- 16 Jan, 2004 4 commits
-
-
Tres Seaver authored
-
Tres Seaver authored
-
Brian Lloyd authored
-
Brian Lloyd authored
-
- 15 Jan, 2004 18 commits
-
-
Tres Seaver authored
- Don't use bare 'eval' to check filtered set membershp (merge from 2.6 / 2.7 audit).
-
Tres Seaver authored
- ZConfig changes for ZSP.
-
Tres Seaver authored
- Merge a number of entangled issues from 2.6 / 2.7 audit: Iteration over sequences could in some cases fail to check access to an object obtained from the sequence. Subsequent checks (such as for attributes access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place. List and dictionary instance methods such as the get method of dictionary objects were not security aware and could return an object without checking access to that object. Subsequent checks (such as for attributes access) of such an object would still be performed, but it should not have been possible to obtain the object in the first place. Use of "import as" in Python scripts could potentially rebind names in ways that could be used to avoid appropriate security checks. A number of newer built-ins were either unavailable in untrusted code or did not perform adequate security checking. Unpacking via function calls, variable assignment, exception variables and other contexts did not perform adequate security checks, potentially allowing access to objects that should have been protected. Class security was not properly intialized for PythonScripts, potentially allowing access to variables that should be protected. It turned out that most of the security assertions were in fact activated as a side effect of other code, but this fix is still appropriate to ensure that all security declarations are properly applied. DTMLMethods with proxy rights could incorrectly transfer those rights via acquisition when traversing to a parent object.
-
Tres Seaver authored
- Wire up security policy selection machinery to ZConfig (note that the 'C' policy is currently borked, but should be fixed very soon).
-
Tres Seaver authored
- Don't allow Unicode strings to be passed to response.write() (merged from 2.6 / 2.7 audit).
-
Tres Seaver authored
- HTTPResponse.py: CGI escapes (merged from 2.6 / 2.7 audit). - xmlrpc.py: Exclude "private" attributes when marshalling an instance as an XML-RPC dict (merged from 2.6 / 2.7 audit).
-
Tres Seaver authored
- SimpleTree.py: CGI escapes (merged from 2.6 / 2.7 audit). - Tree.py: prevent DoS agains tree state cookie decompression (merged from 2.6 / 2.7 audit).
-
Tres Seaver authored
- Prevent DoS attack against decompression of tree state cookie (merged from 2.6 / 2.7 audit).
-
Tres Seaver authored
- Bindings.py: verify access to 'context' and 'container' names before returning (merged from 2.6 / 2.7 audit). - dtml/scriptTry.dtml: CGI escapes (merged from 2.6 / 2.7 audit).
-
Tres Seaver authored
-
Tres Seaver authored
-
Tres Seaver authored
- CGI escape merge (from 2.6 / 2.7 audit). - Store 'lines' and 'tokens' properties as tuples, not lists (merge from 2.6 / 2.7 audit).
-
Tres Seaver authored
- Add security assertions for FindSupport (merge from 2.6 / 2.7 audit).
-
Tres Seaver authored
- Disentangle permission settings for related classes (merge from 2.6 / 2.7 audit).
-
Tres Seaver authored
-
Tres Seaver authored
- Merge CGI-escape templating changes from 2.6 / 2.7 audit work.
-
Tres Seaver authored
- Use 'test.py' as the driver for 'make test', rather than 'utilities/testrunner.py'.
-
Evan Simpson authored
Collector #1074: Change Scripts' __name__ to None, added unit tests for the effect of __name__ on class definitions and imports.
-
- 14 Jan, 2004 4 commits
-
-
Brian Lloyd authored
-
Brian Lloyd authored
-
Brian Lloyd authored
-
Andreas Jung authored
-
- 13 Jan, 2004 3 commits
-
-
Jeremy Hylton authored
Adds an option to spawn a process and capture its I/O. Just a checkpoint because it doesn't do anything with the captured I/O yet.
-
Jeremy Hylton authored
-
Jeremy Hylton authored
Refactor the main SvcDoRun() method to make it a little easier to read. Move the details of log messages to helper methods. Trim comments that explain obvious code. Make log messages read the same as zdaemon log messages.
-
- 11 Jan, 2004 1 commit
-
-
Chris McDonough authored
Don't throw misleading warnings about duplicate products on product path unless there actually are duplicate products on product path.� Also, add unit tests for product initialization.
-
- 08 Jan, 2004 4 commits
-
-
Andreas Jung authored
- Range searches with KeywordIndexes did not work with record-style query parameters
-
Andreas Jung authored
-
Andreas Jung authored
- 07 Jan, 2004 2 commits
-
-
Fred Drake authored
-
Andreas Jung authored
- Using "_usage" parameters in a ZCatalog query is deprecated and logged as DeprecationWarning.
-
- 06 Jan, 2004 4 commits
-
-
Fred Drake authored
-
Fred Drake authored
ZConfig.components.logger, adding only what's special about the zLOG version of the factory
-
Fred Drake authored
-
Andreas Jung authored
logged as DeprecationWarning.
-