[Zope-dev] DTML and REQUEST data changes about to be checked in

Toby Dickenson tdickenson@geminidataloggers.com
Fri, 9 Aug 2002 09:56:45 +0100


On Thursday 08 Aug 2002 9:29 pm, Martijn Pieters wrote:
> On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > > I am about to land some big changes in the way DTML deals with data
> > > taken from the REQUEST object when accessed implicitly, in both the
> > > Zope Trunk and the Zope 2.5 branch.
> >
> > In my opinion this change is completely unacceptable at this late stage of
> > the release cycle. As you said:
> > > These changes could potentially break existing Zope sites.
> >
> > The existing behavior might be flawed, but it is a flaw we have all lived
> > with for a long time. In my opinion this needs:
> >
> > 1. To be deferred until the 2.7 cycle.
> >
> > 2. A detailed fishbowl proposal.
>
> Note that the problems fixed are potential security problems. Although we
> cannot fix every site out there for sure, the fixes certainly dramatically
> reduce the risks.

I'm not going to argue that this feature is bad - because I don't believe that
to be true. I suspect the feature is not exactly quite right - but those
issues can easily be resolved over a full release cycle.

> The risk for breakage is very small really

Your choice of '<' and html_quote suggests that my dtml code which generates
javascript and vbscript carries a higher risk than dtml which generates html.

> , and breakage
> will generally only occur when someone is trying to exploit the weakness,
> not in normal operation of the site.

The fact that your change uses html_quote to 'fix' the problem rather than
sounding 'hacker alert' alarm bells suggests to me that you don't really
believe that ;-)

> I'll leave any decisions on whether or not this stays in the current release
> cycles or moves to 2.7 to Jim Fulton. He is unfortunately on vacation
> until next week.
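Toby's point about html_quote and DTML that emits JavaScript, as an added Python example that is not part of this thread or of Zope: an HTML-escaping filter applied to a REQUEST value inside a JavaScript string literal leaves the string delimiter untouched, while JSON encoding fits that context. The html_quote below is a stand-in assumed to escape &, <, > and " (not Zope's own implementation), and the REQUEST values are constructed.

```python
import json

# Constructed REQUEST values standing in for data DTML would pull implicitly from REQUEST.
REQUEST_QUOTE = {"name": "O'Brien"}
REQUEST_ANGLE = {"name": "a<b"}


def html_quote(value):
    """Stand-in for a DTML html_quote filter (assumption: escapes &, <, > and ").
    The single quote is left alone; it is harmless in HTML text but is a
    string delimiter in JavaScript."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def js_quote(value):
    """Escaping for a JavaScript string-literal context: JSON-encode the value
    (quotes and backslashes get escaped) and write < and > as \\u escapes so the
    literal can never contain the characters that would end a <script> element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_html(request):
    """HTML element content: html_quote is the right filter for this context."""
    return "<p>Hello %s</p>" % html_quote(request["name"])


def render_js_with_html_quote(request):
    """JavaScript string context escaped with html_quote: the wrong filter here."""
    return "<script>var who = '%s';</script>" % html_quote(request["name"])


def render_js_with_js_quote(request):
    """JavaScript string context escaped for JavaScript."""
    return "<script>var who = %s;</script>" % js_quote(request["name"])


def unescaped_count(text, ch):
    """Count occurrences of ch not preceded by a backslash; an odd count of the
    string delimiter means the interpolated value terminated the literal early."""
    return sum(1 for i, c in enumerate(text)
               if c == ch and (i == 0 or text[i - 1] != "\\"))


if __name__ == "__main__":
    print(render_js_with_html_quote(REQUEST_QUOTE))  # the literal ends after the O
    print(render_js_with_js_quote(REQUEST_QUOTE))
```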