[Zope-dev] Zope 2.1.4 released...
Brian Lloyd
Brian@digicool.com
Wed, 9 Feb 2000 16:54:48 -0500
Hi all,
Zope 2.1.4 has been released. It can be downloaded from
Zope.org at: http://www.zope.org/Products/Zope/2.1.4/
This update prevents the REQUEST object from being traversable
by web clients. While this feature was useful for debugging,
Evan Simpson noted a potential security issue that could allow
web authors to play client scripting tricks and make them appear
(to the user) to be coming from a Zope site.
While we know of no instances of this happening and the actual
security of the Zope site's data is not affected by this, we do
recommend that you upgrade to 2.1.4 to avoid any problems.
Also (I know many of you are already thinking it :), we are
working on a way to distribute "patch" releases for things
like this to make updates easier. Until then, for those who
_really_ just want to patch your installation you can
replace the file lib/python/ZPublisher/BaseRequest.py in
your installation with the one from the 2.1.4 distribution
and restart your Zope instance.
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com