[Zope-dev] weak examples, weak exploits

Jamie Heilman jamie@audible.transient.net
Mon, 23 Jun 2003 02:12:58 -0700


seb bacon wrote:
> No.  Just go ahead and make the changes.  It would be instructive for
> others reading the examples to add a comment or two explaining the
> rationale behind the extra checking code.

'k I can do that
 
> The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> though.  The reason it's still turning up in 2.6.x versions is probably
> due to upgrades.  Therefore I suppose additionally there should be a
> patch which examines the ZODB on startup and prints a warning if an old
> Examples folder is present.

You know, ironically, I don't think this "advisory" even covers that hole.
There's obvious DoS potential in the guest book and such, but that's
easily limited without degrading the value of the example.  Anyway,
I'll scrape over the examples and see what I can clean up.

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass."
                                                        -Frank Zappa