[Zope] - Some minor problems

Jim Fulton jim@Digicool.com
Tue, 08 Dec 1998 14:43:04 +0000


Ty Sarna wrote:
> 
> My nightly security scan turned up two files in the distribution with
> the SGID bit set:
> 
> Checking setuid files and devices:
> Setuid additions:
> -rw-r-S--- 1 tsarna devel 605 Aug 12 06:03:46 1998 /endicor/home/tsarna/work/netbsd/pkgsrc/www/zope/work/Zope-1.9b1-src/lib/python/App/Setup
> -rw-r-S--- 1 tsarna devel 833 Aug 14 11:49:53 1998 /endicor/home/tsarna/work/netbsd/pkgsrc/www/zope/work/Zope-1.9b1-src/lib/python/OFS/Setup
> 
> Harmless, but should be fixed anyway :^)

Weird.  My checked out (from CVS) version doesn't have this setting
but the release does.  I'm not going to think hard about it. I
just removed these.  They aren't used anymore anyway.

> Also, I've noticed a tendency for Zope to throw up a lot more
> exceptions, even in "success" situations.  Maybe this is just an extra
> knob that's turned on for betas, or maybe it's a difference in python
> 1.5 exception handling.  Shutdown, for example, works and gives the
> familiar message, but then shows:
> 
> Traceback (innermost last):
>   File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 861, in publish_module
>   File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 583, in publish
>     (Info: /Control_Panel/manage_shutdown)
>   File /usr/pkg/zope/lib/python/App/ApplicationManager.py, line 216, in manage_shutdown
>     (Object: Navigation)
> SystemExit: 0
> 
> A similar thing happens if I enter the management password incorrectly.
> I get the usual message, but then a traceback as well.

These were always "exceptions".  When you click on the
shutdown button, the application calls sys.exit, which raises
a SystemExit.  This has always been the case, but you didn't notice
because tracebacks were in HTML comments.  Similarly, authorization
failures are triggered by raising "Unauthorized".

Your PCGI info file probably has:

BOBO_DEBUG_MODE=1

which turns on a number of debugging features, including
the non-hiding of tracebacks.

BTW, we need to change this to "ZOPE_DEBUG". :)
 
> Also, I copied over the data from a sandbox Principia that I'd been
> playing with here recently, and it worked except for two folders I
> couldn't enter (from the management interface, that is).

Note that we aren't yet asserting that Principia databases are 
supported.  They will be supported by the second or third beta.
OTOH, we are glad when folks do try using them and report problems.

> One contained
> some Aqueduct stuff, the other was my TinyTable testing folder.  Since
> those products weren't installed I didn't expect them to work.  ;-)
> However, I expected to see something like what happened with the SwRI
> site's license file problems, when the icons for ExternalMethods changed
> to a broken document and the title became "this is a broken object".
> However, with Zope the entire folder's manage_main became inaccessible:
> 
> Traceback (innermost last):
>   File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 861, in publish_module
>   File /usr/pkg/zope/lib/python/ZPublisher/Publish.py, line 583, in publish
>     (Info: /Testing/manage_main)
>   File /usr/pkg/zope/lib/python/Globals.py, line 222, in __call__
>     (Object: manage_main)
>   File /usr/pkg/zope/lib/python/DocumentTemplate/DT_String.py, line 502, in __call__
>     (Object: manage_main)
>   File /usr/pkg/zope/lib/python/DocumentTemplate/DT_In.py, line 675, in renderwob
>     (Object: objectItems)
>   File /usr/pkg/zope/lib/python/OFS/SimpleItem.py, line 144, in title_and_id
>     (Object: Item)
> AttributeError: id

The machinery for creating "Broken" objects seems to be failing here.
I'll look into it.

Jim


--
Jim Fulton           mailto:jim@digicool.com
Technical Director   (540) 371-6909              Python Powered!
Digital Creations    http://www.digicool.com     http://www.python.org

Under US Code Title 47, Sec.227(b)(1)(C), Sec.227(a)(2)(B) This email
address may not be added to any commercial mail list without my
permission.  Violation of my privacy with advertising or SPAM will
result in a suit for a MINIMUM of $500 damages/incident, $1500 for
repeats.
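
Added example, not part of the original thread or of Zope's own code: the first item above describes SGID bits that were present in the release archive but not in the CVS checkout, which a pre-release check over the tarball itself would catch. The sketch below lists archive members carrying setuid or setgid bits; the sample archive, its paths and its modes are constructed for illustration.

```python
import io
import stat
import tarfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_mode_members(fileobj):
    """Return (name, ls-style mode, flags) for members with setuid/setgid set."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            # Only regular files and directories carry meaningful special bits.
            if not (member.isfile() or member.isdir()):
                continue
            if member.mode & SPECIAL_BITS:
                flags = []
                if member.mode & stat.S_ISUID:
                    flags.append("setuid")
                if member.mode & stat.S_ISGID:
                    flags.append("setgid")
                type_bits = stat.S_IFDIR if member.isdir() else stat.S_IFREG
                mode_text = stat.filemode(type_bits | member.mode)
                findings.append((member.name, mode_text, flags))
    return findings


def build_sample_release():
    """Constructed sample: an in-memory tarball with made-up paths and modes."""
    members = [
        ("sample-1.0-src/lib/App/Setup", 0o2640),    # setgid, no group execute
        ("sample-1.0-src/lib/OFS/Setup", 0o2640),    # same pattern as in the report
        ("sample-1.0-src/lib/OFS/Folder.py", 0o644),  # ordinary file, not reported
        ("sample-1.0-src/bin/start", 0o4755),        # setuid executable
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for name, mode in members:
            data = b"# placeholder\n"
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.size = len(data)
            archive.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode_text, flags in find_special_mode_members(build_sample_release()):
        print(mode_text, ",".join(flags), name)
```

Running the check against the built archive rather than the working tree matters here, since the reply notes that the checkout and the release differed.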