[Zope-dev] DTML and REQUEST data changes about to be checked in

Martijn Pieters mj@zope.com
Thu, 8 Aug 2002 16:29:06 -0400


On Thu, Aug 08, 2002 at 08:19:12PM +0100, Toby Dickenson wrote:
> > I am about to land some big changes in the way DTML deals with data
> > taken from the REQUEST object when accessed implicitly, in both the Zope
> > Trunk and the Zope 2.5 branch.
> 
> In my opinion this change is completely unacceptable at this late stage of
> the release cycle. As you said:
> 
> > These changes could potentially break existing Zope sites.
> 
> The existing behavior might be flawed, but it is a flaw we have all lived
> with for a long time. In my opinion this needs:
> 
> 1. To be deferred until the 2.7 cycle.
> 
> 2. A detailed fishbowl proposal.

Note that the problems fixed are potential security problems. Although we
cannot fix every site out there for sure, the fixes certainly dramatically
reduce the risks. The risk for breakage is very small really, and breakage
will generally only occur when someone is trying to exploit the weakness,
not in normal operation of the site.

I'll leave any decisions on whether or not this stays in the current release
cycles or moves to 2.7 to Jim Fulton. He is unfortunately on vacation until
next week.

-- 
Martijn Pieters
| Software Engineer  mailto:mj@zope.com
| Zope Corporation   http://www.zope.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------