[Zope-Checkins] CVS: Zope/doc - CHANGES.txt:1.535.2.19
Martijn Pieters
mj@zope.com
Fri, 4 Oct 2002 10:47:57 -0400
Update of /cvs-repository/Zope/doc
In directory cvs.zope.org:/tmp/cvs-serv4153/doc
Modified Files:
Tag: Zope-2_6-branch
CHANGES.txt
Log Message:
Limit the string length to be decoded; don't cater to DoS attacks (fixes
Collector issue #605).
Also semi-revert an earlier change on detecting depth encodings; testing
only the first character *is* just fine (and cheaper and safer in the face
of a possible DoS attack).
Last but not least provide a changelog entry and rewrap an earlier entry I
made.
=== Zope/doc/CHANGES.txt 1.535.2.18 => 1.535.2.19 ===
--- Zope/doc/CHANGES.txt:1.535.2.18 Thu Oct 3 17:50:38 2002
+++ Zope/doc/CHANGES.txt Fri Oct 4 10:47:25 2002
@@ -40,8 +40,12 @@
ZODB root object. Also, filter functions didn't work.
- Collector #603: ZTUtils.Tree.encodeExpansion encoded depth with '.'
- characters, but decodeExpansion could possibly see an encoded node id as
- an encoded depth when that encoded id started with a '.'.
+ characters, but decodeExpansion could possibly see an encoded node
+ id as an encoded depth when that encoded id started with a '.'.
+
+ - Collector #605: ZTUtils.Tree.decodeExpansion set no limits on the
+ string to be decoded, allowing for a DoS attack with very large
+ strings.
Features Added
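Review bot: the added Collector #605 entry says decodeExpansion "set no limits on the string to be decoded" but does not say what the limit is now or what happens when a string exceeds it. Someone reading CHANGES.txt cannot tell whether an over-long expansion string is rejected, truncated, or raises an error, and that matters to anyone whose tree state is legitimately large. Suggest naming the cap and the failure behaviour in the entry. Separately, the log message describes a semi-revert of the depth-encoding detection (testing only the first character), while the #603 entry in this hunk is only rewrapped; if the behaviour that entry describes changed, it should say so.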