[Zope] Script (Python) insecure ?

Andreas Jung lists at zopyx.com
Tue Aug 12 14:49:37 EDT 2008



--On 12. August 2008 17:14:15 +0000 Maurits van Rees 
<m.van.rees at zestsoftware.nl> wrote:

> Andreas Jung, on 2008-08-12:
>>>> After rough test: it seems to work for Zope trunk, 2.10 and 2.11
>>>> but has a failure for Zope 2.8.
>>>
>>> I forgot to mention that the hotfix also seems to work for Zope 2.9.
>>> (third-party confirmations are highly appreciated).
>>
>> Update: the hotfix also works for Zope 2.8 (tested with
>> a running Zope instance - however the testrunner does not seem
>> to import Hotfix though the included tests under 2.8 aren't
>> found/executed).
>
> In Zope 2.8, when I place the Hotfix in the Products dir of the
> instance, the two tests pass when I run the tests like this:
>
>   bin/zopectl test --dir=Products/Hotfix_20080812/
>
> That's with: http://www.zope.org/advisories/Hotfix_20080812_0.1.tar.gz
>
> I tested on Zope 2.8, 2.9, 2.10, 2.11.  All with Python 2.4.  Without
> the hotfix "raise SystemExit" crashed Zope.  I could not confirm the
> other problem; that just gave me a LookupError.  With the hotfix in
> the Products dir of the instance, the crash did not occur and the
> tests passed.


Thanks for further testing. I released V 0.2 of the hotfix containing
your fixes. The hotfix also works with Zope 2.7...this should be enough.
If there are no objections I would like to release the hotfix officially at 
some time tomorrow.

Andreas