[Zope] zope backward compatibility policy?
Andreas Jung
lists at andreas-jung.com
Mon Jun 13 04:15:39 EDT 2005
--On 13. Juni 2005 09:47:33 +0200 gabor <gabor at nekomancer.net> wrote:
> hi,
>
> what's the backward compatibility policy of zope?
>
> i'm asking because while upgrading from 2.6.4 to 2.7.2 we had some
> problems. simple ones (like the 'lines' property type seems to have
> changed from list to tuple), but still problems.
From the cvs log of PropertyManager.py
"""
revision 1.56
date: 2004/01/15 22:50:17; author: tseaver; state: Exp; lines: +4 -2
- CGI escape merge (from 2.6 / 2.7 audit).
- Store 'lines' and 'tokens' properties as tuples, not lists (merge from
2.6 / 2.7 audit).
"""
So this change was driven by security issues. And btw. it *is* documented
in the release notes:
"""
- Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
"""
-aj
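
The aliasing problem the quoted release note describes, as an added example that is not part of the original message and is not Zope's code: `ToyPropertyManager`, `set_lines`, `get_lines` and the sample host names are hypothetical stand-ins for a permission-guarded property store. It compares storing a 'lines' value as a list with storing it as a tuple when a caller that may only read tries to change it.

```python
# Added illustration; a toy model, not Zope's PropertyManager code.

class Unauthorized(Exception):
    """Raised when a caller lacks the permission to change properties."""


class ToyPropertyManager:
    """Minimal stand-in for an object with permission-guarded properties."""

    def __init__(self, store_as):
        self._store_as = store_as      # list (old behaviour) or tuple (new)
        self._props = {}

    def set_lines(self, name, value, caller_may_manage):
        # The only sanctioned write path: permission is checked first.
        if not caller_may_manage:
            raise Unauthorized(name)
        self._props[name] = self._store_as(value)

    def get_lines(self, name):
        # Read access is open; the stored object itself is returned.
        return self._props[name]


def untrusted_edit(manager, name, extra):
    """Code that may read but not manage properties tries to add a line."""
    try:
        manager.set_lines(name, [extra], caller_may_manage=False)
    except Unauthorized:
        pass                           # the guarded path refuses, as intended
    try:
        manager.get_lines(name).append(extra)   # in-place change, no check
    except AttributeError:
        return False                   # tuple has no append: nothing changed
    return True


def demo():
    """Return {storage type: (was the value changed?, final value)}."""
    results = {}
    for kind in (list, tuple):
        pm = ToyPropertyManager(kind)
        # Constructed sample value, set by a caller holding the permission.
        pm.set_lines("allowed_hosts", ["intranet.example"], caller_may_manage=True)
        changed = untrusted_edit(pm, "allowed_hosts", "other.example")
        results[kind.__name__] = (changed, kind(pm.get_lines("allowed_hosts")))
    return results
```

The same `AttributeError` is what existing code sees after the upgrade if it mutated a 'lines' value in place.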