From neilb at nbt.co.za Fri Apr 5 16:21:28 2002
From: neilb at nbt.co.za (Neil Beattie)
Date: Fri, 5 Apr 2002 08:21:28 +0200
Subject: [albatross-users] ModularSessionFileApp and windows
Message-ID:

Hi,

Has anyone used ModularSessionFileApp on a windows platform?

I have had to do the following to make it work.

in sessionfile.py
add : import struct

in albatross directory
rename random.py to Random.py

in albatross __init__.py

change
from random import *
to
from Random import *

Hope this helps,

Neil Beattie.

From andrewm at object-craft.com.au Fri Apr 5 18:56:28 2002
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Fri, 05 Apr 2002 18:56:28 +1000
Subject: [albatross-users] ModularSessionFileApp and windows
In-Reply-To: Your message of "Fri, 05 Apr 2002 08:21:28 +0200."
Message-ID: <20020405085628.5095C38F52@coffee.object-craft.com.au>

>Has anyone used ModularSessionFileApp on a windows platform?

I haven't been able to test it there yet. Sorry.

>I have had to do the following to make it work.
>
>in sessionfile.py
>add : import struct
>
>in albatross directory
>rename random.py to Random.py
>
>in albatross __init__.py
>
>change
>from random import *
>to
>from Random import *
>
>Hope this helps,

Ouch. Yes, it does. I'll try to come up with a permanent fix before the
next release (which probably won't be for a while yet).

I have some concerns about the use of the "random" module for generating
session keys: they're seeded from the real-time clock, which means an
attacker can make a close guess at when a session was started (within
a minute or so), and they can then brute-force guess the session ID.

All the other web tools I've looked at share this problem, but that
doesn't make it any less serious.
-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/

From tchur at optushome.com.au Fri Apr 5 21:35:54 2002
From: tchur at optushome.com.au (Tim Churches)
Date: Fri, 05 Apr 2002 21:35:54 +1000
Subject: [albatross-users] ModularSessionFileApp and windows
References: <20020405085628.5095C38F52@coffee.object-craft.com.au>
Message-ID: <3CAD8C1A.BA5475F@optushome.com.au>

Andrew McNamara wrote:
> 
> 
> I have some concerns about the use of the "random" module for generating
> session keys: they're seeded from the real-time clock, which means an
> attacker can make a close guess at when a session was started (within
> a minute or so), and they can then brute-force guess the session ID.
> 
> All the other web tools I've looked at share this problem, but that
> doesn't make it any less serious.

On Linux and BSD at least, wouldn't it be possible to read some random
bytes from /dev/random or /dev/urandom each time a session key was
required? My understanding is that these devices collect random bytes
from noise on the system bus or somesuch. It is the diesel engines which
makes buses noisy, isn't it?

Tim C

From andrewm at object-craft.com.au Fri Apr 5 20:59:31 2002
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Fri, 05 Apr 2002 20:59:31 +1000
Subject: [albatross-users] ModularSessionFileApp and windows
In-Reply-To: Your message of "Fri, 05 Apr 2002 21:35:54 +1000." <3CAD8C1A.BA5475F@optushome.com.au>
Message-ID: <20020405105931.8CEE738F53@coffee.object-craft.com.au>

>> I have some concerns about the use of the "random" module for generating
>> session keys: they're seeded from the real-time clock, which means an
>> attacker can make a close guess at when a session was started (within
>> a minute or so), and they can then brute-force guess the session ID.
>
>On Linux and BSD at least, wouldn't it be possible to read some random
>bytes from /dev/random or /dev/urandom each time a session key was
>required?
>My understanding is that these devices collect random bytes
>from noise on the system bus or somesuch. It is the diesel engines which
>makes buses noisy, isn't it?

Yep - and Albatross already does this on systems that have /dev/urandom
(BTW, Solaris has an optional user-mode emulation of /dev/urandom): this
is why I didn't see the name-space clashes in my testing.

Kernel /dev/random drivers collect entropy from as many external sources
as they can find (interrupts, network timings, mouse and keyboard, and
block I/O timings). In Linux, at least, this is then fed through an SHA
hash to ensure an attacker can't derive any information about the
internal state of the entropy pool. /dev/random blocks when the entropy
pool is exhausted, whereas /dev/urandom doesn't (essentially becoming a
pseudo random number generator, albeit a cryptographically secure one).

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/

From bkc at murkworks.com Tue Apr 16 01:45:53 2002
From: bkc at murkworks.com (Brad Clements)
Date: Mon, 15 Apr 2002 11:45:53 -0400
Subject: [albatross-users] Internationalization (lookup?), embedding, licensing
Message-ID: <3CBAB952.11185.334A94A2@localhost>

Hello albatross users.

There are now 5 non-object-craft members on this list :-)

--

I'm looking for a nice, small scale web application platform for use
in an embedded linux box. I've looked at Zope, Twisted, Webware (don't
like Cheetah), Skunkweb and many other platforms. I think Albatross
looks best for my needs.

1. licensing - Looks like BSD style license, is that correct?

2. Embedding - Looks small, that's nice

3. Internationalization - I have to support multiple languages and
automatically "pick the proper templates" based on the client browser
settings.

I think I can get the language info from request headers..

What I was thinking of doing was using lookup methods for all text..
Then I'd load the appropriate macro set into ctx on each request based
on the client preferred language.

Does this make sense? Anyone else tackle this problem?

4. Might have to support being an xml-rpc server in the future. I'm
assuming I can hook into Request processing somewhere.. anyone try this?

Thanks for any thoughts you have.

Brad Clements, bkc at murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
AOL-IM: BKClements

From bkc at murkworks.com Tue Apr 16 04:59:13 2002
From: bkc at murkworks.com (Brad Clements)
Date: Mon, 15 Apr 2002 14:59:13 -0400
Subject: [albatross-users] Internationalization (lookup?), embedding, licensing
In-Reply-To: <200204151808.g3FI8OW16117@lewis.abi.tconline.net>
References: <3CBAB952.11185.334A94A2@localhost>
Message-ID: <3CBAE6A3.23308.33FB96EF@localhost>

On 15 Apr 2002 at 13:08, Lewis Bergman wrote:

> Try not to put "--" in your message above the sig. Most clients consider
> that a sig identifier and can trash the rest.

Ooops, I'll use

in the future ;-)

> peace of text. How about using a single lookup in the front end that will
> redirect to a module with templates set for that language and a default if
> it isn't available. Then you only have to evaluate it once.

Here's my thoughts on this. The application is pretty simple and it's
mostly pages of forums that need to be filled in. So there's a
descriptive column and a data entry column.

I do not want to give the .html files to translators since if we want
to change the layout we'd have to mess with all these different
languages (there will be 12 I think).

I agree, using lookup is not as fast as distinct templates for each
language but that's going to be a maintenance pita.

The embedded system will be a Pentium 100 or equivalent and the web
server is the only thing running on it.. and there will most likely be
only one web client at a time..cycles to spare.

> process anywhere you like. Using the simpleserver module couldn't be
> easier. Mine loads different sets of backend control modules based on what
> kind of server it is running on.

I expect to use RandomModuleSessionApp

> 
> One thing to note. You probably are not actually wanting to hook into an
> xml-rpc server but an xml-rpc client that will talk to a server.

I need this thing to also be an xml-rpc server, since my client
interface will upscale to using xml-rpc on some pages depending on
client capability.

-- 
Brad Clements, bkc at murkworks.com (315)268-1000
http://www.murkworks.com (315)268-9812 Fax
AOL-IM: BKClements

From andrewm at object-craft.com.au Tue Apr 16 11:40:40 2002
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Tue, 16 Apr 2002 11:40:40 +1000
Subject: [albatross-users] Internationalization (lookup?), embedding, licensing
In-Reply-To: Your message of "Mon, 15 Apr 2002 11:45:53 -0400."
<3CBAB952.11185.334A94A2@localhost>
Message-ID: <20020416014040.9E71A38F50@coffee.object-craft.com.au>

>There are now 5 non-object-craft members on this list :-)
>
>I'm looking for a nice, small scale web application platform for use
>in an embedded linux box. I've looked at Zope, Twisted, Webware (don't
>like Cheetah), Skunkweb and many other platforms. I think Albatross
>looks best for my needs.

8-)

>1. licensing - Looks like BSD style license, is that correct?

Yes.

>2. Embedding - Looks small, that's nice

The intention is to keep it small - it should be easy enough for people
to understand and extend if they need functionality it doesn't provide.
The code should be quite modular: you can probably whittle it down
further if you need by removing bits...

>3. Internationalization - I have to support multiple languages and
>automatically "pick the proper templates" based on the client browser
>settings.

This is something that we're not good at (internationalization), being
English speakers... if you have any ideas about how the Albatross
infrastructure can be extended to help, let us know.

>I think I can get the language info from request headers..

You might be able to fiddle the template_path after parsing the
appropriate headers: you could have each language in a separate
directory, with standardised file names; selecting a different
template_path would give you a different language.

>4. Might have to support being an xml-rpc server in the future. I'm
>assuming I can hook into Request processing somewhere.. anyone try this?

That sounds reasonable. You could also build your own Request class.
-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/

From djc at object-craft.com.au Tue Apr 16 20:54:09 2002
From: djc at object-craft.com.au (Dave Cole)
Date: 16 Apr 2002 20:54:09 +1000
Subject: [albatross-users] Internationalization (lookup?), embedding, licensing
In-Reply-To: <3CBAB952.11185.334A94A2@localhost>
References: <3CBAB952.11185.334A94A2@localhost>
Message-ID:

>>>>> "Brad" == Brad Clements writes:

Brad> I'm looking for a nice, small scale web application platform for
Brad> use in an embedded linux box. I've looked at Zope, Twisted,
Brad> Webware (don't like Cheetah), Skunkweb and many other
Brad> platforms. I think Albatross looks best for my needs.

Brad> 2. Embedding - Looks small, that's nice

Albatross has already been used in an embedded control system. I have
been trying to convince the guy to join the mailing list.

Brad> 3. Internationalization - I have to support multiple languages
Brad> and automatically "pick the proper templates" based on the
Brad> client browser settings.

Brad> I think I can get the language info from request headers..

Yup.

Brad> What I was thinking of doing was using lookup methods for all
Brad> text.. Then I'd load the appropriate macro set into ctx on each
Brad> request based on the client preferred language.

You could override the execution context load_template() and
load_template_once() to alter the template name based upon the language
header from the browser.

import os
import string
from albatross import SimpleAppContext

class MyCtx(SimpleAppContext):
    def language_vary(self, name):
        # Prefix the template name with the browser's first listed language,
        # so "login.html" becomes e.g. "fr/login.html".
        language = self.request.get_header('Accept-Language')
        if language:
            return os.path.join(string.split(language, ',')[0], name)
        return name

    def load_template(self, name):
        name = self.language_vary(name)
        return SimpleAppContext.load_template(self, name)

    def load_template_once(self, name):
        name = self.language_vary(name)
        return SimpleAppContext.load_template_once(self, name)

With a bit of effort you could make it more robust.

Brad> Does this make sense? Anyone else tackle this problem?
I think you are the first.

Brad> 4. Might have to support being an xml-rpc server in the
Brad> future. I'm assuming I can hook into Request processing
Brad> somewhere.. anyone try this?

I am not so clear on how to do this. You might be able to get away
with just doing what Andrew suggested and build a custom Request class.

- Dave

-- 
http://www.object-craft.com.au
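The Accept-Language idea discussed in Andrew McNamara's and Dave Cole's replies above (select a per-language template directory from the browser header) has one robustness gap worth closing before it ships: the raw header value ends up in a file path. The following is an added example written for this archive, not Albatross code and not something either author posted. It parses the header into ranges with q-values, accepts only syntactically valid language tags, matches them against an allow-list of languages that templates actually exist for, and checks that the final path stays inside the template directory. The SUPPORTED_LANGUAGES list and the "templates" directory name are constructed for the example.

```python
import os
import re

# Allow-list of languages we ship templates for (constructed for the example).
SUPPORTED_LANGUAGES = ("en", "de", "fr", "ja")
DEFAULT_LANGUAGE = "en"

# A language-range is letters, optionally followed by "-" subtags of letters
# and digits, or the wildcard "*". Anything else (path separators, dots,
# quotes) is rejected before it can reach a file path.
_LANGUAGE_RANGE = re.compile(r"^[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*$|^\*$")


def parse_accept_language(header):
    """Parse an Accept-Language header into [(tag, q), ...], best first.

    Malformed entries are dropped rather than passed through, and q=0
    ("not acceptable") entries are discarded as the RFC intends.
    """
    ranges = []
    for position, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not _LANGUAGE_RANGE.match(tag):
            continue
        q = 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if 0.0 < q <= 1.0:
            # Negative position keeps header order for equal q after sorting.
            ranges.append((q, -position, tag))
    ranges.sort(reverse=True)
    return [(tag, q) for q, _, tag in ranges]


def select_language(header, supported=SUPPORTED_LANGUAGES, default=DEFAULT_LANGUAGE):
    """Pick the best supported language, falling back to the default.

    A regional tag such as "de-AT" matches a shipped "de"; "*", an empty
    header or a header with no usable entries all fall back to the default.
    """
    if not header:
        return default
    for tag, _q in parse_accept_language(header):
        if tag in supported:
            return tag
        primary = tag.split("-")[0]
        if primary in supported:
            return primary
    return default


def within_base(base_dir, path):
    """True if path (after symlink/.. resolution) lies inside base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def template_path(base_dir, header, name):
    """Resolve <base_dir>/<language>/<name>, refusing any escape from base_dir.

    The language comes only from the allow-list, so the header can never
    inject a path component; the check guards the template name as well.
    """
    language = select_language(header)
    candidate = os.path.join(base_dir, language, name)
    if not within_base(base_dir, candidate):
        raise ValueError("template name escapes template directory: %r" % name)
    return os.path.realpath(candidate)


if __name__ == "__main__":
    # Constructed sample headers: a normal browser, and a hostile one.
    print(template_path("templates", "de-AT,en;q=0.5", "login.html"))
    print(template_path("templates", "../../../etc, fr;q=0", "login.html"))
```

With a `MyCtx.language_vary()` that calls `select_language()` instead of splitting the header itself, the directory-per-language layout Andrew describes needs no further input handling: only names from the allow-list ever become path components.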
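On the session-key concern raised earlier in this thread (Andrew McNamara's 5 April messages: a "random" module seeded from the real-time clock gives an attacker a narrow seed range to search, whereas /dev/urandom does not), the following is an added example for this archive, not Albatross code and not something posted by the thread's participants. It shows the weak clock-seeded pattern next to a generator that draws from the operating system's CSPRNG (Python 3's `secrets`, which reads /dev/urandom on Unix and the platform CSPRNG on Windows), plus two defensive habits for a file-backed session store like ModularSessionFileApp: validate the ID's syntax before touching storage, and key the store by a hash of the ID so a readable session directory does not hand out usable bearer tokens. The store is an in-memory dict and the sample clock value is constructed for the example.

```python
import hashlib
import random
import re
import secrets

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG
# secrets.token_urlsafe(32) always yields 43 URL-safe base64 characters.
_WELL_FORMED = re.compile(r"^[A-Za-z0-9_-]{43}$")


def clock_seeded_session_id(clock_seconds):
    """The weak pattern the thread is worried about (do not use).

    A PRNG seeded from the wall clock is deterministic: the same second of
    start time reproduces the same ID, so guessing the start time to within
    a minute leaves only ~60 candidates to try.
    """
    rng = random.Random(int(clock_seconds))
    return "%016x" % rng.getrandbits(64)


def new_session_id():
    """Session ID from the OS CSPRNG; nothing about it depends on the clock."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def is_well_formed_session_id(candidate):
    """Cheap syntactic check, run before any storage lookup, so a cookie
    value like '../../etc' is rejected without ever becoming a path."""
    return isinstance(candidate, str) and _WELL_FORMED.match(candidate) is not None


def session_key(session_id):
    """Storage key for a session ID.

    Storing under SHA-256(ID) rather than the ID itself means that someone
    who can list the session store (a directory of session files, a DB
    dump) still cannot present a valid cookie for any of those sessions.
    """
    return hashlib.sha256(session_id.encode("ascii")).hexdigest()


def register_session(store, data):
    """Create a session, put its data in the store, return the bearer ID."""
    session_id = new_session_id()
    store[session_key(session_id)] = data
    return session_id


def lookup_session(store, candidate):
    """Return the session data for a presented ID, or None if unknown/malformed."""
    if not is_well_formed_session_id(candidate):
        return None
    return store.get(session_key(candidate))


if __name__ == "__main__":
    # Constructed clock value: 2002-04-05 around the time of the thread.
    started = 1017986488
    print("clock-seeded, same second twice:",
          clock_seeded_session_id(started), clock_seeded_session_id(started + 0.7))
    store = {}
    sid = register_session(store, {"user": "tim"})
    print("CSPRNG session id:", sid)
    print("lookup ok:", lookup_session(store, sid))
    print("lookup of garbage:", lookup_session(store, "../../etc"))
```

The hashed-key store also removes any need for constant-time comparison of presented IDs: the lookup compares a SHA-256 digest, and learning which digest is present tells an attacker nothing about the ID that produces it.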