Zope application server / web framework
Project description
Zope is an open-source web application server.
This document provides some general information about Zope and provides links to other documents. The full documentation can be found at https://zope.readthedocs.io.
Installation
Please visit the installation documentation at https://zope.readthedocs.io/en/latest/INSTALL.html for detailed installation guidance.
License
Zope is licensed under the OSI-approved Zope Public License (ZPL), version 2.1. The full license text is included in LICENSE.txt.
Bug tracker
Bugs reports should be made through the Zope bugtracker at https://github.com/zopefoundation/Zope/issues. A bug report should contain detailed information about how to reproduce the bug.
Change log
These are all the changes for Zope 5, starting with the alpha releases, since the branch point at Zope 4.1.2.
The change log for the previous version, Zope 4, is at https://github.com/zopefoundation/Zope/blob/4.x/CHANGES.rst
5.8.4 (2023-09-06)
Disable a ZCatalog (more precisly: Products.PluginIndexes) performance test which occasionally fails on GitHub. For details, see #1136.
Restore filename on code objects of objects returned from App.Extensions.getObject(). This got lost in 4.0a6.
Update to newest compatible versions of dependencies.
Add preliminary support for Python 3.12rc1.
Make mapply __signature__ aware. This allows to publish methods decorated via a decorator which sets __signature__ on the wrapper to specify the signature to use. For details, see #1134. Note: mapply still does not support keyword only, var positional and var keyword parameters.
Make Zope’s parameters for denial of service protection configurable #1141 <https://github.com/zopefoundation/Zope/issues/1141>_.
Update RestrictedPython to version 6.2 to mitigate a security problem. (CVE-2023-41039)
Update AccessControl to version 6.2 to mitigate a security problem. (CVE-2023-41050)
5.8.3 (2023-06-15)
5.8.2 (2023-05-22)
Allow ZPublisher to handle both a query string and a request body; the request parameters from the query string are made available in the request attribute form (a dict), the request body can be accessed via the request keys BODY (a bytes object) or BODYFILE (a file like object). Fixes #1122.
Support access to the request’s BODY key for WSGI servers which hand over an unseekable request body (such as e.g. Gunicorn). Fixes #1125.
Do not break on GET requests that pass a query string and a Content-Type header. For details see #1117.
Implement code change suggestions from CodeQL scanning.
Added Japanese translations for some Sphinx docs (#1109)
Update to newest compatible versions of dependencies.
Update zope.ini.in skel to support log paths that use backslashes. (#1106)
5.8.1 (2023-03-17)
Sanitize tainting fixing #1095
Replace cgi.FieldStorage by multipart avoiding the cgi module deprecated by Python 3.11.
Mark binary converters with a true binary attribute.
Fix encoding handling and :bytes converter.
See #1094.
Clean out and refactor dependency configuration files.
Update to newest compatible versions of dependencies.
Support the (non standard) charset parameter for content type application/x-www-form-urlencoded. This is required (e.g. for Plone) because jquery constructs content types of the form `application/x-www-form-urlencoded; charset=utf-8. For details see plone/buildout.coredev#844.
5.8 (2023-01-10)
Only set response header Content-Type as text/html on exception views when the response has content. (#1089)
Drop support for Python 3.6, it has been in end-of-life status for a while.
Update to newest compatible versions of dependencies.
Fix history page for classes modifying instances in __setstate__, such as Products.PythonScripts.PythonScript instances. See launchpad issue 735999.
5.7.3 (2022-12-19)
Explicitly serve App.Dialogs.MessageDialog and exception views as HTML due to the changed default content type from #1075.
5.7.2 (2022-12-17)
Fix some broken ZMI pages due to the changed default content type from PR https://github.com/zopefoundation/Zope/pull/1075 (#1078)
Update to newest compatible versions of dependencies.
5.7.1 (2022-12-16)
Set the published default Content-Type header to text/plain if none has been set explicitly to prevent a cross-site scripting attack. Also remove the old behavior of constructing an HTML page for published methods returning a two-item tuple.
Update to newest compatible versions of dependencies.
5.7 (2022-11-17)
Script addzopeuser accepts now parameter ‘-c’ or ‘–configuration’. This allows passing in a custom location for the zope.conf file to use. If not specified, behavior is not altered.
Update to newest compatible versions of dependencies.
Change functional testing utilities to support percent encoded and unicode paths (#1058).
Decode basic authentication header as utf-8, not latin1 anymore (#1061).
Use UTF-8 charset for WWW-Authenticate headers in challenge responses, as described in RFC7617 ( #1065).
Added :json converter in ZPublisher.Converters. (#957)
Support Python 3.11.
5.6 (2022-09-09)
Make Products.PageTemplate engine compatible with Chameleon 3.10.
Update to newest compatible versions of dependencies.
Start work on Python 3.11 support, which will arrive in a later release.
Fix cookie path parameter handling: If the cookie path value contains % it is assumed to be fully quoted and used as is; if it contains only characters allowed (unquoted) in an URL path (with the exception of ;), it is used as is; otherwise, it is quoted using Python’s urllib.parse.quote (#1052).
5.5.2 (2022-06-28)
Update waitress to version 2.1.2.
Improvements on find_bad_templates(): check Filesystem Page Templates too and show html tags in web report (#1042)
Fix version pin specifications for Python 3.6 compatibility. (#1036)
Quote all components of a redirect URL (not only the path component) (#1027)
Drop the convenience script generation from the buildout configuration in order to get rid of a lot of dependency version pins. These were only needed for maintainers who can install them manually. (#1019)
Update to newest compatible versions of dependencies.
Modify “manage_access” to allow users to switch from the compact view to the complete matrix view when more than 30 roles are defined. (#1039)
Strip leading . in cookie domain names. (#1041)
5.5.1 (2022-04-05)
Update to newest compatible versions of dependencies.
Update waitress to version 2.1.1 to mitigate a vulnerability in that package. As waitress no longer supports Python 3.6 it is not advised to run Zope on Python 3.6 any longer even though it still supports Python 3.6. Due to this security issue support for Python 3.6 is now officially deprecated. It will be removed with Zope version 5.7.
To run bin/buildout inside the Zope project now zc.buildout >= 2.13.7 or zc.buildout >= 3.0.0b1 is required.
5.5 (2022-03-10)
Fix several exceptions when calling ZPublisher.utils.fix_properties.
Update to newest compatible versions of dependencies.
Enhance cookie support. For details, see #1010
Use intermediate str representation for non-bytelike response data unless indicated differently by the content type. (#1006)
Use zc.buildout 3.0rc2 to install Zope to run its tests.
5.4 (2022-01-09)
Audit and fix all hyperlinks in code and documentation
Change zope.org references to zope.dev due to ongoing domain ownership issues. zope.dev is owned by the Plone Foundation and thus safe from interference. XML/ZCML namespace URLs remain unchanged.
Remove all links that are completely dead, such as the old zope.org Collectors issue trackers.
Update all other miscellaneous links to make them work again or remove if the information is gone.
Improve type guessing for the default WebDAV PUT factory (#997)
Enable WebDAV PUT factories to change a newly created object’s ID (#997)
Fix potential race condition in App.version_txt.getZopeVersion (#999)
Don’t coerce file upload fields for adding DTML Documents/Methods to string. This makes the Add forms work again with the ZPublisher converter code changes.
Remove deprecated ulines, utext, utokens, ustring from more code. In the properties form, show a deprecation warning.
Add function ZPublisher.utils.fix_properties. You can call this to fix lines properties to only contain strings, not bytes. It also replaces the deprecated property types ulines, utext, utoken, and ustring with their non-unicode variants. (#987)
Add support for Python 3.10.
Update to newest compatible versions of dependencies.
5.3 (2021-07-31)
Reinstate simple sessioning with Products.TemporaryFolder because the underlying issues with tempstorage have been fixed. (#985)
Update the AccessControl version pin to fix a remote code execution issue (see AccessControl security advisory GHSA-qcx9-j53g-ccgf)
Prevent DeprecationWarnings from moved imports in AccessControl
make sure “Manager” users can always modify proxy roles (see Products.PythonScripts#50)
Deprecate usage of “unicode” converters. Also, the behavior of field2lines is now aligned to the other converters and returns a list of strings instead of a list of bytes. (#962)
Update to newest compatible versions of dependencies.
5.2.1 (2021-06-08)
Prevent unauthorized traversal through authorized Python modules in TAL expressions
Facelift the Zope logo. (#973)
Update to newest compatible versions of dependencies.
5.2 (2021-05-21)
Prevent traversal to names starting with _ in TAL expressions and fix path expressions for the chameleon.tales expression engine.
Provide friendlier ZMI error message for the Transaction Undo form (#964)
Updated/fixed the poll application tutorial in the Zope Developers Guide (#958)
Update to newest versions of dependencies.
Depend on zope.datetime for the functions iso8601_date, rfc850_date, and rfc1123_date which used to be in App.Common keeping backwards-compatibility imports in place.
Backwards incompatible changes
With the exception of field2bytes, field converters do no longer try to read file like objects (#558)
5.1.2 (2021-03-02)
5.1.1 (2021-02-10)
Replace (in OFS) the deprecated direct id access by getId calls. (#903)
Update ZMI dependencies for Font Awesome, jQuery and bootstrap.
Revise debug info GUI (#937)
Convert bytes HTTPResponse header value to str via ISO-8859-1 (the default encoding of HTTP/1.1).
Fix rendering of not found resources. (#933)
Update to newest versions of dependencies.
5.1 (2020-11-12)
Backwards incompatible changes
Exclude characters special for chameleon’s interpolation syntax (i.e. ${}) from use in TALES path expressions to reduce the failure risk for the chameleon interpolation heuristics (#925)
Features
Restore the ZMI Debug Information control panel page (#898)
Fixes
Fix ZMI visibility of pre elements in error log (Products.SiteErrorLog#26)
Fix length for page template repeat variables (#913)
Update isort to version 5. (#892)
Update to newest versions of dependencies.
5.0 (2020-10-08)
Backwards incompatible changes
Drop support for Python 3.5 as it will run out of support soon. (#841)
Features
HTTP header encoding support (#905)
Add support for Python 3.9.
New interface Products.PageTemplates.interfaces.IZopeAwareEngine. It can be used as the “provides” of an adapter registration to adapt a non Zope tales engine to an engine to be used by Zope page templates (#864). Currently, the adaptation is used only when the template is rendered with chameleon; with zope.pagetemplate, the engine is used as is - this may change in the future.
Allow (some) builtins as first element of a (TALES) path expression: in an untrusted context, the builtins from AccessControl.safe_builtins are allowed; in a trusted context, all Python builtins are allowed in addition (and take precedence) (zope.tales#23).
Support the attrs predefined template variable again (as far as chameleon allows it) (#860).
Use Chameleon (>= 3.7.2) configuration to get better information for errors detected during template execution (#837).
Fixes
Provide a more senseful OFS.SimpleItem.Item_w__name__.id to avoid bugs by use of deprecated direct id access (as e.g. (#903).
Update to zope.interface > 5.1.0 to fix a memory leak.
Fix export of files with non-latin-1 compatible names (#890)
Avoid unsolicited translations (#876)
Make “chameleon-zope context wrapping” more faithful. (#873)
Let “unicode conflict resolution” work for all templates (not just ZopePageTemplate). (#872)
Make “Unicode Conflict Resolution” available for templates rendered with chameleon (Products.CMFPlone#3145).
Improve documentation of CONTEXTS in the “Zope Book”.
Decrease cookie size for copy/paste clipboard cookie (#854)
Fix default keyword handling in page templates (#846)
Fix parsing of package version and show correct major version in the ZMI
Improve solidity of the debugError method. (#829)
Fix that ZTUtils.LazyFilter could not be imported inside a restricted Python script. (#901)
Other changes
Add pyupgrade via pre-commit (#859)
Add tal:switch test
5.0a2 (2020-04-24)
Bug fixes
Pin AccessControl 4.2 for the Manage WebDAV Locks permission
Fix HEAD requests on registered views (#816)
Improve chameleon –> zope.tales context wrapper (support for template variable injection) (#812).
Require zope.tales>=5.0.2
Fix issue 717 by fully honoring the engine returned by PageTemplate.pt_getEngine (#717). The engine also decides about the use of zope.tales (engine is an instance of zope.pagetemplate.engine.ZopeBaseEngine) or chameleon.tales (otherwise) TALES expressions.
Fixed encoding issue of displayname WebDAV property (#797)
Fixed fallback implementation of manage_DAVget (#799)
Other changes
Update to newest versions of dependencies.
5.0a1 (2020-02-28)
Backwards incompatible changes
Drop support for Python 2.7 aka Zope 5 cannot be run on Python 2 any more. If you are still running on Python 2.7 upgrade to the latest Zope 4 version first, migrate to Python 3 and than switch to Zope 5. (#692)
Remove all backwards-compatibility code marked to go away in Zope 5 (#478)
Drop support for running Zope with ZServer as it is Python 2 only. (#592)
Remove deprecated postProcessInputs request method. (#782)
Remove deprecated module ZPublisher.maybe_lock. (#758)
Remove Help System methods from the product context. (#756)
Remove more deprecated code. (#757)
Updated Zope documentation sources for Zope 5. (#659)
New features
Restore WebDAV support in Zope. (#744)
Enable WebDAV support independent of ZServer. (#787)
Clean up and sanitize permissions used for WebDAV-related methods.
Add wsgi.file_wrapper implementation https://www.python.org/dev/peps/pep-0333/#optional-platform-specific-file-handling (#719)
Bug fixes
Only use wsgi.file_wrapper for response bodies with a read method. (#763)
Improve detection of HTTPS requests. (#680)
Fix several ZMI links so they respect virtual hosting. (#788)
Fix sort link URLs on manage_main (#748)
More tests to make sure all __str__ implementations return native strings. (#692)
Fix longstanding test bug by forcing the page template engine. Many tests in Products.PageTemplates used the old Zope page template engine because the correct one was not registered during setup.
Close opened db during shutdown (as ZServer is already doing). (#740)
The method unrestrictedTraverse raises an error when the argument path is not something it can work with. (#674)
Improve ZMI Security Tab usability for high numbers of roles. (#730)
Some small ZMI rendering fixes. (#729)
Fix error when using database minimize in the ZMI. (#726)
Fix __getattr__ signature in UnauthorizedBinding. (#703)
Fix VirtualHostMonster not being able to set mappings under Python 3. (#708)
Reduce the danger of acquiring built-in names on the ZMI Find tab. (#712)
Restore the mistakenly removed Properties ZMI tab on Image objects (#706)
Fix OFS.Image.File.__str__ for Pdata contents (#711)
Set REMOTE_USER in wsgi environ using Zope user authentication (#713)
Add Paste as extras_require dependency to pull in Paste when installing with pip and constraints.txt to prevent startup errors. This requires adding the [wsgi] extra in the egg specification. (#734)
Other changes
Move retried request delay handling out of supports_retry (#474)
Improve documentation for Zope’s error logging services.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.