python do this: rfc822, mimetools, email

email seems to handle it correctly, but it doesn't handle "=" ;-) It's a very similar bug; it's strange that one of them is fixed and the other isn't. See email/Message.py line 61, function _parseparam. In mimetools this is not fixed, but noted in a comment (mimetools.py:47). Where could I post this bug?

-- Vladimir

On Wed, 27 Oct 2004 15:31:26 +0400, Vova <kv11111@mail.ru> wrote:
> email seems to handle it correctly, but it doesn't handle "=" ;-) It's a very similar bug; it's strange that one of them is fixed and the other isn't. See email/Message.py line 61, function _parseparam. In mimetools this is not fixed, but noted in a comment (mimetools.py:47). Where could I post this bug?

Please post this in the Python bug tracker on SourceForge:

http://sourceforge.net/tracker/?atid=105470&group_id=5470&func=browse

-Fred

--
Fred L. Drake, Jr. <fdrake at gmail.com>
Zope Corporation

Hello,

I would like to make a site map for my Plone site (with Zope 2.7.2 and Plone 2.0.4) with the dtml-tree function... When I tried my code, it was successful with the administrator account, but it raises an exception "An error occurred. Error type: Unauthorized Error value: You are not allowed to access 'Documentation' in this context", although I use the "skip unauthorized" in the declaration of the dtml-tree tag. I also tried to use skip unauthorized=1 with no more success.

Can someone help me?

Sorry for my English
Stéphane

This is my bit of dtml that produces a site map:

    <p><a href="&dtml-URL0;?expand_all=1">Expand All</a> |
    <a href="&dtml-URL0;?collapse_all=1">Collapse All</a>
    </p>
    <dtml-tree branches="siteMapSkip" skip_unauthorized nowrap="1" sort="title_or_id">
    <a href="&dtml-absolute_url;"><dtml-var title_or_id></a>
    </dtml-tree>

and siteMapSkip is a Python script that allows me to set a Property in a folder that I do not want seen in the site map:

    """
    Check for a skip property in folders that should not appear in the Site Tree
    Examples include imagesr, imagest
    """
    results=[]
    for object in context.objectValues(['Folder']):
        if object.hasProperty('siteTreeSkip'):
            pass
        else:
            results.append(object)
    return results

An anonymous user can produce a complete site map, including showing folders within folders where login is required. However, if an anonymous user clicks the link to a protected folder the login sequence is triggered.

I did this a long time ago and can't remember why it works. I guess because I am calling my own function on each branch.

Cliff

Stéphane Peillon wrote:
> Hello,
>
> I would like to make a site map for my Plone site (with Zope 2.7.2 and Plone 2.0.4) with the dtml-tree function... When I tried my code, it was successful with the administrator account, but it raises an exception "An error occurred. Error type: Unauthorized Error value: You are not allowed to access 'Documentation' in this context", although I use the "skip unauthorized" in the declaration of the dtml-tree tag. I also tried to use skip unauthorized=1 with no more success.
>
> Can someone help me?
>
> Sorry for my English
> Stéphane

Stéphane Peillon wrote:
> Hello,
>
> I would like to make a site map for my Plone site (with Zope 2.7.2 and Plone 2.0.4) with the dtml-tree function... When I tried my code, it was successful with the administrator account, but it raises an exception "An error occurred. Error type: Unauthorized Error value: You are not allowed to access 'Documentation' in this context", although I use the "skip unauthorized" in the declaration of the dtml-tree tag. I also tried to use skip unauthorized=1 with no more success.
>
> Can someone help me?

I would look at the $ZOPE_HOME/lib/python/ZTUtils/Tree.py for an alternative to using the <dtml-tree> tag, whose semantics / quirks I can't recall any longer.

BTW, next time, please don't "hijack" an existing thread to ask an unrelated question; instead, please start a new thread (i.e., rather than replying to a message, compose a new one to the list).

Tres.

--
Tres Seaver    tseaver@zope.com
Zope Corporation    "Zope Dealers"    http://www.zope.com

Fred Drake wrote:
> On Wed, 27 Oct 2004 15:31:26 +0400, Vova <kv11111@mail.ru> wrote:
> > email seems to handle it correctly, but it doesn't handle "=" ;-) It's a very similar bug; it's strange that one of them is fixed and the other isn't. See email/Message.py line 61, function _parseparam. In mimetools this is not fixed, but noted in a comment (mimetools.py:47). Where could I post this bug?
>
> Please post this in the Python bug tracker on SourceForge:
>
> http://sourceforge.net/tracker/?atid=105470&group_id=5470&func=browse

I've posted a patch to fix it to http://sourceforge.net/tracker/?group_id=5470&atid=305470

-- Vladimir

On Wed, 27 Oct 2004 18:03:04 +0400, Vova <kv11111@mail.ru> wrote:
> I've posted a patch to fix it to http://sourceforge.net/tracker/?group_id=5470&atid=305470

Thanks! I've assigned it to myself.

-Fred

--
Fred L. Drake, Jr. <fdrake at gmail.com>
Zope Corporation

It works fine for me using 2.7.3, but my nc -l -p 8080 outputs differently than yours--my browser url-encodes the ';' thusly:

    User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.2) Gecko/20040803
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://localhost:8080/sandbox/test_zpt
    Cookie: dtpref_rows="20"; ta_pref_cols="140"; ta_pref_rows="30"; dtpref_cols="100%"; tree-s="eJzT0MgpMOQKVneEA1dbda4CI67EkgJjLj0AeGcHew"
    Authorization: Basic cHNjb3R0ZHY6ZHJiZWFnbDM=
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 14

    filename=a%3Bb

Vova wrote:
> Hello All! It seems that Zope does not handle names of uploaded files correctly when they include ';'.

P. Scott DeVos wrote:
> It works fine for me using 2.7.3, but my nc -l -p 8080 outputs differently than yours--my browser url-encodes the ';' thusly:
>
>     User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.2) Gecko/20040803
>     Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>     Accept-Language: en-us,en;q=0.5
>     Accept-Encoding: gzip,deflate
>     Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>     Keep-Alive: 300
>     Connection: keep-alive
>     Referer: http://localhost:8080/sandbox/test_zpt
>     Cookie: dtpref_rows="20"; ta_pref_cols="140"; ta_pref_rows="30"; dtpref_cols="100%"; tree-s="eJzT0MgpMOQKVneEA1dbda4CI67EkgJjLj0AeGcHew"
>     Authorization: Basic cHNjb3R0ZHY6ZHJiZWFnbDM=
>     Content-Type: application/x-www-form-urlencoded
                    ^^^^^^^^^^^^^^^^^^^^^
>     Content-Length: 14
>
>     filename=a%3Bb

When you create a form for file upload, you normally set the form content type to "multipart/form-data":

    <form enctype="multipart/form-data" action="http://localhost:8000/" method="POST">

Try it. You will see something like this:

    POST / HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (compatible; Konqueror/3.3; Linux) (KHTML, like Gecko)
    Pragma: no-cache
    Cache-control: no-cache
    Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
    Accept-Encoding: x-gzip, x-deflate, gzip, deflate
    Accept-Charset: koi8-r, utf-8;q=0.5, *;q=0.5
    Accept-Language: en
    Host: localhost:8000
    Content-Type: multipart/form-data; boundary=----------bnFccLZora1CrXZK1Fgi5hIkkjdNJhjtVzT5I2u7atKPPtkO6O4B3Nu
    Content-Length: 243

    ------------bnFccLZora1CrXZK1Fgi5hIkkjdNJhjtVzT5I2u7atKPPtkO6O4B3Nu
    Content-Disposition: form-data; name="file"; filename="a;b"
    Content-Type: application/x-zerosize

    ------------bnFccLZora1CrXZK1Fgi5hIkkjdNJhjtVzT5I2u7atKPPtkO6O4B3Nu--

-- Vladimir

Vova wrote:
> P. Scott DeVos wrote:
> > It works fine for me using 2.7.3, but my nc -l -p 8080 outputs differently than yours--my browser url-encodes the ';' thusly:
> >
> >     User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.2) Gecko/20040803
> >     Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> >     Accept-Language: en-us,en;q=0.5
> >     Accept-Encoding: gzip,deflate
> >     Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> >     Keep-Alive: 300
> >     Connection: keep-alive
> >     Referer: http://localhost:8080/sandbox/test_zpt
> >     Cookie: dtpref_rows="20"; ta_pref_cols="140"; ta_pref_rows="30"; dtpref_cols="100%"; tree-s="eJzT0MgpMOQKVneEA1dbda4CI67EkgJjLj0AeGcHew"
> >     Authorization: Basic cHNjb3R0ZHY6ZHJiZWFnbDM=
> >     Content-Type: application/x-www-form-urlencoded
>                     ^^^^^^^^^^^^^^^^^^^^^
> >     Content-Length: 14
> >
> >     filename=a%3Bb
>
> When you create a form for file upload, you normally set the form content type to "multipart/form-data":
>
>     <form enctype="multipart/form-data" action="http://localhost:8000/" method="POST">
>
> Try it. You will see something like this:

Ah yes, I thought I had done so. I must have forgotten to click the "Save Changes" button. It performs exactly as you say.

participants (7)

- Cliff Ford
- Fred Drake
- P. Scott DeVos
- Stéphane Peillon
- Tino Wildenhain
- Tres Seaver
- Vova