[Zope-dev] weak examples, weak exploits

Casey Duncan casey@zope.com
Mon, 23 Jun 2003 10:33:42 -0400


I would be in favor of making the Examples "opt-in" like the Zope tutorial. It
seems silly to have it in every ZODB by default. Make people add it if they
want it.

-Casey

On Monday 23 June 2003 05:12 am, Jamie Heilman wrote:
> seb bacon wrote:
> > No.  Just go ahead and make the changes.  It would be instructive for
> > others reading the examples to add a comment or two explaining the
> > rationale behind the extra checking code.
>
> 'k I can do that
>
> > The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
> > though.  The reason it's still turning up in 2.6.x versions is probably
> > due to upgrades.  Therefore I suppose additionally there should be a
> > patch which examines the ZODB on startup and prints a warning if an old
> > Examples folder is present.
>
> You know, ironically, I don't think this "advisory" even covers that hole.
> There's obvious DoS potential in the guest book and such, but that's
> easily limited without degrading the value of the example.  Anyway,
> I'll scrape over the examples and see what I can clean up.
>
> --
> Jamie Heilman                   http://audible.transient.net/~jamie/
> "Most people wouldn't know music if it came up and bit them on the ass."
>                                                         -Frank Zappa