[Zope] zope backward compatibility policy?

Andreas Jung lists at andreas-jung.com
Mon Jun 13 04:15:39 EDT 2005



--On 13. Juni 2005 09:47:33 +0200 gabor <gabor at nekomancer.net> wrote:

> hi,
>
> what's the backward compatibility policy of zope?
>
> i'm asking because while upgrading from 2.6.4 to 2.7.2 we had some
> problems. simple ones (like the 'lines' property type seems to have
> changed from list to tuple), but still problems.


From the cvs log of PropertyManager.py

"""
revision 1.56
date: 2004/01/15 22:50:17;  author: tseaver;  state: Exp;  lines: +4 -2


  - CGI escape merge (from 2.6 / 2.7 audit).

  - Store 'lines' and 'tokens' properties as tuples, not lists (merge from
    2.6 / 2.7 audit).
"""

So this change was driven by security issues. And btw. it *is* documented 
in the release notes:

"""
 - Some property types were stored in a mutable data type (list) which
       could potentially allow untrusted code to effect changes on those
       properties without going through appropriate security checks in
       particular scenarios.

"""


-aj
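
Added example, not part of the original message and not Zope's own code: a simplified stand-in for a property manager that shows the issue the release note describes. The names PropertyHolder, get_lines, set_lines, user_can_manage and untrusted_edit are assumptions made for illustration.

```python
# Simplified stand-in for a property manager; NOT Zope's PropertyManager code.
class Unauthorized(Exception):
    pass


class PropertyHolder:
    """Stores a 'lines' property; writes are meant to pass a permission check."""

    def __init__(self, lines, store_as=tuple):
        self._store_as = store_as      # list = old storage, tuple = after the audit
        self._lines = store_as(lines)

    def get_lines(self):
        # Read path: hands out the stored object itself, no copy.
        return self._lines

    def set_lines(self, lines, user_can_manage):
        # The only intended write path, guarded by a (hypothetical) permission flag.
        if not user_can_manage:
            raise Unauthorized("permission to manage properties required")
        self._lines = self._store_as(lines)


def untrusted_edit(holder):
    """Code without the manage permission tries both write paths.

    Returns a dict recording which attempts changed the stored value.
    """
    result = {}
    try:
        holder.set_lines(["changed"], user_can_manage=False)
        result["via_setter"] = True
    except Unauthorized:
        result["via_setter"] = False
    try:
        holder.get_lines().append("changed")  # in-place mutation, no check runs
        result["via_mutation"] = True
    except AttributeError:                     # tuples have no append()
        result["via_mutation"] = False
    return result


if __name__ == "__main__":
    for kind in (list, tuple):                 # constructed sample values
        holder = PropertyHolder(["a", "b"], store_as=kind)
        print(kind.__name__, untrusted_edit(holder), holder.get_lines())
```

With list storage the setter refuses the write but the in-place mutation succeeds; with tuple storage both fail. Code written against the list form that calls list-only methods such as append() fails against the tuple form in the same way.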