ZSQL security restriction with Zope 2-1-6 ?
Date: 04/27/2000 05:09 pm (Thursday)
From: Francois-Regis CHALAOUX
To: INET:zope@zope.org
Subject: ZSQL security restriction with Zope 2-1-6 ?

Hi All,

Since I upgraded from Zope-2.1.2 to Zope-2.1.6 I HAVE A BIG PROBLEM !!!

I created a little application to manage seminars. All the methods to consult these seminars work, but all the methods to upgrade, create and delete now return ERRORS. My DB is Gadfly.

Should I come back to 2.1.2 ? Should I change something in my code? Should I modify Zope-2.1.6?

Help, please.

FR

===========
Environment
===========
Linux Suse-6.2
Python 5.2
Zope-2.1.6 upgrade from Zope-2.1.2 with patch Zope-2.1.x-to-2.1.6-linux2-x86.tgz
Gadfly
===========

Below you can find the code of an example and the associated ERROR :

==========================
DTML Document saisies.html
==========================
<FORM ACTION="insert_seminar_do" METHOD="POST">
Blablabla ....
</FORM>

===============================
DTML Document insert_seminar_do
===============================
Blablabla ...
<!--#call "insert_seminar(REQUEST)"-->
Blablabla ...

=========================
SQL Method insert_seminar
=========================
Arguments : titre type jour numero mois annee heure minute nomconf prenomconf titreconf adresseconf lieu nomhote prenomhote url

insert into seminar (id, titre, type, jour, numero, mois, annee, heure, minute, floatdate,
                     nomconf, prenomconf, titreconf, adresseconf, lieu, nomhote, prenomhote, url)
select max(id)+1,
  <!--#sqlvar titre type=string-->,
  <!--#sqlvar type type=string-->,
  <!--#sqlvar jour type=int-->,
  <!--#sqlvar numero type=int-->,
  <!--#sqlvar mois type=int-->,
  <!--#sqlvar annee type=int-->,
  <!--#sqlvar heure type=string-->,
  <!--#sqlvar minute type=string-->,
  <!--#var "tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee'])"-->,
  <!--#sqlvar nomconf type=string-->,
  <!--#sqlvar prenomconf type=string-->,
  <!--#sqlvar titreconf type=string-->,
  <!--#sqlvar adresseconf type=string-->,
  <!--#sqlvar lieu type=string-->,
  <!--#sqlvar nomhote type=string-->,
  <!--#sqlvar prenomhote type=string-->,
  <!--#sqlvar url type=string-->
from seminar

=============================
tofltdate is an external method.
=============================
import string
import sys
from DateTime import *

def tofltdate(numero, mois, annee):
    # Build "annee/mois/numero 0:00pm US/Eastern" as a DateTime string
    # (string.join over a single string returns it unchanged).
    datum = string.join((str(annee) + "/" + str(mois) + "/" + str(numero)) + " 0:00pm US/Eastern", '')
    # Parse it with Zope's DateTime and return the float timestamp stored in floatdate
    f = DateTime(datum)
    return float(f)

########################
Error type: NameError
Error value: REQUEST

Traceback (innermost last):
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 214, in publish_module
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 179, in publish
  File /opt/zope/Zope-2.1.2/lib/python/Zope/__init__.py, line 202, in zpublisher_exception_hook
    (Object: ElementWithAttributes)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 165, in publish
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/mapply.py, line 160, in mapply
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/ZPublisher/Publish.py, line 102, in call_object
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/OFS/DTMLDocument.py, line 166, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: insert_seminar_do)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: insert_seminar(REQUEST))
    (Info: REQUEST)
  File <string>, line 0, in ?
  File /opt/zope/Zope-2.1.2/lib/python/Shared/DC/ZRDB/DA.py, line 424, in __call__
    (Object: insert_seminar)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
    (Object: <string>)
  File /opt/zope/Zope-2.1.2/lib/python/DocumentTemplate/DT_Util.py, line 335, in eval
    (Object: tofltdate(REQUEST['numero'],REQUEST['mois'],REQUEST['annee']))
    (Info: REQUEST)
  File <string>, line 0, in ?
NameError: (see above)
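One way to keep the date computation out of the SQL Method's own DTML namespace, as an added example that is neither the poster's code nor a Zope fix: compute floatdate in the calling DTML Document (the traceback shows the outer insert_seminar(REQUEST) call evaluating and only the nested lookup inside the SQL Method failing) and hand it to the SQL Method as a typed sqlvar argument, which also replaces the raw #var splice with a value DTML checks as a float before it reaches Gadfly. It assumes ZSQL Methods accept argument values as keyword arguments on the call and that floatdate is a numeric column.

```dtml
<!-- DTML Document insert_seminar_do (added example, not the poster's code) -->
<!-- floatdate is computed here, where REQUEST is still reachable, and passed to
     the SQL Method as an explicit keyword argument (assumption: ZSQL Methods
     take their declared arguments as keyword arguments). -->
<!--#call "insert_seminar(REQUEST, floatdate=tofltdate(REQUEST['numero'], REQUEST['mois'], REQUEST['annee']))"-->

<!--#comment-->
SQL Method insert_seminar (added example)
Arguments : titre type jour numero mois annee heure minute floatdate nomconf prenomconf titreconf adresseconf lieu nomhote prenomhote url
floatdate is now a declared argument rendered with a typed sqlvar: the value is
validated as a float before being spliced into the query, where the original
#var inserted the expression's text unchanged.
<!--#/comment-->
insert into seminar (id, titre, type, jour, numero, mois, annee, heure, minute, floatdate,
                     nomconf, prenomconf, titreconf, adresseconf, lieu, nomhote, prenomhote, url)
select max(id)+1,
  <!--#sqlvar titre type=string-->,
  <!--#sqlvar type type=string-->,
  <!--#sqlvar jour type=int-->,
  <!--#sqlvar numero type=int-->,
  <!--#sqlvar mois type=int-->,
  <!--#sqlvar annee type=int-->,
  <!--#sqlvar heure type=string-->,
  <!--#sqlvar minute type=string-->,
  <!--#sqlvar floatdate type=float-->,
  <!--#sqlvar nomconf type=string-->,
  <!--#sqlvar prenomconf type=string-->,
  <!--#sqlvar titreconf type=string-->,
  <!--#sqlvar adresseconf type=string-->,
  <!--#sqlvar lieu type=string-->,
  <!--#sqlvar nomhote type=string-->,
  <!--#sqlvar prenomhote type=string-->,
  <!--#sqlvar url type=string-->
from seminar
```

The external method tofltdate is the poster's own, unchanged; only where it is called moves.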
Hi,

Can you PLEASE stop posting this same message to the list!

If it's not getting answered then you need to look at why it's not getting answered rather than just posting the exact same message.

Looking in the archives, this is around the 4th or 5th time you've posted exactly the same message.

cheers,

Chris

Francois-Regis CHALAOUX wrote:
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
+----[ Chris Withers ]---------------------------------------------
| Hi,
|
| Can you PLEASE stop posting this same message to the list!
|
| If it's not getting answered then you need to look at why it's not getting
| answered rather than just posting the exact same message.

It actually has been answered, albeit cryptically, about three times in the past 24 hours :-)

People having problems with SQL Methods AND 2.1.6 should revert to 2.1.4 until the problems are resolved (I think I remember 2.1.5 being withdrawn due to a bad security problem (I might be wrong)).

Andrew Snare posted a good summary of the problems recently under the Subject of "DTML namespace weirdness". (Andrew if you're reading, you should probably post your summary into the Collector if you haven't already).

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew Milton
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 |
ACN: 082 081 472                     | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|
I've just submitted the info I mentioned earlier in the thread as well, but Andrew's notes are more thorough and would certainly carry more weight on the matter.

John

--
John Chandler / Software Developer / New Information Paradigms Ltd
[ Linux in the office, AmigaOS in the home, PalmOS in the pocket ]
------------------------------------------------------------------------
The opinions above aren't those of my company...
...but then, they aren't really mine either.
In article <200004281155.VAA22181@mail.theinternet.com.au>, Andrew Kenneth Milton <akm@mail.theinternet.com.au> writes
>People having problems with SQL Methods AND 2.1.6 should revert to 2.1.4 until the problems are resolved (I think I remember 2.1.5 being

Is there an archive of the older releases?

>withdrawn due to a bad security problem (I might be wrong)).
2.1.5 completely broke ZSQL.

--
Regards, Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.com/dynamo - The Homebuilt Dynamo
http://www.compkarori.com/dbase - The dBase bulletin
+----[ Graham Chiu ]---------------------------------------------
|
| >People having problems with SQL Methods AND 2.1.6 should revert to
| >2.1.4 until the problems are resolved (I think I remember 2.1.5 being
|
| Is there an archive of the older releases?

http://www.zope.org/Products/Zope/2.1.6/
http://www.zope.org/Products/Zope/2.1.4/
http://www.zope.org/Products/Zope/2.1.3/

etc...

|
| >withdrawn due to a bad security problem (I might be wrong)).
|
| 2.1.5 completely broke ZSQL.

I knew something was bad with it...

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew Milton
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477 |
ACN: 082 081 472                     | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|
participants (6)
- Andrew Kenneth Milton
- Chris Withers
- Daryl Tester
- Francois-Regis CHALAOUX
- Graham Chiu
- John Chandler