[Zope-dev] zope and python compatibility

Jamie Heilman jamie@audible.transient.net
Sat, 11 Jan 2003 08:06:13 -0800


Guido van Rossum wrote:
> > Without python 2.2 zope will continue to harbor remotely exploitable
> > zlib-based memory exhaustion attacks. FWIW
> 
> Can you explain?  Where does Zope even use zlib?

dtml-tree for one, more recent versions of ztutils' tree code as well
although it's mitigated to an extent by some hardcoded length limits;
those are the only two I know of off the top of my head.  rlimits will
ensure the zope process doesn't hork the rest of the host, but even
better is using the improved decompression objects available in python
2.2 which allow for low memory usage decompression.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."				-Holly
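
Added example, not part of the original message and not Zope's code: one way to use the decompression-object interface mentioned above, so that untrusted zlib input is inflated in small steps under a hard output cap. It is written for current Python; the function name, exception class and limits are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import zlib

MAX_OUTPUT = 64 * 1024   # assumed cap on total decompressed size
CHUNK = 8 * 1024         # assumed cap on output produced per step


class DecompressionLimitExceeded(Exception):
    """The stream would inflate past the caller's cap."""


def bounded_decompress(data, max_output=MAX_OUTPUT, chunk=CHUNK):
    """Inflate a zlib stream, never holding more than max_output + chunk bytes."""
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while not d.eof:
        # max_length (second argument) bounds the bytes returned by this call;
        # compressed input that was not needed yet is kept in unconsumed_tail.
        piece = d.decompress(buf, chunk)
        if len(out) + len(piece) > max_output:
            raise DecompressionLimitExceeded(
                "output exceeds %d bytes" % max_output)
        out += piece
        buf = d.unconsumed_tail
        if not piece and not buf:
            # No progress and no input left: the stream ended early.
            raise ValueError("truncated zlib stream")
    return bytes(out)


def demo():
    # Constructed inputs: a small legitimate payload and a highly
    # compressible one (10 MiB of zero bytes, about 10 KiB compressed).
    small = zlib.compress(b"tree-state" * 100)
    bomb = zlib.compress(b"\0" * (10 * 1024 * 1024))
    results = {"small_len": len(bounded_decompress(small))}
    try:
        bounded_decompress(bomb)
        results["bomb_rejected"] = False
    except DecompressionLimitExceeded:
        results["bomb_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

A one-shot zlib.decompress() call on the same input would allocate the full 10 MiB before any length check could run; here the caller gives up after at most max_output + chunk bytes.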