[Zope-dev] weak examples, weak exploits

seb bacon seb@jamkit.com
23 Jun 2003 10:08:15 +0100


On Mon, 2003-06-23 at 09:20, Jamie Heilman wrote:

> I'll submit a fixed Examples.zexp but I need to know how it's normally
> prepared, ownership, etc.  Is there anything special I should do?

No.  Just go ahead and make the changes.  It would be instructive for
others reading the examples to add a comment or two explaining the
rationale behind the extra checking code.

The file upload vulnerability was fixed in version 1.3 of Examples.zexp,
though.  The reason it's still turning up in 2.6.x versions is probably
due to upgrades.  Therefore I suppose additionally there should be a
patch which examines the ZODB on startup and prints a warning if an old
Examples folder is present.

seb