Kodos 2.3.0 has been released and is available at:
http://kodos.sourceforge.net
Changes since 2.1:
- Added: Support for unicode. Users can now create regular
expressions that contain unicode characters.
- Added: Support for multiple languages (locales) via translation
files. If you're interested in translating Kodos to another language
please email me.
- Normalized the distribution paths so that Kodos can find help files
regardless of distribution.
- Fixed some issues with the RPMs. They should now install correctly.
- Minor bug fixes
- Code cleanup
About Kodos:
Kodos is a regular expression designer, tester, debugger and validator
that allows a developer to create and modify regular expressions
against a test string. The intuitive graphical interface allows the
developer the ability to modify the regular expression (regex) and to
see the effects against their test string in real-time.
Key Features:
- Matches can be easily viewed and each match can be seen distinctly
- Regex groups and named groups are clearly displayed
- Sample source code is shown so even python developers new to regular
expressions can quickly add the produced regular expressions to their
own projects.
- Ability to load and save your test cases
- Kodos relies on PyQt for the GUI elements.
http://kodos.sourceforge.net
Python XML Marshaller 0.1 is a new XML Marshaller for Python with some
unique features such as transparently accessing XML documents as if they
were Python objects (really) and a binding to XSD in order to determine
the types of Python objects to create when reading XML (numbers, dates,
etc.). The Python XML Marshaller will also create a full XSD for an
arbitrary Python object graph so that it can be recomposed with its
original types. Python 2.3 license. http://www.yared.com/pybypy.
Peter Yared
http://www.yared.com
I would like to announce the first release of PyGDA, a python extension module
for the GNOME Data Access data abstraction library. PyGDA is released under
the GNU Library General Public License.
The module is still very much in an early alpha stage, and this release is
mainly meant to get feedback from adventurous application developers.
The module does not wrap all of libgda yet; none of the reporting features
are supported yet and parts of the main functionality haven't been wrapped
yet either. However, I have been using it for over a month in a program that
is supposed to be taken in production within a few weeks, with no problems.
(which could perhaps in part be attributed to the fact that the program only
performs SQL SELECT queries on a data provider and does not do any writing;
then again, maybe not :)
PyGDA needs Python 2.2 or higher, libgda 1.0.2, and PyGTK 2 to build.
To run, it doesn't need pygtk but it does need the gobject module from
pygtk.
PyGDA 0.0.3 is available from
http://people.debian.org/~mechanix/pygda-0.0.3.tar.gz and a detached gpg
signature from http://people.debian.org/~mechanix/pygda-0.0.3.tar.gz.asc
(my key can be retrieved from keyring.debian.org)
Regards,
Filip
--
"Sometimes it pays to stay in bed on Monday, rather than spending the rest of
the week debugging Monday's code."
-- Dan Salomon
This is the *last* reminder that the deadline for sending proposals
for presentations at PyCon DC 2004 is January 15, 2004. That's
upcoming Thursday!
I'm also reminding everybody, speakers and non-speakers, of the
upcoming deadline for Early Bird Registration: January 31. Until
then, the registration fee is $175 (student rate $125); after that
date, the registration price goes up to $250 (student rate $150).
Don't forget to register! (Sorry, there's no speakers discount.)
If you're coming to the conference, consider coming a few days early
and participate in a coding sprint. Sprints are free (courtesy of the
PSF!), and are held from Saturday March 20 through Tuesday March 23
(i.e. the four days leading up to the conference). For more info on
sprints, see http://pycon.org/dc2004 .
Now back to proposal submissions:
We are interested in any and all submissions about uses of Python and
the development of the language. Since there is expected to be a
strong educational community presence for the next PyCon, teaching
materials of various kinds are also encouraged.
You can submit your proposal at:
http://submit.pycon.org/
For more information about proposals, see:
http://www.pycon.org/dc2004/cfp/
If you have further questions about the submission web interface or
the format of submissions, please write to:
pycon-organizers(a)python.org
We would like to publish all accepted papers on the web. If your
paper is accepted and you prepare an electronic presentation (in PDF,
PythonPoint or PowerPoint) we will also happily publish that on the
web site once PyCon is over.
If you don't want to make a formal presentation, there will be a
significant amount of Open Space to allow for informal and
spur-of-the-moment presentations for which no formal submission is
required. There will also be several Lightning Talk sessions (five
minutes or less).
About PyCon:
PyCon is a community-oriented conference targeting developers (both
those using Python and those working on the Python project). It gives
you opportunities to learn about significant advances in the Python
development community, to participate in a programming sprint with
some of the leading minds in the Open Source community, and to meet
fellow developers from around the world. The organizers work to make
the conference affordable and accessible to all.
PyCon DC 2004 will be held March 24-26, 2004 in Washington, D.C. The
keynote speaker is Mitch Kapor of the Open Source Applications
Foundation (http://www.osafoundation.org/). There will be a four-day
development sprint before the conference.
We're looking for volunteers to help run PyCon. If you're interested,
subscribe to http://mail.python.org/mailman/listinfo/pycon-organizers
Don't miss any PyCon announcements! Subscribe to
http://mail.python.org/mailman/listinfo/pycon-announce
You can discuss PyCon with other interested people by subscribing to
http://mail.python.org/mailman/listinfo/pycon-interest
The central resource for PyCon DC 2004 is http://www.pycon.org/
Pictures from last year's PyCon:
http://www.python.org/cgi-bin/moinmoin/PyConPhotos
I'm looking forward to seeing you all in DC in March!!!
--Guido van Rossum (home page: http://www.python.org/~guido/)
Call for Papers:
Middleware 2004
ACM/IFIP/USENIX International Middleware Conference
(society sponsorship pending)
Toronto, Ontario, Canada
October 18th - 22nd, 2004
http://www.eecg.utoronto.ca/middleware2004/
Overview
Requirements for faster development cycles, decreased development
efforts, greater software reuse, and better end-to-end control over
system resources are motivating the creation and use of middleware
systems and middleware-based architectures. Middleware is systems
software that resides between the applications and the underlying
operating systems, network protocol stacks, and hardware. Its primary
role is to functionally bridge the gap between application programs
and the lower-level hardware and software infrastructure in order to
coordinate how application components are connected and how they
interoperate. Furthermore, middleware enables and simplifies the
integration of components developed by multiple technology suppliers.
In this sense middleware systems are sets of services and abstractions
that facilitate the development and deployment of distributed
applications in heterogeneous, distributed, computing environments.
Next-generation distributed applications and systems will increasingly
be developed using middleware. This dependency poses hard challenges,
including latency hiding, masking partial failures, information
assurance and security, legacy integration, dynamic service
partitioning and load balancing, and end-to-end quality of service
specification and enforcement. To address these challenges,
researchers and practitioners need to discover and validate
techniques, patterns, and optimizations for middleware frameworks,
multi-level distributed resource management, and adaptive and
reflective middleware architectures.
Following the success of past conferences in this series, the 5th
International Middleware Conference will be the premier event for
middleware research and technology in 2004. The scope of the
conference is the design, implementation, deployment, and evaluation
of distributed system platforms and architectures for future computing
and communication environments. Highlights of the conference will
include a high quality technical program, tutorials, invited speakers,
poster presentations, and workshops.
The proceedings of Middleware 2004 will be published as a
Springer-Verlag volume in the Lecture Notes in Computer Science
Series. For paper formatting instructions see the Springer-Verlag
guidelines for authors. All papers should be no more than 20 pages in
length. For more detailed submission instructions, please visit the
Middleware 2004 web site.
Topics of Interest
The topics of this conference include, but are not limited to:
Distributed real-time and embedded middleware platforms
Reliable and fault-tolerant middleware platforms
Support for multimedia in middleware platforms
Middleware for Grid computing
Novel quality of service architectures and evaluation techniques
Event-based, publish/subscribe and messaging-oriented middleware platforms
Open architectures for reconfigurable middleware
Adaptive and reflective middleware
Aspect-oriented middleware
Generative programming techniques for middleware development
Middleware protocols and services for information assurance and security
Formal methods and tools for reasoning about middleware systems and
services
Management and use of component-based systems in distributed environments
Applications of middleware technologies, including telematics, command
and control, avionics, and e-commerce
Novel paradigms, APIs, and languages for distributed systems
Integration of middleware with model-integrated computing
architectures, such as the OMG's Model Driven Architecture (MDA)
Extensions and refinements to RM-ODP, CORBA, J2EE, .NET, etc.
Impact of emerging Internet technologies and standards on middleware
platforms
Integration of middleware platforms with Web services and Java
technologies
Distributed systems management and interactive configuration and
development tools
Issues of scalability in existing and new distributed systems platforms
Engineering distributed systems in heterogeneous and mobile networks
Middleware for ubiquitous and mobile computing
Organization
General Chair: Steve Vinoski (IONA Technologies, Inc.)
Program Chair: Hans-Arno Jacobsen (University of Toronto,
Canada)
WiP Papers Chair: Jean Bacon (Cambridge University, UK)
Tutorials Chair: Stefan Tai (IBM T.J. Watson, USA)
Advanced Workshops Chair: Fabio Kon (USP, Brazil)
Posters Chair: Eyal de Lara (University of Toronto, Canada)
Local Arrangements Chair: Baochun Li (University of Toronto, Canada)
Publicity Chair: Cristiana Amza (University of Toronto, Canada)
Program Committee
Gul Agha (U. of Illinois, Urbana Champaign, USA)
Gustavo Alonso (ETH Zürich, Switzerland)
Jean Bacon (Cambridge U., UK)
Mark Baker (Canada)
Guruduth Banavar (IBM T.J. Watson, USA)
Alejandro Buchmann (Darmstadt U. of Technology, Germany)
Andrew Campbell (Columbia U., USA)
Roy Campbell (U. of Illinois, Urbana Champaign, USA)
Harold Carr (Sun, USA)
Geoff Coulson (Lancaster U., UK)
Prem Devanbu (UC Davis, USA)
Jan DeMeer (IHP-Microelectronics, Germany)
Naranker Dulay (Imperial College, UK)
Markus Endler (PUC-Rio, Brazil)
Mike Feeley (U. of British Columbia, Canada)
Chris Gill (Washington U., St. Louis, USA)
Aniruddha Gokhale (Vanderbilt U., USA)
Peter Honeyman (CITI, U. of Michigan, USA)
Bettina Kemme (McGill U., Canada)
Fabio Kon (U. of São Paulo, Brazil)
Doug Lea (SUNY Oswego, USA)
Joe Loyall (BBN Technologies, USA)
Edmundo Madeira (U. of Campinas, Brazil)
Keith Moore (HP Laboratories, USA)
Hausi Muller (U. of Victoria, Canada)
Klara Nahrstedt (U. of Illinois, Urbana Champaign, USA)
Dennis Noll (Boeing, USA)
Kerry Raymond (DSTC, Australia)
Luis Rodrigues (U. of Lisboa, Portugal)
Isabelle Rouvellou (IBM T.J. Watson, USA)
Michael Stal (Siemens, Germany)
Rick Schantz (BBN Technologies, USA)
Douglas Schmidt (Vanderbilt U., USA)
Jean-Bernard Stefani (INRIA, Grenoble, France)
Joe Sventek (University of Glasgow, UK)
Janos Sztipanovits (Vanderbilt U., USA)
Stefan Tai (IBM T.J. Watson, USA)
Peter Triantafillou (U. of Patras, Greece)
Nalini Venkatasubramanian (U. of California, Irvine, USA)
Werner Vogels (Cornell U., USA)
Martina Zitterbart (U. of Karlsruhe, Germany)
Submission Deadlines
Abstract submission: Tuesday, March 30th, 2004
Research Papers: Tuesday, April 6th, 2004
Work in Progress Papers: Tuesday, April 6th, 2004
Posters: TBA
Workshop Proposals: Tuesday, March 30th, 2004
Tutorial Proposals: Tuesday, May 11th, 2004
**All deadlines are 11:59pm PST.**
Notification of acceptance (papers): Monday June 14th, 2004
Camera-ready papers due (papers): Monday July 12th, 2004
More Information
For further information and submission instructions, please visit
http://www.eecg.utoronto.ca/middleware2004/ .
We apologize if you receive multiple copies of this message.
===================================================================
Cristiana Amza
Assistant Professor
The Edward Rogers Sr. Department of
Electrical and Computer Engineering
University of Toronto
Middleware Publicity Chair
python-dev Summary for 2003-12-01 through 2003-12-31
++++++++++++++++++++++++++++++++++++++++++++++++++++
This is a summary of traffic on the `python-dev mailing list`_ from
December 1, 2003 through December 31, 2003. It is intended to inform
the wider Python community of on-going developments on the list. To
comment on anything mentioned here, just post to `comp.lang.python`_ (or
email python-list(a)python.org which is a gateway to the newsgroup) with a
subject line mentioning what you are discussing. All python-dev members
are interested in seeing ideas discussed by the community, so don't
hesitate to take a stance on something. And if all of this really
interests you then get involved and join `python-dev`_!
This is the thirty-first and -second summaries written by Brett Cannon
(a friend of a friend actually reads this thing! Hi, Elle).
To contact me, please send email to brett at python.org ; I do not have
the time to keep up on comp.lang.python and thus do not always catch
follow-ups posted there.
All summaries are archived at http://www.python.org/dev/summary/ .
Please note that this summary is written using reStructuredText_ which
can be found at http://docutils.sf.net/rst.html . Any unfamiliar
punctuation is probably markup for reST_ (otherwise it is probably
regular expression syntax or a typo =); you can safely ignore it,
although I suggest learning reST; it's simple and is accepted for `PEP
markup`_ and gives some perks for the HTML output. Also, because of the
wonders of programs that like to reformat text, I cannot guarantee you
will be able to run the text version of this summary through Docutils_
as-is unless it is from the original text file.
.. _PEP Markup: http://www.python.org/peps/pep-0012.html
The in-development version of the documentation for Python can be found
at http://www.python.org/dev/doc/devel/ and should be used when looking
up any documentation on something mentioned here. PEPs (Python
Enhancement Proposals) are located at http://www.python.org/peps/ . To
view files in the Python CVS online, go to
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/python/ . Reported bugs
and suggested patches can be found at the SourceForge_ project page.
The `Python Software Foundation`_ is the non-profit organization that
holds the intellectual property for Python. It also tries to forward
the development and use of Python. But the PSF cannot do this without
donations. You can make a donation at
http://python.org/psf/donations.html . Every penny helps so even a
small donation (you can donate through PayPal or by check) helps.
.. _python-dev: http://www.python.org/dev/
.. _SourceForge: http://sourceforge.net/tracker/?group_id=5470
.. _python-dev mailing list:
http://mail.python.org/mailman/listinfo/python-dev
.. _comp.lang.python: http://groups.google.com/groups?q=comp.lang.python
.. _Docutils: http://docutils.sf.net/
.. _reST:
.. _reStructuredText: http://docutils.sf.net/rst.html
.. _Python Software Foundation: http://python.org/psf/
.. contents::
.. _last summary:
http://www.python.org/dev/summary/2003-10-16_2003-11-15.html
=====================
Summary Announcements
=====================
Sorry if this summary comes off as light, but I caught the flu the week
of Christmas and it developed into walking pneumonia which I still have.
On a more positive note, PyCon is hitting its stride. Online
registration is available at http://pycon.org/dc2004 and early bird
registration ends January 31. Online talk proposal submission is online
at http://submit.pycon.org/ and the deadline is January 15.
=========
Summaries
=========
----------------------------
2.3.3 released to the masses
----------------------------
`Python 2.3.3`_ has gone out the door. Thanks to Anthony Baxter for
being release manager (again!) and to all of python-dev and anyone who
contributed code for this release. With this being a bugfix release
this supersedes 2.3.2 and thus people should upgrade if possible.
.. _Python 2.3.3: http://python.org/2.3.3/
Contributing threads:
- `2.3.3 cycle
<http://mail.python.org/pipermail/python-dev/2003-December/040550.html>`__
- `release23-maint branch CLOSED for release
<http://mail.python.org/pipermail/python-dev/2003-December/040852.html>`__
- `Berkeley support in release23-maint
<http://mail.python.org/pipermail/python-dev/2003-December/041004.html>`__
- `RELEASED Python 2.3.3 (release candidate 1)
<http://mail.python.org/pipermail/python-dev/2003-December/040740.html>`__
- `2.3.3 portability audit
<http://mail.python.org/pipermail/python-dev/2003-December/041167.html>`__
- `2.3.3 and beyond
<http://mail.python.org/pipermail/python-dev/2003-December/041183.html>`__
- `RELEASED Python 2.3.3 (final)
<http://mail.python.org/pipermail/python-dev/2003-December/041286.html>`__
- `status of 2.3 branch for maintenance checkins
<http://mail.python.org/pipermail/python-dev/2003-December/041424.html>`__
----------------------------------
Pie-thon competition work ramps up
----------------------------------
`Dan Sugalski`_, project leader of the Parrot_ VM that will be used for
`Perl 6`_, reminded the list that the benchmark to be used for the
`Pie-thon`_ needed to be written since the bytecode for the benchmark
needed to be frozen.
So Guido wrote some benchmarks. They are in CVS under
nondist/sandbox/parrotbench .
.. _Dan Sugalski: http://www.sidhe.org/~dan/blog/
.. _Parrot: http://www.parrotcode.org/
.. _Perl 6: http://dev.perl.org/perl6/
.. _Pie-thon: http://www.sidhe.org/~dan/blog/archives/000219.html
Contributing threads:
- `Merry December
<http://mail.python.org/pipermail/python-dev/2003-December/040613.html>`__
- `Pie-thon benchmarks
<http://mail.python.org/pipermail/python-dev/2003-December/040963.html>`__
- `Pie-thon benchmark code ready
<http://mail.python.org/pipermail/python-dev/2003-December/041527.html>`__
--------------
PyCon is a go!
--------------
http://www.pycon.org/ has gone live! Registration_ is live (early-bird
ends January 31)! Online talk proposal submission is live (deadline is
January 15)!
.. _Registration: http://www.pycon.org/dc2004
Contributing threads:
- `PyCon DC 2004 - Registration about to open!
<http://mail.python.org/pipermail/python-dev/2003-December/040553.html>`__
- `PyCon DC 2004 - Submissions Now Open
<http://mail.python.org/pipermail/python-dev/2003-December/041012.html>`__
----------------------------------------
operator gains attrgetter and itemgetter
----------------------------------------
The operator module has now gained two new functions: attrgetter and
itemgetter "which are useful for creating fast data extractor functions
for map(), list.sort(), itertools.groupby(), and other functions that
expect a function argument" according to Misc/NEWS .
Contributing threads:
- `Re: "groupby" iterator
<http://mail.python.org/pipermail/python-dev/2003-December/040590.html>`__
-------------------
CObjects and safety
-------------------
Michael Hudson pointed out how CObjects could be misused in Python code.
Various ideas of how to make them safer by checking that the proper
CObject was passed were proposed. The thread seemed to end without a
resolution, though.
Contributing threads:
- `are CObjects inherently unsafe?
<http://mail.python.org/pipermail/python-dev/2003-December/040702.html>`__
-----------------
Unicode is a pain
-----------------
Want proof? How about the fact that you can store a character like "ä"
either as two characters ("a" followed by "previous character has an
umlaut") or as one ("a with an umlaut"). The former is called
"decomposed normal form" and is used in OS X. Windows, of course, uses
the latter version.
Contributing threads:
- `test_unicode_file failing on Mac OS X
<http://mail.python.org/pipermail/python-dev/2003-December/040778.html>`__
------------------
Two new developers
------------------
Hye-Shik Chang has become a developer. You probably know him from his
work on the CJK codecs. He is now an official developer.
Vinay Sajip, implementor of the logging package has also been granted
CVS checkin rights.
Contributing threads:
- `New developer
<http://mail.python.org/pipermail/python-dev/2003-December/040808.html>`__
------------------------
Compiling 2.4 under .NET
------------------------
Martin v. Löwis has started sandbox work on an MSI installer and moving
Python 2.4 over to VC 7.
Contributing threads:
- `Py2.4 pre-alpha snapshot
<http://mail.python.org/pipermail/python-dev/2003-December/040784.html>`__
- `First version of Python MSI available
<http://mail.python.org/pipermail/python-dev/2003-December/041451.html>`__
- `Switching to VC.NET 2003
<http://mail.python.org/pipermail/python-dev/2003-December/041452.html>`__
-----------------------------
New method flag: METH_COEXIST
-----------------------------
Raymond Hettinger, in his continual pursuit of speed, came up with a new
method flag, METH_COEXIST, which causes a method to be used in place of
a slot wrapper. The example that actually led to this is __contains__:
a PyCFunction defining __contains__ tends to be faster than one in the
sq_contains slot thanks to METH_O and other tricks.
Contributing threads:
- `FW: METH_COEXIST
<http://mail.python.org/pipermail/python-dev/2003-December/040940.html>`__
------------------------------
Better relative import support
------------------------------
There was a huge discussion on a better way to handle relative imports
(think of the situation where you have your module ``import sys`` and
you happen to have a module named sys in the same directory; should that
local module be imported or the sys module from the stdlib?). Luckily
Aahz volunteered to write a PEP on the whole thread so I am being spared
from having to summarize the thing. =) Thanks, Aahz.
Contributing threads:
- `Re: Christmas Wishlist
<http://mail.python.org/pipermail/python-dev/2003-December/040973.html>`__
- `Re: Python-Dev Digest, Vol 5, Issue 57
<http://mail.python.org/pipermail/python-dev/2003-December/041078.html>`__
- `Relative import
<http://mail.python.org/pipermail/python-dev/2003-December/041065.html>`__
- `Another Strategy for Relative Import
<http://mail.python.org/pipermail/python-dev/2003-December/041418.html>`__
------------------------------
list.sorted becomes a built-in
------------------------------
Just as the title says, list.sorted has now been moved out of the list
type and has been made a built-in.
Contributing threads:
- `python/dist/src/Python bltinmodule.c,2.304,2.305
<http://mail.python.org/pipermail/python-dev/2003-December/041129.html>`__
--------------------------------
What to do with old Python code?
--------------------------------
Someone rewrote the bisect module in C. This brought up the question of
what to do with the old Python version. Some suggest moving it to the
Demo directory. Others suggest keeping the code but importing the C
version in the Python module. The idea of keeping both was quickly shot
down, though, like in the pickle/cPickle situation.
This discussion is still going at this time.
Contributing threads:
- `SF patch 864863: Bisect C implementation
<http://mail.python.org/pipermail/python-dev/2003-December/041511.html>`__
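Added example, not part of the python-dev summary or of any poster's code: the "Unicode is a pain" item above notes that one character can be stored composed or decomposed. This Python sketch normalizes names to NFC before comparing them and flags names in a listing that differ only by normalization form; the file names and the allowlist are constructed sample data.

```python
import unicodedata

# Constructed sample data: the same visible name in both forms.
COMPOSED = "\u00e4.txt"        # "a with an umlaut" as one code point
DECOMPOSED = "a\u0308.txt"     # "a" followed by a combining diaeresis
SAMPLE_LISTING = [
    COMPOSED,
    DECOMPOSED,
    "readme.txt",
    "re\u0301sume\u0301.doc",  # decomposed
    "r\u00e9sum\u00e9.doc",    # composed
]
SAMPLE_ALLOWLIST = {COMPOSED}  # hypothetical allowlist stored in composed form


def nfc(name):
    """Return the canonical composed (NFC) form of a name."""
    return unicodedata.normalize("NFC", name)


def same_name(a, b):
    """Compare two names by canonical equivalence, not by code points."""
    return nfc(a) == nfc(b)


def is_allowed(name, allowlist):
    """Allowlist check that normalizes both sides before comparing."""
    return nfc(name) in {nfc(entry) for entry in allowlist}


def find_normalization_collisions(names):
    """Map each NFC form to the distinct raw spellings seen for it.

    Only forms with more than one raw spelling are returned; these are
    the names that look identical to a user but compare unequal.
    """
    groups = {}
    for name in names:
        groups.setdefault(nfc(name), set()).add(name)
    return {key: sorted(raw) for key, raw in groups.items() if len(raw) > 1}


def describe(name):
    """List the code points of a name, for logs and bug reports."""
    return ["U+%04X %s" % (ord(ch), unicodedata.name(ch, "?")) for ch in name]


if __name__ == "__main__":
    print("raw equality:       ", COMPOSED == DECOMPOSED)
    print("normalized equality:", same_name(COMPOSED, DECOMPOSED))
    print("naive allowlist:    ", DECOMPOSED in SAMPLE_ALLOWLIST)
    print("normalized allowlist:", is_allowed(DECOMPOSED, SAMPLE_ALLOWLIST))
    for form, raw in find_normalization_collisions(SAMPLE_LISTING).items():
        print("collision on", repr(form))
        for spelling in raw:
            print("   ", describe(spelling))
```
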
I'm happy to announce the first release of Shtoom. Shtoom is a Python
implementation of a voice over IP software phone, using the standard SIP
protocol. The first release features:
- basic calling functionality (can make and receive calls),
- Qt, Gtk, Tkinter and text user interfaces (of varying degrees of
functionality),
- audio support for Linux/FreeBSD (using ossaudiodev) and Windows/MacOS X
(using PortAudio),
- audio codecs G711 (64kbit/s) and GSM 06.10 audio (3kbit/s) with an
optional extension,
- firewall traversal via STUN.
It's been tested against Cisco IOS 12.3, Asterisk, kphone and linphone.
It's available from the website: http://shtoom.sf.net/
Future plans include:
- error handling <wink>
- SIP registration support
- A number of other applications, including shtam (answering machine) and
shtoomcu (conferencing server).
Anthony
--
Anthony Baxter <anthony(a)interlink.com.au>
It's never too late to have a happy childhood.
Zope 2.7.0 beta 4 Release and Security Update
Zope 2.7.0 beta 4 contains a number of security related fixes for issues
resolved during a comprehensive security audit conducted in Q4
2003. You may download Zope 2.7.0b4 from Zope.org:
http://www.zope.org/Products/Zope/2.7.0b4/
**Users of the VerboseSecurity add-on product for Zope please note:** some of
the security-related changes in Zope 2.7.0b4 are incompatible with the
VerboseSecurity product. Please uninstall the VerboseSecurity product before
upgrading to 2.7.0b4 to avoid problems. It is expected that VerboseSecurity
will be updated to be compatible with Zope 2.7.0b4 in the near future.
Also note that there are binary code changes in the 2.7.0b4 release, making
it impossible to issue an external "hotfix" to resolve these issues. CVS
users should be sure to update their sites **and rebuild the C Python
extensions** to ensure that all fixes are deployed.
In the fourth quarter of 2003, a comprehensive evaluation of the changes
to Python from version 2.1 to 2.3.3 was undertaken. This evaluation was
designed to assess each change to the Python environment in terms of its
potential impact on the Zope application server and Zope applications,
with the goal of making Python 2.3.3 the required Python platform for
Zope beginning with Zope 2.7.
The evaluation was focused on assessing changes to Python in the
following contexts:
- Changes that would have compatibility or other effects on existing
or new Zope applications
- Changes that could potentially affect the Zope security architecture
or change the behavior of the restricted execution environment used
by Zope to run untrusted code
In the course of the evaluation, very few of the Python changes in 2.3.3
directly affected the Zope security architecture or had impacts on the
restricted execution model.
However, a number of pre-existing potential issues were discovered and
resolved in the course of the comprehensive security audit that was
performed as a part of the Python upgrade evaluation:
- For loops, list comprehensions, and other iterations in untrusted
code
Issue Description
Iteration over sequences could in some cases fail to check access
to an object obtained from the sequence. Subsequent checks (such
as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- List and dictionary instance methods in untrusted code
Issue Description
List and dictionary instance methods such as the get method of
dictionary objects were not security aware and could return an
object without checking access to that object. Subsequent checks
(such as for attributes access) of such an object would still be
performed, but it should not have been possible to obtain the
object in the first place.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Use of import as in untrusted code
Issue Description
Use of "import as" in Python scripts could potentially rebind
names in ways that could be used to avoid appropriate security
checks.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Use of min, max, enumerate, iter, and sum in untrusted code
Issue Description
A number of newer built-ins were either unavailable in untrusted
code or did not perform adequate security checking.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Broken binding validation in untrusted code
Issue Description
The variables bound to page templates and Python scripts such as
"context" and "container" were not checked adequately, allowing
a script to potentially access those objects without ensuring the
necessary permissions on the part of the executing user.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Unpacking in untrusted code
Issue Description
Unpacking via function calls, variable assignment, exception
variables and other contexts did not perform adequate security
checks, potentially allowing access to objects that should have
been protected.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Unicode passed to RESPONSE.write() could shutdown process
Issue Description
Inadequate type checking could allow unicode values passed to
RESPONSE.write() to be passed into deeper layers of asyncore,
where an exception would eventually be generated at a level that
would cause the Zserver main loop to terminate.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- PythonScript class security not initialized properly
Issue Description
Class security was not properly initialized for PythonScripts,
potentially allowing access to variables that should be protected.
It turned out that most of the security assertions were in fact
activated as a side effect of other code, but this fix is still
appropriate to ensure that all security declarations are properly
applied.
Who Is Affected?
Sites that use Python Scripts.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- XML-RPC instance marshaling may disclose protected values
Issue Description
XML-RPC marshalling of class instances used the instance
__dict__ to marshal the object, and could include attributes
prefixed with an underscore name. These attributes are considered
private in Zope and should generally not be disclosed.
Who Is Affected?
All Zope sites.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
and higher. Affected sites are strongly encouraged to update
their Zope installations to prevent this issue.
- DTML tag dtml-tree may allow DoS attack
Issue Description
The dtml-tree tag used an "eval" of user-supplied data; its
efforts to prevent abuse were ineffective.
Who Is Affected?
All Zope sites.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Potential cross-site scripting problem in default ZSearch interface
Issue Description
Browsers that do not escape html in query strings such as
Internet Explorer 5.5 could potentially send a script tag in a
query string to the ZSearch interface for cross-site scripting.
Who Is Affected?
Sites that use the default ZSearch interface.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
and higher. Affected sites are strongly encouraged to update
their Zope installations to prevent this issue.
- Proxy rights on DTMLMethods transferred via acquisition
Issue Description
DTMLMethods with proxy rights could incorrectly transfer those
rights via acquisition when traversing to a parent object.
Who Is Affected?
Sites that allow users who have increased permissions in
subfolders to write DTMLMethods.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4
and higher. Affected sites are strongly encouraged to update
their Zope installations to prevent this issue.
- Improper security assertions on DTMLDocument objects
Issue Description
Some improper security assertions on DTMLDocument objects could
potentially allow access to members that should be protected.
Who Is Affected?
Sites that use DTMLDocuments for secure content.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- PropertyManager 'lines' and 'tokens' properties stored as list
Issue Description
Some property types were stored in a mutable data type (list) which
could potentially allow untrusted code to effect changes on those
properties without going through appropriate security checks in
particular scenarios.
Who Is Affected?
Sites that allow untrusted users to write Python Scripts, Page
Templates, and DTML.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Inadequate security assertions on admin "find" functions
Issue Description
Inadequate security assertions on administrative "find" methods
could potentially be abused.
Who Is Affected?
All Zope sites.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- ZTUtils.SimpleTree state handling
Issue Description
The ZTUtils SimpleTree decompressed tree state data from the
request without checking for final size, which could allow for
certain types of DoS attacks.
Who Is Affected?
Sites that rely on the ZTUtils.SimpleTree.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher. Affected sites are strongly encouraged to update their
Zope installations to prevent this issue.
- Configuration file did not override security policy selection
Issue Description
This is not really a security issue, just a usability issue. It has
always been possible to alternate between C and Python implementations
of the Zope security policy using certain environment variables. As
of Zope 2.7, use of environment variables is deprecated in favor of
the new 2.7 configuration files. The new configuration machinery was
not implementing the directive used to override the default security
policy.
Who Is Affected?
Zope 2.7 beta users.
Resolution
This issue is resolved in Zope 2.6.3 and Zope 2.7.0 beta 4 and
higher.
For more information on what is new in this release, see the CHANGES.txt and
HISTORY.txt files for the release:
- http://www.zope.org/Products/Zope/2.7.0b4/CHANGES.txt
- http://www.zope.org/Products/Zope/2.7.0b4/HISTORY.txt
For more information on the available Zope releases, guidance for selecting
the right distribution and installation instructions, please see:
http://www.zope.org/Documentation/Misc/InstallingZope.html
Brian Lloyd brian(a)zope.com
V.P. Engineering 540.361.1716
Zope Corporation http://www.zope.com
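The "ZTUtils.SimpleTree state handling" item above describes decompressing request data without checking its final size. The sketch below is an added example, not Zope's code and not part of the announcement; it is written for current Python 3, and the function names, the base64 wrapping and the 8192-byte cap are assumptions chosen for illustration.

```python
import base64
import zlib

MAX_STATE_BYTES = 8192  # assumed cap for this example, not a value from the advisory


class StateTooLarge(ValueError):
    """Raised when the decompressed state would exceed the cap."""


def encode_state(raw: bytes) -> str:
    """Compress and base64-encode state so it can travel in a request."""
    return base64.urlsafe_b64encode(zlib.compress(raw, 9)).decode("ascii")


def decode_state_unbounded(token: str) -> bytes:
    """Risky pattern: the sender alone decides how much memory is allocated."""
    return zlib.decompress(base64.urlsafe_b64decode(token))


def decode_state_bounded(token: str, limit: int = MAX_STATE_BYTES) -> bytes:
    """Inflate at most limit + 1 bytes and reject anything over the limit."""
    compressed = base64.urlsafe_b64decode(token)
    inflater = zlib.decompressobj()
    # max_length stops inflation early; leftover input lands in unconsumed_tail.
    out = inflater.decompress(compressed, limit + 1)
    if len(out) > limit or inflater.unconsumed_tail:
        raise StateTooLarge("decompressed state exceeds %d bytes" % limit)
    if not inflater.eof:
        raise ValueError("compressed state is truncated")
    return out


if __name__ == "__main__":
    # Constructed input: a few KB on the wire that inflates to 5 MB.
    bomb = encode_state(b"\0" * 5_000_000)
    print("token length:", len(bomb))
    try:
        decode_state_bounded(bomb)
    except StateTooLarge as exc:
        print("rejected:", exc)
```

The bounded decoder never holds more than `limit + 1` bytes of output, so the cost of a hostile token is fixed regardless of its compression ratio.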
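The "XML-RPC instance marshaling" item above describes marshalling an instance through its `__dict__`, underscore-prefixed attributes included. The following is an added example, not Zope's fix and not part of the announcement; it uses the Python 3 standard library's `xmlrpc.client`, which also falls back to `__dict__` for arbitrary instances, and the `Account` class and `public_view` helper are hypothetical.

```python
import xmlrpc.client


class Account:
    """Constructed sample object; underscore names are meant to stay private."""

    def __init__(self):
        self.owner = "alice"
        self.plan = "basic"
        self.limits = {"quota": 10, "_internal_flag": True}
        self._session_secret = "constructed-secret-value"


def marshal_raw(obj) -> str:
    """Marshal the instance as-is: the marshaller walks obj.__dict__."""
    return xmlrpc.client.dumps((obj,), methodresponse=True)


def public_view(value):
    """Copy a value, dropping attributes and keys that start with '_'."""
    if hasattr(value, "__dict__"):
        value = vars(value)
    if isinstance(value, dict):
        return {k: public_view(v) for k, v in value.items()
                if not str(k).startswith("_")}
    if isinstance(value, (list, tuple)):
        return [public_view(v) for v in value]
    return value


def marshal_filtered(obj) -> str:
    """Marshal only the public view of the instance."""
    return xmlrpc.client.dumps((public_view(obj),), methodresponse=True)


if __name__ == "__main__":
    acct = Account()
    print("raw leaks secret:     ", "constructed-secret-value" in marshal_raw(acct))
    print("filtered leaks secret:", "constructed-secret-value" in marshal_filtered(acct))
```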
http://wwwsearch.sourceforge.net/mechanize/
This is an alpha release.
Changes since 0.0.2a:
* Fixed lots of bugs.
* Link instances may now be passed to .click_link() and .follow_link().
* Added a new example program, pypi.py.
* ClientCookie 0.4.17 and pullparser 0.0.4b are now required (in fact,
they always were, even though they didn't exist ;-).
Requires Python 2.2, ClientCookie >= 0.4.17 (note version!), ClientForm
0.1.x and pullparser >= 0.0.4b.
Stateful programmatic web browsing, after Andy Lester's Perl module
WWW::Mechanize.
Example:
import re
from mechanize import Browser
b = Browser()
b.open("http://www.example.com/")
# follow second link with element text matching regular expression
response = b.follow_link(text_regex=re.compile(r"cheese\s*shop"), nr=1)
b.select_form(name="order")
# Browser passes through unknown attributes (including methods)
# to the selected HTMLForm (from ClientForm).
b["cheeses"] = ["mozzarella", "caerphilly"] # (the method here is __setitem__)
response2 = b.submit() # submit current form
response3 = b.back() # back to cheese shop
response4 = b.reload()
for form in b.forms():
    print form
# .links() optionally accepts the keyword args of .follow_/.find_link()
for link in b.links(url_regex=re.compile("python.org")):
    print link
    b.follow_link(link) # takes EITHER Link instance OR keyword args
    b.back()
John
http://wwwsearch.sourceforge.net/ClientForm/
Changes from 0.1.10 to 0.1.15:
The following bugs were fixed in both 0.1.x and 0.0.x:
* TEXTAREA contents are no longer .strip()ped on form parsing.
* Fixed bugs where TEXTAREA or OPTION containing entity reference
would result in truncated element contents.
* A few doc fixes in HTMLForm.__doc__.
* Fixed ImageControl.pairs(): return value contained integer
coordinates instead of strings.
* Empty OPTION no longer causes KeyError.
* ClientForm.urlencode() works with Unicode.
* Minor code clean-up.
The following bugs were fixed only in 0.1.x:
* All form attributes are now available in HTMLForm.attrs
(previously, name, action, method and enctype were not present).
* ignore_errors is now ignored: not working, and a bad idea in the
first place.
* Take note of BASE element.
Requires Python >= 1.5.2.
ClientForm is a Python module for handling HTML forms on the client
side, useful for parsing HTML forms, filling them in and returning the
completed forms to the server. It has developed from a port of Gisle
Aas' Perl module HTML::Form, from the libwww-perl library, but the
interface is not the same.
Simple example:
from urllib2 import urlopen
from ClientForm import ParseResponse
forms = ParseResponse(urlopen("http://www.example.com/form.html"))
form = forms[0]
print form
form["author"] = "Gisle Aas"
# form.click returns a urllib2.Request object
# (see HTMLForm.click_request_data.__doc__ if you're not using urllib2)
response = urlopen(form.click("Thanks"))
John